Cybersecurity Refresh: SEC Proposes New Cybersecurity Disclosure Rules

PDF

On March 9, 2022, the Securities and Exchange Commission (the “SEC”) voted to propose new cybersecurity disclosure rules for public companies. The aim of the proposed rules, which build upon interpretive guidance provided in 2011 and 2018, is to better inform investors about public companies’ risk management, strategy, and governance related to cybersecurity, as well as to provide timely notification to investors of material cybersecurity incidents.

Specifically, the SEC is proposing to:

• Require registrants to disclose material cybersecurity incidents in a Form 8-K (under a new Item 1.05) within four business days after the registrant determines that it has experienced a material “cybersecurity incident,” which is defined as “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” The rule proposal emphasizes the diligence expected of registrants in assessing materiality for purposes of complying with this new 8-K triggering event, which will require enhancements to disclosure controls and procedures for most public companies. Furthermore, the SEC states in its proposing release that ongoing internal and external investigations will not provide a basis for avoiding or delaying real‑time disclosure of material cybersecurity incidents. We expect this aspect of the proposed rulemaking – which prioritizes investors’ interest in real-time disclosure over the impact of such disclosures on ongoing investigations – to be a focal point of comments.
• Add a new Item 106 to Regulation S-K, which would call for registrants to make the following cybersecurity disclosures (primarily in the 10-K):
  
  - Describe the registrant’s policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether the registrant considers cybersecurity as part of its business strategy, financial planning, and capital allocation;
  
  - Disclose information regarding the board's oversight of cybersecurity risk;
  
  - Discuss management’s role and expertise in assessing and managing cybersecurity risk and implementing the registrant’s cybersecurity policies, procedures, and strategies;
  
  - Provide updated disclosure (in both 10-K and 10-Q filings) relating to cybersecurity incidents previously disclosed in a Form 8-K; and
  
  - Disclose, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate.

• Amend Item 407 of Regulation S-K to require disclosure in proxy statements and 10-Ks regarding whether any member of the registrant’s board of directors has cybersecurity expertise. Where a registrant has concluded that a director has cybersecurity expertise, the registrant would need to disclose the name of the director and fully describe the nature of the expertise. While the proposed rules do not define what constitutes “cybersecurity expertise,” the SEC provides a non‑exclusive list of criteria that a registrant should consider in reaching a determination on whether a director has expertise in cybersecurity.

The proposal would also require cybersecurity disclosures to be presented in inline eXtensible Business Reporting Language (iXBRL) format. Similar disclosure requirements are proposed for foreign private issuers.

The comment period will remain open for 60 days following publication of the proposing release on the SEC’s website or 30 days following publication of the proposing release in the Federal Register, whichever period is longer. For additional details, see the proposing release. Until the SEC adopts a final rule, registrants should continue to refer to the 2011 and 2018 interpretive guidance.

For additional information regarding the SEC proposed rulemaking, please contact a member of Maynard’s Cybersecurity and Privacy or Public Company Advisory teams.

Maynard’s next Public Company Breakfast Briefing, scheduled for Friday, May 20, 2022, will feature an in-depth discussion by members of the Cybersecurity and Public Company Advisory teams on cybersecurity issues facing public companies, including an assessment of the potential impact of the SEC’s proposed new disclosure rules on the handling of cybersecurity incidents frequently experienced by public companies.