In March of this year, the Securities and Exchange Commission (SEC) proposed a set of rules and amendments that the agency expects will strengthen the financial sector’s defense against cyberattacks. They seek to standardize disclosures and admissions of material cybersecurity incidents and improve visibility into a company’s cybersecurity risk management and governance policies to better inform investors.
SEC Proposed Cybersecurity Rules
According to the SEC, while public companies have improved their cyber disclosures over the last few years, they have, overall, done a poor job of making appropriate public disclosures.
When examining the concern that serious cybersecurity incidents are not being reported, the SEC notes: “Certain cybersecurity incidents were reported in the media but not disclosed in registrant’s filings.” When they were reported, the SEC notes a lack of timeliness, specificity, and consistency.
Previous SEC Guidance
In 2018, the SEC issued guidance about how to handle and disclose cyber risks and events. The 2018 guidance reinforced and enhanced the previous guidance issued in 2011. It outlined situations where a company should disclose cybersecurity risks and events.
Since then, the SEC has not been shy about taking enforcement actions as needed. For example, last year the SEC brought an enforcement action against one of the leading providers of title insurance and settlement services for a lack of cybersecurity controls and procedures.
In June 2021, the Office of Information and Regulatory Affairs announced its Unified Agenda of Regulatory and Deregulatory Actions, which are short- and long-term regulatory actions that administrative agencies plan to take. The SEC’s cyber initiative was on the list.
The Extent of the Proposed SEC Cybersecurity Rules
The SEC is moving away from a principles-based disclosure regime to a more deliberate and prescriptive one, and the proposed rules are accordingly long and detailed.
Company senior leadership can think of the proposed disclosure rules as falling into four categories:
- Cybersecurity incidents (on a current and then updated basis)
- Procedures for identifying and managing cybersecurity risks
- Corporate governance/board oversight
- Management’s role in assessing and managing cybersecurity risks
Cybersecurity Incidents
The SEC is proposing registrants disclose material cybersecurity incidents within four business days “after the registrant determines that it has experienced a material cybersecurity incident” on Form 8-K.
The proposed definition of “cybersecurity incident” is expansive, while the definition of “material” remains consistent with its normal use in securities law, which is to say “there is a substantial likelihood that a reasonable shareholder would consider it important.”
Notably, the proposed rules do not provide any exceptions to the four-day rule, not even, for example, where law enforcement would prefer that a company make no disclosure while it is investigating or attempting to catch a bad actor.
Moreover, it goes without saying that whether and when a company determines that an incident is material will be subject to second-guessing by regulators as well as the plaintiffs’ bar. The four-day window is extremely short, particularly given the broad definition of “cybersecurity incident”:
Cybersecurity incident means an unauthorized occurrence on or conducted through a registrant’s information system that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.
Proposed amendments to Form 8-K (Item 1.05) also state that an ongoing internal or external investigation related to the cybersecurity incident would not be an excuse for a reporting delay.
As proposed, the new disclosure requirements would include:
- When the incident was discovered and whether it is ongoing
- A brief description of the nature and scope of the incident
- Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose
- The effect of the incident on the registrant’s operations
- Whether the registrant has remediated or is currently remediating the incident
After the initial report, the proposed rules (proposed Item 106(d)(1) of Regulation S-K) would require disclosure of any material changes, additions, or updates to previously reported cybersecurity incidents quarterly on Form 10-Q or annually on Form 10-K.
These updating disclosures would include:
- Any material impact of the incident on the registrant’s operations and financial condition.
- Any potential material future impacts on the registrant’s operations and financial condition.
- Whether the registrant has remediated or is currently remediating the incident; and
- Any changes in the registrant’s policies and procedures as a result of the cybersecurity incident, and how the incident may have informed such changes.
The proposed rules would also require disclosure of “when a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate,” for example, if a bad actor conducts small but continuous cyberattacks against the same company.
In other words, if these attacks were quantitatively or qualitatively material, a company would need to disclose them in the periodic report.
Procedures for Identifying and Managing Cybersecurity Risks
In its proposed rules, the SEC notes that “most of the registrants that disclosed a cybersecurity incident in 2021 did not describe their cybersecurity risk oversight and related policies and procedures.”
