Proposed SEC rules on cybersecurity risk management


On March 9, the SEC proposed rules¹ on cybersecurity risk management, strategy, governance and incident disclosure. The proposed rules build on the SEC's 2011 guidance² and 2018 guidance³ on cybersecurity risks and incidents. Although that earlier guidance has generally improved reporting on these matters, disclosure practices regarding a wide range of cybersecurity events still vary among companies of different sizes and industries, which has prompted the SEC to take additional steps toward more standardized reporting.

Incident Report – New Form 8-K Item 1.05 (Current Report)

To provide investors with more timely and comparable disclosure regarding material cybersecurity incidents, the SEC is proposing new Item 1.05 of Form 8-K, which would require a company to disclose the following information, to the extent it is known at the time of filing, within four business days of determining that it has suffered a material cybersecurity incident:

  • When the incident was discovered and if it is ongoing;

  • A brief description of the nature and extent of the incident;

  • Whether any data was stolen, altered, accessed or used for any other unauthorized purpose;

  • The effect of the incident on business operations; and

  • Whether the company has remedied the incident or is in the process of doing so.

Notably, the trigger for Form 8-K reporting is the materiality determination, not the discovery of the incident. Companies would be required to make these materiality determinations – objectively considering all relevant facts and circumstances, including quantitative and qualitative factors, from the perspective of a reasonable investor and in light of the total mix of information – as soon as reasonably practicable after discovering an incident. It is important to note that the SEC would not expect a company to disclose specific technical information or details that would impede its response to, or remediation of, the incident.

Updates to Incident Reporting, Risk Management, Strategy and Governance – New Regulation S-K Item 106 (Periodic Reporting)

Recognizing the dynamic and evolving nature of cybersecurity incidents, the SEC is proposing new Regulation S-K Item 106 to provide investors, in Forms 10-K and 10-Q, with information about material changes, additions or updates to cybersecurity incidents previously reported under Item 1.05 of Form 8-K (as described above), as well as about any series of previously undisclosed, individually immaterial cybersecurity incidents that have become material in the aggregate. The types of disclosure that may need to be provided with respect to previously reported incidents include:

  • Any material impact of the incidents on the operations and financial condition of the company;

  • Any potential material future impact on the operations and financial condition of the company;

  • Whether the company has remedied or is in the process of remediating the incidents; and

  • Any changes in company policies and procedures as a result of the incidents, and how the incidents may have informed those changes.

With respect to any series of previously undisclosed, individually immaterial cybersecurity incidents that have become material in the aggregate, the disclosure to be provided is the same as that required under Item 1.05 of Form 8-K.

Beyond disclosure regarding cybersecurity incidents, Item 106 would also require a company to provide the following disclosures about its cybersecurity risk management, strategy and governance in its Form 10-K:

  • Policies and procedures, if any, to identify and manage cybersecurity risks, with specific discussion of whether, among other things:

    • The company has a cybersecurity risk assessment program;

    • The company engages evaluators, consultants, auditors or other third parties in connection with the program;

    • The company has business continuity, contingency and cybersecurity incident recovery plans; and

    • Changes in corporate governance, policies and procedures, or technologies have been informed by past cybersecurity incidents.

  • The role of the board of directors in overseeing cybersecurity risks, including the processes by which the board is informed of cybersecurity risks, the frequency of its discussions on the subject, and whether and how the board (or a committee of the board) considers cybersecurity risks as part of its business strategy, risk management and financial oversight; and

  • Management’s role and relevant expertise in assessing and managing cybersecurity risks and implementing related policies, procedures and strategies.

Board Cybersecurity Expertise – New Regulation S-K Item 407(j) (Form 10-K or Proxy Statement)

Finally, given the continued focus on the role of a company's board of directors in cybersecurity, the SEC proposed to amend existing Item 407 of Regulation S-K to require disclosure of any cybersecurity expertise of the members of a company's board of directors, including the name(s) of those directors. While the SEC has not defined what constitutes cybersecurity expertise, it does note that in making the determination a company should consider, among other things, a director's prior work experience in cybersecurity, any certification or degree in cybersecurity, and any other knowledge, skills or background in cybersecurity.

Next steps

The proposed rules are subject to a comment period of at least 60 days. In light of the proposed disclosure requirements, companies should: (1) review and assess their policies and procedures for identifying and managing cybersecurity risks, including management's role in this regard; (2) analyze their cybersecurity governance, particularly with respect to oversight by their boards of directors; (3) review the proposed reporting mechanisms for material cybersecurity incidents, particularly the materiality determination and the reporting of previously undisclosed, individually immaterial incidents that become material in the aggregate; and (4) continue to consider cybersecurity expertise in their assessment of current and prospective board members.


¹ See Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, available at (March 9, 2022).

² See CF Disclosure Guidance: Topic No. 2, available at (October 13, 2011).

³ See Commission Statement and Guidance on Public Company Cybersecurity Disclosures, available at (February 26, 2018).

Copyright © 2022 Womble Bond Dickinson (US) LLP. All rights reserved. National Law Review, Volume XII, Number 70
