SEC Proposes New Cybersecurity Disclosure Rules for Incident Reporting, Risk Management, Strategy and Governance – Perkins Coie | Region & Cash

As cybersecurity threats to the private and public sectors increase, the government has continued efforts to improve cybersecurity outside of government-controlled systems. On March 9, 2022, the US Securities and Exchange Commission (SEC) published proposed rules related to cybersecurity risk management, strategy, governance and incident disclosure for publicly traded companies subject to the reporting requirements of the Securities Exchange Act of 1934. These rules are different from rules proposed for registered funds and advisers from February 2022 and are intended to improve and standardize public company disclosures.

Noting long-standing concerns about the need for organizations to maintain secure and reliable information systems, the SEC also highlighted new and growing vulnerabilities and threats such as digitization, remote working, reliance on cloud and other third-party services, digital and virtual payments, and sophisticated ransomware- and malware campaigns. These factors pose a risk to the broader economy, generating costs and consequences for companies and investors. As a result, the SEC found that “cybersecurity is among the most critical governance-related issues for investors” and that “there may also be a positive correlation between a registrant’s stock price and investments in certain cybersecurity technologies.” The SEC further assessed that cybersecurity-related disclosures based on its 2018 Interpretive Release did not conform to uniform material or procedural standards and were not always distinguished from other, unrelated disclosures.

Accordingly, the SEC found that investors would benefit from “more timely and consistent disclosures” by publicly traded companies of several categories of cybersecurity-related information: (1) material cybersecurity incidents, (2) risk management and strategy, (3) governance and ( 4) Cybersecurity expertise among board members. The reporting requirements proposed by the SEC are discussed in more detail below.

Major cybersecurity incidents

The SEC is proposing to amend the Form 8-K to require disclosure of “material” cybersecurity incidents within four business days. The four-day period would begin after an organization has determined that a cybersecurity incident was material, rather than from the date of the incident itself. In this regard, the rule would require an organization to make a materiality determination “as soon as reasonably practicable” after an incident was discovered. In particular, the proposed rule does not contain a provision to delay a report so as not to hamper an internal – or external – investigation.

The definition of “materiality” plays an important role in determining the scope of this reporting obligation. The SEC proposed the familiar definition that courts use in securities cases: Information is material “when there is a reasonable likelihood that a reasonable shareholder would consider it important” to making an investment decision, or when disclosure “would change materially.”[] the “overall mix” of information made available to investors”. TSC Industry. v. Northway426, US 438, 449 (1976); Basic, Inc. v. Levinson485 US 224 , 232 (1988). In the cybersecurity context, a materiality analysis would include quantitative and qualitative assessments of both the likelihood and potential magnitude of losses.

The SEC provided the following examples of incidents that would trigger reporting requirements if an entity determines they are material: compromising the confidentiality, integrity, or availability of data or a network; an impact on operational technology systems; theft, unavailability or authorization of sensitive business information; blackmail-related threats to release stolen information; and ransomware attacks.

The proposal would require a company to report, to the extent known, the following: (1) when an incident was discovered and whether it was ongoing; (2) a brief description of the incident; (3) whether data has been extracted, altered, accessed or used for any unauthorized purpose; (4) how the incident affected the Company’s operations; and (5) whether the Company had or was in the process of resolving the incident. The SEC would Not expect that such disclosures—which would be public—contain specific or technical information about its response plans, security systems, networks, vulnerabilities, or other information that could assist attackers or hinder remedial efforts. The proposed rule would thus balance the SEC’s assessment of what investors need to know quickly against the potential risks of detailed public disclosure.

The SEC also proposes to amend Forms 10-Q and 10-K to update previous cybersecurity incident disclosures, including past and potential company impacts, status of remediation efforts, and upcoming changes to the company’s cybersecurity posture. The changes would also require disclosure of each set of individually non-material cybersecurity incidents that collectively become material.

risk management and strategy

A proposed change to Regulation SK would require “consistent and informative” disclosure of cybersecurity risk management and strategy. In addition to disclosing a company’s own cyber risk management, the new rule would also include disclosures about how a company selects and monitors third-party providers to manage and mitigate cyber risk. The rule would further require disclosure of how a company considers its overall business strategy and plans for the cyber risks associated with its business model, such as: B. the collection and handling of sensitive data or the increasing dependence on technology. The rule is intended to provide investors with information sufficient to assess the risk to a company and how the company works to manage those risks and their potential impact. To that end, where appropriate, the rule would require disclosure of whether (1) the organization has a cybersecurity risk assessment and management program in place (if so, the rule would require a description); (2) Company engages third parties in connection with the Program; (3) the company has policies and procedures for assessing cyber risks associated with third party providers and considers the risks of third party providers when selecting and monitoring these providers; (4) the company’s cybersecurity programs are informed of previous cybersecurity incidents; (5) cyber security risks and incidents have affected or could reasonably affect the business; and (6) cyber security risks are considered as part of the company’s business strategy, planning and capital allocation (and how).

guide

The SEC is also proposing to amend Regulation SK requirements to require companies to disclose how both board and management hold accountability for cyber risk. Proposed disclosures would include details on “cybersecurity governance, including board oversight of cybersecurity risks.” Required disclosures include, but are not limited to (1) whether cybersecurity risk oversight is the responsibility of the entire board, a committee, or specific board members; (2) procedures for informing the board of directors about cybersecurity risks and how often the board discusses those risks; and (3) whether and how the board (or committee) assesses cyber risk as part of its overall strategy, risk management and financial oversight.

In addition to a description of the board’s responsibilities, the proposed rule would require “a description of management’s role in the assessment and management of cybersecurity risks.” Organizations would need to describe management’s cybersecurity expertise and role in implementing cybersecurity measures. Examples of disclosures include (1) the responsibilities of managers or management committees for cyber risk assessment and management, including mitigation, and their relevant expertise; (2) whether the company has a chief information security officer (CISO) or similar role, the management chain to which that role reports, and the relevant expertise of the incumbent; (3) the process by which managers responsible for cybersecurity are informed of and oversee cybersecurity efforts, including the identification and remediation of cybersecurity incidents; and (4) whether and how often managers responsible for cybersecurity report to the board (or board committee) on cyber risks.

expertise

Further amendment to Regulation SK would require disclosure of directors’ cybersecurity expertise. Companies would identify those directors with relevant expertise and describe the nature of that expertise, which could include previous work experience, degrees or certifications, and relevant knowledge and skills. The description of a director as a cybersecurity professional in such disclosure would not result in that director being considered a cybersecurity professional for any other purpose; would not impose any additional duties, obligations or liabilities on that Director; and would not limit the duties and responsibilities of any other director.

Note: The comment period for the proposed rules is May 9, 2022. If you have any questions about the proposed rules and their impact on an individual or entity, please seek advice and guidance on how to comply with the reporting requirements once they become effective.

© 2022 Perkins Coie LLP

Leave a Comment