On March 9, the Securities and Exchange Commission (SEC) voted to propose cybersecurity disclosure requirements for public companies. The proposal follows the release of interpretive guidance on the matter in 2011 and again in 2018. Though that guidance improved cybersecurity-related disclosures, Commissioner Caroline Crenshaw described current disclosures as “often inconsistent and unreliable.”
This cyber disclosure proposal is the latest in a series of recent cybersecurity-related rulemakings at the SEC. As Chair Gensler highlighted in his remarks, in January 2022 the SEC proposed rules to extend the scope of both Regulation Alternative Trading Systems (Regulation ATS) and Regulation Systems Compliance and Integrity (Regulation SCI) to cover additional government securities trading venues, including Treasury trading platforms, a shift intended to enhance both investor protections and cybersecurity. In addition, in February 2022 the SEC proposed new cybersecurity risk management requirements for registered investment advisers, registered investment companies and business development companies.
In proposing the rule, Chair Gensler also disclosed that SEC staff were preparing new related rulemaking recommendations on broker-dealers, Regulation SCI and Regulation S-P. He did not specify when the recommendations may be completed.
Summary of the Rule
The newly proposed rules would provide for standardized disclosures in two areas: (1) incident reporting and (2) risk management, strategy and governance. More specifically, the rules propose:
- On Incident Disclosures –
- Amendments to Form 8-K to mandate the disclosure of material cybersecurity incidents within four business days after the registrant determines that the incident is material (the clock runs from the materiality determination, not from initial discovery of the incident).
- Alterations to Regulation S-K and Form 20-F to require registrants to provide updates on previously disclosed cybersecurity incidents, and to disclose when a series of previously undisclosed, individually immaterial cybersecurity incidents has become material in the aggregate.
- On Risk Management, Strategy and Governance Disclosures –
- Further changes to Regulation S-K and Form 20-F to require registrants to disclose:
- Policies and procedures for identifying and managing cyber risks;
- The board’s involvement in overseeing and managing cyber risk and the registrants’ broader cybersecurity governance; and
- Board members’ cybersecurity expertise. This would be included in the registrant’s annual reports and certain proxy filings and encompass the individual’s name and an explanation of their expertise.
Notably, the proposed rules do not provide for any reporting delay during an ongoing internal or external investigation, including a law enforcement investigation, related to a cybersecurity event. While an ongoing investigation might affect the specifics of the company’s disclosure, an investigation, which can be lengthy, is not on its own a basis to delay disclosure of a material cybersecurity event. Further, several components of the proposed disclosures are similar to those included in the Cybersecurity Disclosure Act, legislation sponsored by Rep. Jim Himes (D-CT) that passed the House in July as part of a broader package of financial services bills. The SEC’s proposal also requires that the cybersecurity disclosures be tagged in Inline eXtensible Business Reporting Language (Inline XBRL).
Public comments will be accepted on the rule for 30 days after its publication in the Federal Register or 60 days after its publication on the SEC’s website, whichever period is longer. The structure of this comment window is likely a response to calls from Republican lawmakers and SEC Commissioner Hester Peirce, who cautioned Chair Gary Gensler that limiting comment windows to only 30 days, particularly on high-profile rules, does not allow commenters sufficient time to prepare and submit robust responses.
Commenters are free to provide feedback on any aspect of the proposal, but the release also requests input on 16 specific areas. The questions are wide ranging and cover topics including the events that would trigger mandatory disclosure, the workability of the definitions included in the rule, and the scope of registrants that would be covered.
The commission’s three Democrats were unified in their support for proposing the rule, which Commissioner Peirce, a Republican, opposes. In a statement delivered at the agency’s March 9 meeting, Peirce cautioned that the proposal “flirts with casting [the SEC] as the nation’s cybersecurity command center,” and expressed concern that the rules, “while cloaked as a disclosure requirement … pressure companies to consider adapting their existing policies and procedures to conform to the Commission’s preferred approach.” However, Peirce did express tepid support for the proposed reporting of cybersecurity incidents. Though skeptical that the rules are necessary given the existence of the 2018 commission-level guidance, Peirce said the proposal provides “sensible guideposts” for reporting material cybersecurity incidents.
Impacted groups are concerned that the disclosures required by the rule could create a playbook for bad actors. The SEC was wary of this possibility in its 2018 guidance, cautioning that the guidance was “not intended to suggest that a company should make detailed disclosures that could compromise its cybersecurity efforts—for example, by providing a ‘roadmap’ for those who seek to penetrate a company’s security protections.” The SEC cited the same concern in its February 2022 proposal for investment advisers, described above, in explaining why it would keep incident reports on proposed Form ADV-C confidential rather than make them public, recognizing that “the release of too much detail about a cybersecurity incident could further compromise cybersecurity of the victim, especially in the short term.” The public-company proposal contains no equivalent confidential reporting channel: the Form 8-K disclosure would be public.
In addition, while the four-business-day disclosure deadline would be new to cybersecurity incidents, it already applies to the many other disclosures mandated by Form 8-K. Further, the definition of “materiality” used in the rule is unchanged from the standard currently applied by the SEC: information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important.”
By contrast, the omnibus appropriations bill enacted on March 11 included the Cyber Incident Reporting for Critical Infrastructure Act, which establishes a shorter 72-hour window for covered critical infrastructure owners and operators to report a covered cyber incident to the Cybersecurity and Infrastructure Security Agency (CISA). Covered entities would also be required to report any ransom payment to CISA within 24 hours, among other changes. Unlike the SEC’s proposed disclosures, the reports under that act go to the government rather than the public, and the reporting obligations take effect only once CISA issues implementing regulations.
Brownstein Hyatt Farber Schreck attorneys addressed disclosure requirement uncertainty in a client alert last year and are experienced in the SEC’s regulatory process. Please reach out to our experienced team of legal and policy professionals for further analysis and support.
THIS DOCUMENT IS INTENDED TO PROVIDE YOU WITH GENERAL INFORMATION REGARDING POTENTIAL SEC RULE CHANGES REGARDING DISCLOSURE OF CYBERSECURITY BREACHES. THE CONTENTS OF THIS DOCUMENT ARE NOT INTENDED TO PROVIDE SPECIFIC LEGAL ADVICE. IF YOU HAVE ANY QUESTIONS ABOUT THE CONTENTS OF THIS DOCUMENT OR IF YOU NEED LEGAL ADVICE AS TO AN ISSUE, PLEASE CONTACT THE ATTORNEYS LISTED OR YOUR REGULAR BROWNSTEIN HYATT FARBER SCHRECK, LLP ATTORNEY. THIS COMMUNICATION MAY BE CONSIDERED ADVERTISING IN SOME JURISDICTIONS.