SEC Proposes New Cybersecurity Risk Management Rules
Protecting information systems and sensitive data from cyberattacks is more critical than ever. Cybersecurity has become a growing area of concern for many companies, especially given the heightened threat from Russian hackers.
In response, the U.S. government is getting tougher on regulation. Top U.S. cyber officials are implementing measures to strengthen the government’s role in cybersecurity regulation.
“We’re at an inflection point. When critical functions that serve the needs of society are at issue, some things are just not discretionary,” stated Chris Inglis, the White House’s National Cyber Director.
The U.S. Securities and Exchange Commission (SEC) proposed new cybersecurity disclosure rules for publicly listed companies in March 2022. The proposed rules mark a significant expansion of federal securities disclosure requirements, not of privacy law; their purpose is to enhance and standardize public company disclosures relating to cybersecurity. Unlike the SEC’s prior staff and interpretive guidance, these rules would create mandatory disclosure requirements.
Reporting of Material Cybersecurity Incidents
The proposed rule, Item 106 of Regulation S-K, defines a “cybersecurity incident” as “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” Note that the definition is not limited to confirmed data theft: an event that jeopardizes availability alone (for example, a ransomware outage) qualifies.
While it depends on the company’s specific facts and circumstances, examples of material cybersecurity incidents may include:
- A security breach that has compromised the confidentiality, integrity, or availability of data or information networks
- A security breach that caused damage, interruption, or loss of operational technology systems
- A cyberattack in which a malicious actor has threatened to publicly leak sensitive data
- A cyberattack in which a malicious actor has demanded a ransom payment in exchange for the return of access to computer files, systems, or network
Under the proposed rules, companies would disclose their cybersecurity policies and procedures on an annual basis. Such disclosure would be included in the Annual Report on Form 10-K that public companies must file with the SEC each year.
Companies would include any material updates to cybersecurity policies and procedures in a Quarterly Report on Form 10-Q. If a material incident occurred, companies would disclose it on a Form 8-K Current Report within four business days. The clock runs from the date the company determines the incident is material, not from the date of the breach itself or the date it was discovered, so the materiality determination should be made without unreasonable delay after discovery.
The SEC has also proposed a rule change regarding cybersecurity expertise on public company boards. The proposal seeks to amend Item 407 of Regulation S-K in order to require companies to identify any director who has cyber expertise.
Additionally, under Item 106(c)(1) of Regulation S-K, companies would need to explain whether the entire board of directors, specific board members, or a board committee has oversight of cybersecurity risk management efforts.
Material Cybersecurity Incidents on Form 8-K
Within four business days of determining that a material cybersecurity incident has occurred, public companies would be required to report under proposed Item 1.05 of Form 8-K:
- A brief description of the nature and scope of the cybersecurity breach
- When the company discovered the incident
- Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose
- Whether the company has remediated or is currently remediating the incident
- The impact on the company’s operations and whether the issue is ongoing
Materiality on an Aggregate Basis
Some companies may have had a series of minor cybersecurity incidents that are material in the aggregate, for example repeated intrusions by the same threat actor or a recurring weakness that is exploited several times. As a result, companies need to assess cyber incidents on an ongoing, aggregate basis, not only one event at a time. The total mix of information, including both quantitative and qualitative factors, determines whether individually minor incidents are, taken together, material enough to warrant public disclosure. Under proposed Item 106(d)(2) of Regulation S-K, companies would disclose in their periodic reports (Form 10-Q or Form 10-K) when a series of previously undisclosed, individually immaterial cybersecurity incidents has become material in the aggregate.
Application to Foreign Private Issuers
The proposed cybersecurity disclosure rules would also apply to foreign private issuers. Such companies would furnish a Form 6-K to report material cybersecurity incidents, and would disclose material updates to their cybersecurity policies and procedures, along with updates on previously reported incidents, in their Annual Report on Form 20-F.
Rationale for the New Rules
Companies, investors, and market participants may face a number of consequences as a result of cybersecurity threats and incidents. Such consequences may include:
- Business interruption costs
- Remediation costs
- Payments to meet ransom demands
- Litigation risks
- Harm to the company’s competitive position
“Cyber risk relates to each part of the SEC’s three-part mission, and in particular to our goals of protecting investors and maintaining orderly markets,” said SEC Chair Gary Gensler, announcing the Commission’s companion February 2022 cybersecurity proposal for investment advisers and funds. “The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks.”