March 11, 2022
On March 9, 2022, the Securities and Exchange Commission (“SEC” or “Commission”) held a virtual open meeting where it considered a rule proposal for new cybersecurity disclosure requirements for public companies, primarily consisting of: (i) current reporting of material cybersecurity incidents and (ii) periodic reporting of material updates to cybersecurity incidents, the company’s cybersecurity risk management, strategy, and governance practices, and the board of directors’ cybersecurity expertise, if any.
The proposal passed on party lines and the comment period ends on the later of 30 days after publication in the Federal Register or May 9, 2022 (which is 60 days from the date that the rules were proposed). Below please find a summary description of the rule proposal, as well as certain Commissioner’s concerns related to the proposal.
Summary of Proposed Amendments
New Current Reporting Requirements
The proposed amendments would require current reporting of material cybersecurity incidents by adding new Item 1.05 to Form 8-K. As is the case with almost all other Form 8-K items, Item 1.05 would require companies to disclose material cybersecurity incidents[1] within four business days. The trigger date for the disclosure is the date of the materiality determination, rather than the date of discovery of the incident, although companies are required to make a materiality determination as soon as reasonably practicable after discovery. Required disclosure would include:
According to the release, “[w]hat constitutes “materiality” for purposes of the proposed cybersecurity incidents disclosure would be consistent with that set out in the numerous cases addressing materiality in the securities laws, including: TSC Industries, Inc. v. Northway, Inc.,[2] Basic, Inc. v. Levinson,[3] and Matrixx Initiatives, Inc. v. Siracusano[4].”[5] The SEC noted in the proposed rule that it would not expect companies to disclose technical information about its planned response, cybersecurity systems, related networks and devices, or vulnerabilities “in such detail as would impede the company’s response or remediation of the incident.”[6] However, Item 1.05 would not allow for a reporting delay when there is an ongoing internal or external investigation related to the cybersecurity incident. Notably, however, an untimely filing of Item 1.05 disclosure on Form 8-K would not result in a loss of Form S-3 and Form SF-3 eligibility and would be covered by the safe harbor for Section 10(b) and Rule 10b-5 liability. With respect to foreign private issuers, the amendments would similarly create a disclosure trigger for cybersecurity incidents on Form 6-K.
New Periodic Reporting Requirements
Material Updates to Cybersecurity Incidents. The proposed amendments would add additional disclosure requirements to public companies’ quarterly and annual reports by introducing new Item 106(d) of Regulation S-K, which would require companies to disclose any material changes, additions, or updates to information required to be disclosed pursuant to proposed Item 1.05 of Form 8-K in the company’s Form 10-Q or Form 10-K for the covered period (the company’s fourth fiscal quarter in the case of a Form 10-K) in which the material change, addition, or update occurred. Item 106(d) would also require companies to disclose when a series of previously undisclosed individually immaterial cybersecurity incidents becomes material in the aggregate.
Risk Management and Strategy. In addition, public companies would be required to disclose their policies and procedures, if any, to identify and manage cybersecurity risks and threats. The company would also be required to describe whether it engages assessors or other third parties in connection with its risk assessment and any policies or procedures for risks in connection with the use of third party service providers. The other topics included in proposed Item 106(b) would require disclosure regarding whether the company undertakes to prevent, detect and minimize the threat of cybersecurity incidents; whether the company has business continuity, contingency or recovery plans in the event of cybersecurity incident; whether previous cybersecurity incidents have informed changes in the company’s governance, policies and procedures, or technologies; whether and how cybersecurity-related risk and incidents have affected or are reasonably likely to affect the company’s results of operations or financial condition; and whether and how cybersecurity risks are considered as part of the company’s business strategy, financial planning, and capital allocation.
Governance. Proposed Item 106(c) of Regulation S-K would require disclosure regarding the role of the board of directors and management in cybersecurity governance. With respect to the board of directors, companies would need to disclose whether the entire board, specific board members or a board committee is responsible for the oversight of cybersecurity risks. Disclosure would also need to include a discussion of the processes by which the board is informed about cybersecurity risks, the frequency of discussions on cybersecurity, and whether and how the board or responsible board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight. With respect to management, companies would need to disclose whether certain management positions or committees are responsible for measuring and managing cybersecurity risk and the relevant expertise of such persons. The company would also need to disclose whether it has designated a chief information security officer, or someone in a comparable position, and if so, to whom that individual reports within the company’s organizational chart, the relevant expertise of any such persons, the processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents, and whether and how frequently such persons or committees report to the board or a committee of the board on cybersecurity risk.
