On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed new rules that would require current and periodic reporting of material cybersecurity incidents as well as more detailed disclosure of cybersecurity risk management, expertise, and governance. This alert summarizes the proposed changes, which are subject to public comment until the later of May 9, 2022 or 30 days after publication in the Federal Register.
Form 8-K Reporting of Cybersecurity Incidents
The proposed rules would amend Form 8-K to add a new Item 1.05 requiring disclosure of material cybersecurity incidents within four business days. The four business days would run from the date the company determines the incident is material, rather than the date the incident is discovered.
The new Item 1.05 would require a brief description of the incident, including, to the extent known:
- the date the incident was discovered and whether it is ongoing;
- the nature and scope of the incident;
- whether data was taken, modified, accessed, or used for any other unauthorized purpose;
- the effect on the company’s operations; and
- the extent of remediation.
Instruction 1 to proposed Item 1.05 would require that the materiality determination be made as soon as reasonably practicable after discovery of the incident. An ongoing internal or external investigation, including a law enforcement investigation, would not be grounds for delaying the Form 8-K, even where state law would permit the company to delay public notice of the incident. Failure to timely file a Form 8-K under this item would not, however, result in a loss of Form S-3 eligibility.
Form 10-Q and Form 10-K Updates to Previously Reported Cybersecurity Incidents
The proposed rules would require a company to provide material updates to its investors on a cybersecurity incident that was previously reported on Form 8-K.
New Item 106(d) of Regulation S-K would require a company to disclose in its Form 10-Q (or Form 10-K in the case of updates for the fourth quarter) any “material changes, additions or updates” relating to the previously reported cybersecurity incident, including but not limited to:
- material effects on the company’s operations and financial condition;
- potential material future effects on the company’s operations and financial condition;
- status of remediation; and
- modifications to policies and procedures that the company may have undertaken in connection with the incident.
New Item 106(d) would also require a company to disclose a series of previously undisclosed and individually immaterial cybersecurity incidents once they become material in the aggregate.
Form 10-K Disclosure of Cybersecurity Policies, Governance, and Management
The Form 10-K would be amended to include new Items 106(b) and (c) of Regulation S-K, which would require disclosure of:
- Policies and procedures. Policies and procedures, if any, to identify and manage risks from cybersecurity threats, including whether:
  - the company has a cybersecurity risk assessment program, and if so, a description of that program;
  - the company engages third-party cybersecurity consultants;
  - the company has policies and procedures for the selection and oversight of third-party service providers, including whether and how cybersecurity is considered;
  - the company undertakes activities to prevent or minimize the effects of cybersecurity incidents;
  - the company has business continuity, contingency, and recovery plans;
  - the company has updated its governance, policies and procedures, or technologies as a result of previous cybersecurity incidents;
  - cybersecurity risks and previous cybersecurity incidents have affected or are reasonably likely to affect the company’s results of operations or financial condition, and if so, how; and
  - cybersecurity risks are considered as part of business strategy, financial planning, and capital allocation, and if so, how.
- Board governance. Governance of cybersecurity risks, including:
  - whether oversight is conducted by the full board, certain board members, or a board committee;
  - how the board is informed about cybersecurity risks, and how frequently; and
  - whether and how cybersecurity risks are considered as part of business strategy, risk management, and financial oversight.
- Management role and expertise. Management’s role and expertise in evaluating and managing cybersecurity risks and implementing cybersecurity policies, procedures, and strategies, including:
  - the persons or committees who are responsible and their relevant expertise (e.g., prior work experience, education, or other background);
  - whether there is a designated chief information security officer (or someone in a comparable position), that person’s relevant expertise, and where the position sits in the company’s organizational chart; and
  - how such persons or committees are informed about and monitor cybersecurity incidents, and how frequently they report to the board or a board committee on cybersecurity risk.
New Proxy Statement or Form 10-K Disclosure on Director Cybersecurity Expertise
The proposed rules would also add a new Item 407(j) of Regulation S-K, which would require a proxy statement or Form 10-K to disclose whether any board member has cybersecurity expertise, naming them and detailing such expertise, such as prior work experience, education, or other background in cybersecurity. The designation of a board member as having cybersecurity expertise would not increase the duties, liabilities, or obligations of that director or decrease those of any other directors.
Foreign Private Issuers
Under the proposed rules, cybersecurity incidents would be added as a reporting event that may trigger a Form 6-K for foreign private issuers. In addition, Annual Reports on Form 20-F would require foreign private issuers to report updates and include disclosure comparable to Items 106 and 407 of Regulation S-K under Item 16J.
Interactive Data Requirements
The information required under the proposed rules would have to be provided in an interactive data format (Inline XBRL) in accordance with Regulation S-T.