On 09 March 2022, the US Securities and Exchange Commission (SEC) proposed amendments to its rules on disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. These rules are intended to enhance and standardize cybersecurity disclosures, and, if adopted in their current form, would require public companies to disclose cybersecurity-related policies, procedures and all material cybersecurity incidents.

Key Takeaways

  • On 9 March 2022, the SEC proposed new disclosure requirements related to cybersecurity risk management, strategy, governance, and incident reporting.
  • Under the proposed rules, public companies would be required to file a report on Form 8-K within four business days of determining that a cybersecurity incident was material and would be required to report material changes as a result of the incident.
  • Public companies should consider updating or adopting cybersecurity policies and procedures, as the proposed rules would require disclosure of such policies and governance practices surrounding their implementation. 

Incident Reporting Requirements

Current incident reporting (Item 1.05 of Form 8-K)

The proposed rules would create a new reporting obligation on material cybersecurity incidents. In content and substance, this obligation is similar to US state data breach notification laws. Unlike data breach notification laws, however, a cybersecurity incident can be considered material even if it does not impact personal data. For example, an unauthorized party accessing, or exceeding authorized access, and altering, or stealing sensitive business information, intellectual property, or information that resulted, or may result, in a loss or liability for the company would be a material cybersecurity incident under the proposed rules, even though no personal data was affected.

In the proposed new Item 1.05 of Form 8-K, public companies would be required to provide specific information within four business days of determining that a material cybersecurity incident had occurred. Public companies would have to determine materiality as soon as reasonably practicable after the discovery of the incident. Some state data breach notification laws allow entities to delay notification to the relevant authorities in order to avoid impeding with a law enforcement investigation. The SEC, however, explicitly distinguishes this reporting obligation by stating that in “a situation in which a state law delay provision would excuse notification, there is a possibility a registrant would be required to disclose the incident on Form 8-K even though it could delay incident reporting under a particular state law”.

To the extent known at the time of the filing, public companies would be required to provide particular information about the material cybersecurity incident, including:

  1. The date the incident was discovered, and if the incident remains live.
  2. The nature and scope of the incident.
  3. If any data was stolen, altered, accessed, or used for any other unauthorized purpose.
  4. The impact of the incident on company operations.
  5. If the incident has been remediated or is in the process of being remediated.

The SEC does clarify it does not expect public companies to publicly disclose specific, technical information about its planned response to the incident or its cybersecurity systems. Notably, the proposed rules do not include a definition of materiality as it relates to cybersecurity incidents.

Periodic incident reporting (Forms 10-K and 10-Q)

Because the Form 8-K disclosure requirement, if adopted, will lead to reports with incomplete information about a material cybersecurity incident, proposed Item 106(d)(1) of Regulation S-K would require public companies to disclose any material changes, additions, or updates to prior cybersecurity incidents in periodic reports.

Some examples of a material change include becoming aware of additional information, such as learning more about the scope of the incident or whether data was somehow altered, and any material impact of the incident on the public company’s operations and financial condition.

The SEC also recognizes that incidents previously considered immaterial may become material in the aggregate, triggering a reporting obligation. Proposed Item 106(d)(2) would require disclosure when a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate. Public companies will need to analyze related cybersecurity incidents for materiality, both individually and in the aggregate.

Cybersecurity policies and procedures

In addition to the disclosures regarding cybersecurity incidents, the SEC’s proposed Item 106 of Regulation S-K would require public companies to describe any policies and procedures in place to identify and manage cybersecurity risks in great detail. The SEC’s proposed rules suggest public companies should disclose whether cybersecurity policies or procedures play a role in the company’s financial planning, capital allocation and business strategy. Any mechanisms the company has in place to mitigate cybersecurity risks that arise from third-party interactions or access to company data would be disclosed as well.

Board Involvement in Cybersecurity

Board processes

As part of the proposed disclosure regarding a company’s policies and procedures, the SEC focused on disclosures related to the role governance plays in protecting against cybersecurity incidents. Proposed Item 106 of Regulation S-K would require public companies to disclose details about the board’s oversight of cybersecurity risk, including disclosure about how frequently the board discussed its cybersecurity incidents, policies and procedures.