Director Cybersecurity Expertise. Proposed Item 407(j) of Regulation S-K would require companies to annually disclose (in proxy statements for their annual meetings of shareholders or their annual reports on Form 10-K) cybersecurity expertise of directors of the company, if any. If any member of the board has cybersecurity expertise, the company would be required to disclose the name of any such director, and provide such detail as necessary to fully describe the nature of the director’s expertise. Cybersecurity expertise would remain undefined, but the proposed rule would introduce criteria relevant for the determination, such as whether the director has work experience in cybersecurity, whether the director obtained a certification or degree in cybersecurity, and whether the director has knowledge, skills or other background in cybersecurity. Similar to the existing safe harbor with respect to “audit committee financial experts,” proposed Item 407(j)(2) would state that a person who is determined to have expertise in cybersecurity will not be deemed an expert for any purpose, including, without limitation, for purposes of Section 11 of the Securities Act of 1933, as a result of being designated or identified as a director with expertise in cybersecurity pursuant to proposed Item 407(j).
Foreign Private Issuers. Comparable changes would be made to require similar disclosures on an annual basis on Form 20-F.
Structured Data Requirements
Disclosures required under the proposed rules would need to be tagged in Inline XBRL, which would include block text tagging of narrative disclosures, as well as detail tagging of quantitative amounts disclosed within the narrative disclosures. According to the release, “[t]his Inline XBRL tagging would enable automated extraction and analysis of the granular data required by the proposed rules, allowing investors and other market participants to more efficiently perform large-scale analysis and comparison of this information across registrants and time periods.”[7]
For additional information on the proposed amendments, please see the following links:
Commissioner Concerns
The Commission voted three to one in support of the proposed amendments, with Commissioner Peirce dissenting. Chair Gensler supported the proposed rules noting that “companies and investors alike would benefit if this disclosure were required in a consistent, comparable, and decision-useful manner.”[8] Chair Gensler emphasized two ways in which the proposed rules would enhance cybersecurity disclosure and allow investors to assess cybersecurity risks more effectively, by requiring (i) ongoing disclosures regarding companies’ governance, risk management, and strategy with respect to cybersecurity risks and (ii) mandatory, material cybersecurity incident reporting. Commissioner Peirce expressed some reservations about the proposal. Specifically, Commissioner Peirce voiced concern that: (i) the governance disclosure requirements could be viewed as substantive guidance for the composition and functioning of both the boards of directors and management of public companies; (ii) the policy disclosure requirements may pressure companies to consider adapting their existing policies and procedures to conform to the Commission’s preferred approach; and (iii) the Commission is not best suited to design cybersecurity programs to be effective for all companies. Although Commissioner Peirce was more supportive of the cybersecurity incident reporting requirements, stating that they provided guideposts for companies to follow in reporting material cybersecurity incidents, she was critical of the proposed rule’s inflexibility with regard to whether temporary relief from the disclosure requirements would best protect investors in cases of ongoing investigations.
For the published statements of the Commissioners, please see the following links:
As mentioned above, the comment period ends on the later of 30 days after publication in the Federal Register or May 9, 2022 (which is 60 days from the date that the rules were proposed). Comments may be submitted: (1) using the SEC’s comment form at https://www.sec.gov/rules/submitcomments.htm; (2) via e-mail to rule-comments@sec.gov (with “File Number S7-09-22″ on the subject line); or (3) via mail to Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549-1090. All submissions should refer to File Number S7-09-22.
Takeaways
The proposed rule contemplates extensive changes to current reporting requirements, and many of the disclosure topics act as guidance with respect to the SEC’s expectations for public companies’ cybersecurity risk management, strategy, and governance. In light of these changes, public companies should consider the following:
__________________________
[1] Cybersecurity incident is defined to mean an unauthorized occurrence on or conducted through a company’s information systems that jeopardizes the confidentiality, integrity, or availability of a company’s information systems or any information residing therein.
[2] TSC Indus. v. Northway, 426 U.S. 438, 449 (1976).
[3] Basic Inc. v. Levinson, 485 U.S. 224, 232 (1988).
[4] 563 U.S. 27 (2011).
[6] Id.
[7] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Exchange Act Release, No. 34-94382 (Mar. 9, 2022) at Part II.G, available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf.
[8] Chairman Gary Gensler, “Statement on Proposal for Mandatory Cybersecurity Disclosures” (Mar. 9, 2022), available https://www.sec.gov/news/statement/gensler-cybersecurity-20220309.
[9] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Exchange Act Release, No. 34-94382 (Mar. 9, 2022) at Part II.B.3, available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf.
This alert was prepared by Alexander H. Southwell, Ashlie Beringer, Lori Zyskowski, Thomas J. Kim, and Julia Lapitskaya.
Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Privacy, Cybersecurity and Data Innovation and Securities Regulation and Corporate Governance practice groups, or the following authors:
Alexander H. Southwell – New York (+1 212-351-3981, asouthwell@gibsondunn.com)
S. Ashlie Beringer – Palo Alto (+1 650-849-5327, aberinger@gibsondunn.com)
Lori Zyskowski – New York (+1 212-351-2309, lzyskowski@gibsondunn.com)
Thomas J. Kim – Washington, D.C. (+1 202-887-3550, tkim@gibsondunn.com)
Julia Lapitskaya – New York (+1 212-351-2354, jlapitskaya@gibsondunn.com)
We would like to thank Matthew Dolloff in our New York office for his work on this article.
© 2022 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.