On March 9, 2022, the Securities and Exchange Commission (the “SEC”) announced proposed rules (the “Proposed Rules”) that would require registrants to report certain cybersecurity incidents on Form 8-K within four business days of the incident. The Proposed Rules also would require registrants to provide updates on previously reported incidents and to disclose cybersecurity policies in periodic reports. The SEC has sought to require companies to report cybersecurity incidents since 2011, but it has described compliance as inconsistent. The Proposed Rules come one month after the SEC proposed similar disclosure requirements for registered investment advisors and investment companies and reflect the Biden administration’s continued focus on mitigating cyber vulnerabilities in the public and private sectors.
Although the SEC has previously identified cybersecurity as an important factor to investors and encouraged disclosure of incidents, the increase in the number and cost of cybersecurity incidents in recent years, especially since the onset of COVID-19, makes it more likely that the potential impact of a cyberattack would be material to a registrant. Accordingly, the Proposed Rules seek to increase disclosure obligations to investors with respect to cybersecurity incidents and management practices.
The Proposed Rules would (i) amend Form 8-K, adding an explicit requirement to disclose material cybersecurity incidents, and (ii) amend Form 10-Q and 10-K and Schedule 14A and 14C to require registrants to provide more substantial disclosure about cybersecurity threats, risk management, and ongoing updates to previous incidents.
Current Reporting Obligations – New Form 8-K Item 1.05
The amendment to Form 8-K would add Item 1.05, requiring registrants to disclose certain information about a cybersecurity incident within four business days after the registrant determines a material cyber incident has occurred. The triggering date is the date on which the registrant determines that the incident is material, not the date on which it determines that an incident has occurred. But the registrant must make its materiality determination “as soon as reasonably practicable” after discovery. Ongoing internal or external investigations do not provide a basis for delaying disclosure. The SEC included the following non-exhaustive list of events that would trigger disclosure under the new Item 1.05 if the registrant determines them to be material:
- An unauthorized incident that has compromised the confidentiality, integrity, or availability of an information asset — data, system, or network — or violated the registrant’s security policies or procedures. Incidents may stem from the accidental exposure of data or from a deliberate attack to steal or alter data;
- An unauthorized incident that caused degradation, interruption, loss of control, damage to, or loss of operational technology systems;
- An incident in which an unauthorized party accessed, or a party exceeded authorized access to, and altered or stole sensitive business information, personally identifiable information, intellectual property, or information that has resulted, or may result, in a loss or liability for the registrant;
- An incident in which a malicious actor has offered to sell or has threatened to publicly disclose sensitive company data; or
- An incident in which a malicious actor has demanded payment to restore company data that was stolen or altered.
The disclosure must include (i) when the incident was discovered and whether it is ongoing, (ii) a brief description of the nature and scope of the incident, (iii) whether any data was stolen, accessed, or used for any other unauthorized purpose, (iv) the effect of the incident on the registrant’s operations, and (v) whether the registrant has remediated or continues to remediate the incident. The registrant can omit information that would expose vulnerabilities to its information technology systems and information that might impede its proposed response.
Periodic Reporting Obligations – Forms 10-K, 10-Q, and Proxies
Because it often takes time to investigate and determine the full impact of a cyberattack, the Proposed Rules balance the new reporting obligations of Form 8-K with ongoing disclosure obligations in periodic reports. The Proposed Rules would amend Form 10-Q and Form 10-K to require registrants that previously experienced cybersecurity incidents to provide updated information about the incident, including the impact or potential future effect on the registrant’s operations and financial condition and any changes in policies to address future incidents. Importantly, they also would require disclosure when a series of previously undisclosed, individually immaterial incidents becomes material in the aggregate.
Item 106 of Regulation S-K would require significant disclosure in each Form 10-K about a registrant’s cyber policies and risk management practices, including (i) policies and procedures, if any, for identifying and managing cybersecurity risks, such as the engagement of third-party cybersecurity experts and any business continuity and recovery plans in case an incident occurs, (ii) cybersecurity governance, including the board of directors’ role in overseeing cybersecurity, whether a specific cybersecurity committee exists, and the frequency of board discussions on the topic, and (iii) management’s role and relevant expertise in assessing and managing cybersecurity-related risks and implementing related policies, procedures, and strategies, including whether a specific officer is designated to manage cybersecurity and the registrant’s reporting system.
Amended Item 407 of Regulation S-K would require disclosure in Form 10-K and Schedule 14A and 14C about whether any of a registrant’s directors have cybersecurity expertise. Relevant factors in determining expertise include prior work experience, certificates or degrees in cybersecurity, and general knowledge and experience in the area.
In a statement in support of the Proposed Rules, SEC Commissioner Caroline Crenshaw agreed that cybersecurity may be the biggest threat to business growth in the near future. That threat could increase expenses and economic harm to reporting companies and their investors. She called the Proposed Rules “an important step forward in addressing this growing and ever-present risk.”