Management processes

The disclosures under proposed Item 106 of Regulation S-K would require public companies to discuss management’s role in assessing and managing cybersecurity risks and implementing the company’s cybersecurity policies and procedures as well. Under the proposed rules, companies would be required to disclose whether or not they have a Chief Information Security Officer, as well as that person’s background and expertise.

Comment Period

This rulemaking represents proposals by the SEC and the Commission is currently seeking public comment. The comment period for this rule proposal will be open for 60 days from the date on which the proposal appears in the Federal Register. Once comments are received, the SEC will consider those comments prior to issuing a final rule.

Director expertise

The SEC’s proposed rules include an amendment to Item 407 of Regulation S-K that would require annual reporting or proxy disclosure about the board of directors’ cybersecurity expertise if any. Specifically, proposed amendments to Item 407(j) would require public companies to disclose the names of any directors with expertise in cybersecurity and detail the nature of their expertise.

Author

Amy serves as the Co-chair of Baker McKenzie's North American Financial Regulation and Enforcement Practice, which provides our clients with a full range of regulatory advice and enforcement counseling. Amy also serves on the steering committees of the Firm's Global Financial Services Regulatory and Global Financial Institutions Groups. Previously, Amy has served as chief litigation counsel at the US Securities and Exchange Commission's (SEC) Philadelphia regional office and managed a team of lawyers overseeing a wide variety of enforcement matters.

Author

Cyrus Vance Jr. is a partner in Baker McKenzie's North America Litigation and Government Enforcement Practice as well as the Firm's Global Compliance and Investigations Practice. He is based in New York and serves as Global Chair of the Cybersecurity Practice. Prior to joining Baker McKenzie, Cyrus served three consecutive four-year terms as Manhattan District Attorney. In this role, he oversaw a team of more than 600 prosecutors handling landmark criminal prosecutions and more than 100,000 cases each year, including investigations and prosecutions of complex, high-profile white collar and business crimes both in the US and internationally, coordinating with global crime-fighting partners including City of London Police, Paris Prosecutors’ Office, Singapore Attorney General, Europol, and Interpol.

Author

Brian Hengesbaugh is Chair of the Firm's Global Data Privacy and Security Business Unit, a Member of the Firm's Global IP Tech Steering Committee, and a Member of the Firm's Financial Institutions' Group. Brian is listed in The Legal 500 Hall of Fame and was recognized as a Regulatory & Compliance Trailblazer by the National Law Journal. He is also listed as a Leading Lawyer for Cyber law (including data protection and privacy) in The Legal 500 and is listed in Chambers.

Author

Jennifer serves as the Co-chair of Baker McKenzie's Financial Regulation and Enforcement Practice in North America. Jen is an experienced investment management lawyer with particular focus on investment adviser regulation and the convergence of investment advisory and brokerage services. She regularly represents clients before the US Securities and Exchange Commission (SEC), both in seeking interpretative guidance and in managing examination and enforcement matters. Jen is a leading practitioner in digital investment advice and the use of FinTech in the asset management industry.

Author

Jeremy Moore is a member of the Firm's North America Transactional Practice Group based in the Houston office. Jeremy's practice focuses on mergers and acquisitions, public offerings and private placements of debt and equity securities, private equity investments and general corporate matters. Mr. Moore also advises clients on securities compliance issues, including Exchange Act reporting.

Author

Harry A. Valetk is a partner in the Global Privacy and Security Practice group based in New York, advising global organizations on privacy and data security compliance requirements. He regularly supports companies in financial services, retail, pharmaceutical/ healthcare, travel/hospitality, cloud technology, and manufacturing industries. His practice is focused on delivering commercially practical advice to highly regulated companies on designing security, privacy, and technologically compliant solutions.

Author

Dominic Panakal is an associate in Baker McKenzie's Privacy and Technology practice, based in the New York office. Dominic was named by National Law Review as a "Go-To Thought Leader" for Cybersecurity.

Author

Sarah J. Rodrigue is an associate in the Transactional practice group of Baker McKenzie’s Houston office. Sarah began her career with the Firm as a summer associate in 2018.