United States: SEC proposes required cybersecurity disclosures

SEC proposes rules on cybersecurity risk management, strategy, governance, and incident disclosure by public companies

In brief

On 9 March 2022, the US Securities and Exchange Commission (SEC) proposed amendments to its rules on disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. These rules are intended to enhance and standardize cybersecurity disclosures, and, if adopted in their current form, would require public companies to disclose cybersecurity-related policies, procedures and all material cybersecurity incidents.



Key takeaways

  • On 9 March 2022, the SEC proposed new disclosure requirements related to cybersecurity risk management, strategy, governance, and incident reporting.
  • Under the proposed rules, public companies would be required to file a report on Form 8-K within four business days of determining that a cybersecurity incident was material and would be required to report material changes as a result of the incident.
  • Public companies should consider updating or adopting cybersecurity policies and procedures, as the proposed rules would require disclosure of such policies and governance practices surrounding their implementation. 

Incident reporting requirements

Current incident reporting (Item 1.05 of Form 8-K)

The proposed rules would create a new reporting obligation on material cybersecurity incidents. In content and substance, this obligation is similar to US state data breach notification laws. Unlike data breach notification laws, however, a cybersecurity incident can be considered material even if it does not impact personal data. For example, an unauthorized party accessing, or exceeding authorized access, and altering or stealing sensitive business information, intellectual property, or information that resulted, or may result, in a loss or liability for the company would be a material cybersecurity incident under the proposed rules, even though no personal data was affected.

In the proposed new Item 1.05 of Form 8-K, public companies would be required to provide specific information within four business days of determining that a material cybersecurity incident had occurred. Public companies would have to determine materiality as soon as reasonably practicable after the discovery of the incident. Some state data breach notification laws allow entities to delay notification to the relevant authorities in order to avoid impeding a law enforcement investigation. The SEC, however, explicitly distinguishes this reporting obligation by stating that in "a situation in which a state law delay provision would excuse notification, there is a possibility a registrant would be required to disclose the incident on Form 8-K even though it could delay incident reporting under a particular state law".

To the extent known at the time of the filing, public companies would be required to provide particular information about the material cybersecurity incident, including:

  1. The date the incident was discovered, and if the incident remains live.
  2. The nature and scope of the incident.
  3. If any data was stolen, altered, accessed, or used for any other unauthorized purpose.
  4. The impact of the incident on company operations.
  5. If the incident has been remediated or is in the process of being remediated.

The SEC clarifies that it does not expect public companies to publicly disclose specific, technical information about their planned response to the incident or their cybersecurity systems. Notably, the proposed rules do not include a definition of materiality as it relates to cybersecurity incidents.

Periodic incident reporting (Forms 10-K and 10-Q)

Because the Form 8-K disclosure requirement, if adopted, will lead to reports with incomplete information about a material cybersecurity incident, proposed Item 106(d)(1) of Regulation S-K would require public companies to disclose any material changes, additions, or updates to prior cybersecurity incidents in periodic reports.

Some examples of a material change include becoming aware of additional information, such as learning more about the scope of the incident or whether data was somehow altered, and any material impact of the incident on the public company's operations and financial condition.

The SEC also recognizes that incidents previously considered immaterial may become material in the aggregate, triggering a reporting obligation. Proposed Item 106(d)(2) would require disclosure when a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate. Public companies will need to analyze related cybersecurity incidents for materiality, both individually and in the aggregate.

Cybersecurity policies and procedures

In addition to the disclosures regarding cybersecurity incidents, the SEC's proposed Item 106 of Regulation S-K would require public companies to describe in great detail any policies and procedures in place to identify and manage cybersecurity risks. The SEC's proposed rules suggest public companies should disclose whether cybersecurity policies or procedures play a role in the company's financial planning, capital allocation and business strategy. Any mechanisms the company has in place to mitigate cybersecurity risks that arise from third-party interactions or access to company data would be disclosed as well.

Board involvement in cybersecurity

Board processes

As part of the proposed disclosure regarding a company's policies and procedures, the SEC focused on disclosures related to the role governance plays in protecting against cybersecurity incidents. Proposed Item 106 of Regulation S-K would require public companies to disclose details about the board's oversight of cybersecurity risk, including disclosure about how frequently the board discussed its cybersecurity incidents, policies and procedures.

Management processes

The disclosures under proposed Item 106 of Regulation S-K would require public companies to discuss management's role in assessing and managing cybersecurity risks and implementing the company's cybersecurity policies and procedures as well. Under the proposed rules, companies would be required to disclose whether or not they have a Chief Information Security Officer, as well as that person's background and expertise.

Comment Period

This rulemaking represents proposals by the SEC and the Commission is currently seeking public comment. The comment period for this rule proposal will be open for 60 days from the date on which the proposal appears in the Federal Register. Once comments are received, the SEC will consider those comments prior to issuing a final rule.

Director expertise

The SEC's proposed rules include an amendment to Item 407 of Regulation S-K that would require annual reporting or proxy disclosure about the board of directors' cybersecurity expertise, if any. Specifically, proposed amendments to Item 407(j) would require public companies to disclose the names of any directors with expertise in cybersecurity and detail the nature of their expertise.

If you have any questions about potentially commenting on this rule proposal, or about any public company, financial services rule, or privacy or cybersecurity law, please contact your Baker McKenzie lawyers.


Copyright © 2022 Baker & McKenzie. All rights reserved.