The new rules would create disclosures around a public company’s ability to identify and manage cyber risks. These would include whether:
- The registrant has a cybersecurity risk assessment program and, if so, a description of such program.
- The registrant engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program.
- The registrant has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider (including, but not limited to, those providers that have access to the registrant’s customer and employee data), including whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers;
- The registrant undertakes activities to prevent, detect, and minimize effects of cybersecurity incidents.
- The registrant has business continuity, contingency, and recovery plans in the event of a cybersecurity incident.
- Previous cybersecurity incidents have informed changes in the registrant’s governance, policies and procedures, or technologies.
- Cybersecurity related risk and incidents have affected or are likely to affect the registrant’s results of operations or financial condition and if so, how; and
- Cybersecurity risks are considered as part of the registrant’s business strategy, financial planning, and capital allocation and, if so, how.
Corporate Governance/Board Oversight
The proposed rules ask reporting companies to disclose specifics of the board’s role when it comes to cybersecurity risk oversight, including:
- Whether the entire board, specific board members, or a board committee is responsible for the oversight of cybersecurity risks.
- The processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and
- Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight.
Notably, the SEC also wants registrants to disclose the cybersecurity expertise of their board members, including each such member’s name and the details of their expertise (Regulation S-K, Item 407(j)).
This is equivalent to the current requirement to name financial experts serving on a company’s audit committee. The SEC thinks that having a board member with cybersecurity expertise is as important as having at least one audit committee member who is a financial expert.
The proposed rules contemplate providing a safe harbor for any named cybersecurity experts on the board of directors by noting that such persons will not be considered experts with enhanced duties or liabilities for any purpose, including Section 11 of the Securities Act.
The SEC further notes that “conversely, we do not intend for the identification of a cybersecurity expert on the board to decrease the duties and obligations or liability of other board members.”
Management’s Role in Assessing and Managing Cybersecurity Risks
The SEC also wants public companies to describe management’s role in cybersecurity, including, but not limited to:
- Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents, and the relevant expertise of such persons or members.
- Whether the registrant has a designated chief information security officer, or someone in a comparable position, and if so, to whom that individual reports within the registrant’s organizational chart, and the relevant expertise of any such persons.
- The processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents; and
- Whether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk.
Many components of the SEC’s proposed cyber disclosures seem reasonable and sensible when analyzed individually; but when taken as a whole, the proposed rules are nothing short of overwhelming.
The proposed rules may be especially overwhelming for smaller public companies, which, as the SEC observes, “generally provide less cybersecurity disclosure as compared to larger registrants.”
The SEC acknowledges how difficult it is to measure the impact of the proposed rules. For instance, when proposing new rules, the SEC is required to assess their potential economic impact. However, with these new rules, the SEC merely notes that it is “unable to quantify the potential economic effects because we lack information necessary to provide a reasonable estimate.” This statement surely applies both to potential benefits and costs.
We will all have to see to what extent the proposed rules are finalized. At this point, a number of comment letters on a variety of topics have been submitted.
Also, many cybersecurity analysts are stating that companies may want to reassess their cyber insurance limits. The cyber insurance market is already under tremendous pressure; the new rules will only add to the burden. In the past, companies have relied on their insurance brokers and other experts to help them assess their potential financial exposure in the case of a breach, but there was not much pressure to purchase limits of insurance commensurate with these levels of exposure. The SEC’s push for disclosure about how companies assess and manage their cyber risk will put pressure on companies to purchase more cyber insurance than they have in the past. Working with an expert on cyber insurance will be key to creating an appropriately sized cyber insurance risk management program.
Certainly, the SEC’s urgency about cyber-related disclosure is justified. It will be interesting to see whether the SEC will consider some of the concerns raised by the numerous comment letters submitted for consideration. In any case, it is clear that the SEC is committed to implementing a version of the proposed rules. Senior leadership will want to be sure that their companies are starting to take steps towards compliance now.
Modevity Delivers An Array of Investigative Due Diligence Services
Modevity Contact Information
Tom J. Canova, Co-Founder, Chief Marketing Officer
Modevity, LLC
610-251-0700