On March 9, 2022, the SEC proposed rules to enhance and standardize disclosures surrounding cybersecurity risk, management, strategy, governance and incident reporting. The proposed amendments would significantly expand disclosure obligations by requiring registrants to report a cybersecurity incident within four days after determining the incident is material, periodic reporting about a registrant’s cybersecurity policies and procedures, and the registrant’s overall governance, expertise, management, and oversight of cybersecurity. The overall goal of the proposed amendments is to inform investors about the cybersecurity risk management and strategy of registrants, while also providing timely notice of any material cybersecurity incidents.
The proposed amendments will be circulated for a public comment period, either 30 days from when it is published in the Federal Register, or 60 days after it is issued, whichever period is longer. Electronic comments can be submitted through the SEC’s internet comment form. Please see below for detailed information on the proposed rules and amendments.
New Form 8-K Item to Disclose a Cybersecurity Incident within Four Business Days
Form 8-K would be amended by adding a new Item 1.05 which would require registrants to disclose information about a material cybersecurity incident known at the time of filing, including (i) when the incident was discovered and whether it is ongoing; (ii) a brief description of the nature and scope of the incident; (iii) whether any data was stolen, altered, or used for any other unauthorized purpose; (iv) the effect of the incident on the registrant’s operations; and (v) whether the registrant has remediated or is currently remediating the incident.
To avoid impeding a registrant’s response or remediation of a cybersecurity incident, registrants are not expected to publicly disclose specific, detailed technical information about its incident response plans, cybersecurity systems, related networks and devices, or potential system vulnerabilities. Registrants are required to file an Item 1.05 Form 8-K within four business days of determining that it has experienced a material cybersecurity incident. In order to focus on cybersecurity incidents that are material to investors, the SEC has proposed that the trigger for Item 1.05 Form 8-K is the date that the registrant determines that a cybersecurity incident is material, rather than the date of discovery.
Under Federal regulations for certain regulated industries such as healthcare and financial services and many states’ breach notification laws, the event triggering a notification requirement may be different; the triggering event may be either the date of discovery of the breach or the date of determination that a breach (as defined in the state’s law or Federal regulation) has occurred. (Also, many Federal and state notification laws allow from 30 to 60 days before notification is required.) In some scenarios, the date of determination that the breach is “material” for 8-K reporting purposes and the date that trigger a notification requirement to affected individuals under applicable Federal and state laws will coincide—but not necessarily. Registrants are expected to be diligent and prompt in making a materiality determination.
Amend Forms 10-Q and 10-K to Include Updates to Cybersecurity Incidents That Were Previously Disclosed
Consistent with the proposed Item 1.05 for Form 8-K, the SEC has also proposed Item 106(d) of Regulation S-K to address cybersecurity incident disclosures in quarterly and annual disclosures. The proposed Item 106(d)(1) would require registrants to disclose any material changes, additions, or updates to information disclosed pursuant to Item 1.05 Form 8-K, to be filed on a Form 10-Q or a Form 10-K. The purpose of this proposed amendment is to balance the need for prompt and timely disclosure with the reality of that registrants may not have complete information at the time of filing.
Required Disclosures on Cybersecurity Risk Management, Strategy and Governance
Under proposed Item 106(b) of Regulation S-K, registrants will be required to disclose their cybersecurity risk management and strategy as well as relevant policies and procedures. Examples of this type of disclosure include disclosures regarding the existence of a cybersecurity risk assessment program, the selection and oversight of third-party service providers for incident response, and any activities designed to prevent, detect, and minimize the effects of a cybersecurity incident.
Additionally, under the proposed Item 106(b), the SEC expects registrants to disclose whether cybersecurity related risks and previous incidents have affected or are likely to affect the registrants operations or financial condition.
Proposed Item 106(c) would also require registrants to disclose the registrant’s cybersecurity governance. At a minimum, a registrant will need to discuss the following (i) whether the entire board, specific board members, or a board committee is responsible for the oversight of cybersecurity risks; (ii) the processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and (iii) whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight. The goal of this proposed Item 106(c) is inform investors about the role the registrant’s board plays in cybersecurity risk management.
Finally, proposed Item 106(c)(2) requires registrants to describe management’s role in assessing and managing cybersecurity-related risks and in implementing cybersecurity policies, procedures, and strategies. Examples of this disclosure include information such as:
- Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk; specifically, the prevention, mitigation, detection, and remediation of cybersecurity incidents, and the relevant expertise of such persons or members.
- Whether the registrant has a designated a chief information security officer, or someone in a comparable position, and if so, to whom that individual reports within the registrant’s organizational chart, and the relevant expertise of any such persons.
- The processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents.
- Whether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk.
Must Disclose the Board of Directors’ Cybersecurity Expertise
The SEC has proposed amending Item 407 of Regulation S-K by adding paragraph (j), which would require registrants to disclose information on the cybersecurity expertise of the members on the board of directors. If the disclosure requirement applies, the registrant would be obligated to disclose the names of the directors and provide the necessary details to describe the directors’ expertise. The SEC has not defined what constitutes “cybersecurity expertise” but a non-exclusive list of factors to consider include whether the director has any prior work experience in cybersecurity, whether the director has a certification or degree in cybersecurity, and whether the director has any knowledge, skills, or other background in cybersecurity. However, a director’s expertise will not hold them out as an expert for any purpose.
Registrants Must Tag Information in Inline XBRL
Finally, the SEC has proposed that the disclosures listed above must be tagged in Inline XBRL in accordance with Rule 405 of Regulation S-T and the EDGAR Filer Manual. Under the proposed requirements, registrants must include block text tagging of narrative disclosures and detail tagging of quantitative amounts disclosed within the narrative disclosures. The rationale behind the Inline XBRL tagging is to benefit investors by making disclosures more readily available by also allowing interested parties to more easily aggregate, compare, filter and analyze information.
How to Prepare
Companies evaluating the potential impact of the proposed amendments, would be well-served to revisit their existing cybersecurity plans, policies and protocols, in light of the potential shift in timing of disclosure of a material cybersecurity incident and enhanced disclosure obligations. Buchanan has a team of committed professionals in its Securities Practice Group and Cybersecurity and Data Privacy Group ready to assist registrants in evaluating their existing cybersecurity framework, so as to be proactively prepared for adoption of the enhanced requirements.