On March 9, 2022, the U.S. Securities and Exchange Commission (“SEC”) proposed mandates for cybersecurity disclosures by public companies. If adopted, these mandates would give investors a deeper look into public companies’ cybersecurity risk, governance, and incident reporting practices. SEC chair Gary Gensler noted in a statement on the proposed mandates that cybersecurity incidents are a growing risk with “significant financial, operational, legal, and reputational impacts.”
“The interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data are only accelerating, putting our financial accounts, investments, and private information at risk. Investors want to know more about how issuers are managing those growing risks.” – Gary Gensler, SEC Chairperson
According to the SEC, the proposed mandates would require information to be disclosed in a “consistent, comparable, and decision-useful manner” and fall in the following categories:
- Mandatory, ongoing disclosures on public companies’ governance, risk management, and strategy related to cybersecurity risks. Under the proposal, some examples of disclosed information would include: the company’s cybersecurity policies and procedures; how the company assesses and manages cybersecurity risks; how cybersecurity risks and incidents might impact the company’s financials; and the management’s role and oversight of cybersecurity risks.
- Mandatory, timely cybersecurity incident reporting. The proposed mandates would require companies to disclose incidents on Form 8-K within four business days after a company determines it has experienced a “material” cybersecurity incident. To the extent the information is known at the time of the Form 8-K filing, a company would have to disclose:
- “When the incident was discovered and whether it is ongoing;
- A brief description of the nature and scope of the incident;
- Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
- The effect of the incident on the registrant’s operations; and
- Whether the registrant has remediated or is currently remediating the incident.”
When To Report A Material Cybersecurity Incident
The proposed trigger for reporting an incident is the point at which the company determines that the cybersecurity incident it has experienced is material. While the materiality determination may coincide with the date the incident is discovered, it may also develop over time as the company learns more about the incident. The goal of the SEC’s proposal is to mandate reports about what is material to investors. Although the expectation is that companies will make this determination promptly (and report within four business days of it), how long the determination takes will depend on a number of factors, including how quickly the scope and impact of the incident can be established. The SEC cited several cases that address what constitutes material information in the context of cybersecurity incident disclosures, including TSC Industries, Inc. v. Northway, Inc.,[i] Basic, Inc. v. Levinson,[ii] and Matrixx Initiatives, Inc. v. Siracusano.[iii]
In general, an incident is material if company information available to shareholders is altered or compromised, or “if there is a substantial likelihood that a reasonable shareholder would consider it important” when making an investment decision.[iv] The SEC recommends that companies make a careful, objective assessment of the incident and determine whether a reasonable investor would consider it material. Examples of cybersecurity incidents that could trigger a Form 8-K disclosure under the proposed rule include:
- An unauthorized compromise of information assets such as data, technological systems, and networks. These incidents can stem from intentional attacks or from accidental exposure of the information assets. Compromised data includes sensitive business information, intellectual property, and personally identifiable information;
- An incident that causes technology systems to be interrupted, degraded, or inoperative; and
- An incident in which a cybercriminal makes a ransom demand or threatens to expose company information to the public.
It remains to be seen what the final rule will look like, but this standard of “materiality” would cover much more than what most companies previously considered “material.”
Concerns From Commissioner Peirce
The SEC voted 3-1 in support of the proposed amendments, with Commissioner Hester Peirce dissenting. Commissioner Peirce’s main concern was that the proposed rules are too dismissive of the need to work with other agencies on cybersecurity issues. Her other concerns were that the changes would lead to micromanagement of both the boards of directors and the management of public companies, and that in light of the SEC’s 2018 Guidance the proposed rules are unnecessary.
“We have an important role to play in ensuring that investors get the information they need to understand issuers’ cybersecurity risks if they are material. This proposal, however, flirts with casting us as the nation’s cybersecurity command center, a role Congress did not give us.” – Hester M. Peirce, SEC Commissioner
The public is free to comment on SEC proposals for up to 30 days after publication in the Federal Register or up to 60 days after the proposal was issued, whichever is longer. After that, the SEC will consider the public’s input and determine the next steps toward a final rule. Unless the SEC takes steps to fast-track the process, the timeline from a proposed rule to a final rule averages about 450 days, so companies affected by the SEC’s proposal could expect some version of the cybersecurity disclosure requirements to take effect no earlier than late 2022, and more likely sometime in mid-2023, depending on how much priority the agency gives the regulation.
[i] TSC Industries, Inc. v. Northway, Inc., 426 U.S. 438, 449 (1976).
[ii] Basic Inc. v. Levinson, 485 U.S. 224, 232 (1988).
[iii] Matrixx Initiatives, Inc. v. Siracusano, 563 U.S. 27 (2011).
[iv] TSC Industries, Inc. v. Northway, Inc., 426 U.S. 438, 449 (1976).