SEC proposes new rules on public company cybersecurity incident reporting, risk management disclosures

The Securities and Exchange Commission (SEC) recently proposed rules requiring public companies to disclose a “material” cybersecurity incident within four days after determining materiality. The proposed rules, which are also meant to better inform investors about a company’s risk management programs, bring substantial new cybersecurity reporting requirements for SEC registrants. 

In announcing the proposal, the SEC noted that today’s increasingly damaging cyberattacks pose an escalating risk to public companies, investors, and market participants. Yet material cybersecurity incidents are often underreported or are not disclosed in a timely manner. 

The proposed rules are meant “to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents,” the proposal states. 

There are 60 days for public comment on the proposals, due on or before May 9, 2022. 

Get ready for rapid reporting

The most challenging aspect of the proposed rules is the mandate to file a Form 8-K report on a material cybersecurity incident within four business days after determining that an incident is material. (The timeline is based on the date the incident is determined to be material, not the date it was discovered, “so as to focus the Form 8-K disclosure on incidents that are material to investors,” the proposal states; but they make clear that they expect those materiality determinations to be made as soon as “reasonably practicable.”) 

These Form 8-K disclosures would have to include:  

• When the event was discovered (and if it is still in progress)
• Description of events
• Theft, access, or unauthorized use of data 
• Effects on operations
• Status of remediation 

The proposed rules would also mandate periodic updates of previous material incidents and any undisclosed incidents that, in retrospect, appear to have been material. Newly proposed Items 106(b) and (c) of Regulation S-K would require additional disclosures that include:

• Policies and procedures in place to identify and manage cybersecurity threats
• Management’s role in assessing and managing cyber-risks
• Cybersecurity governance, including the board of directors’ oversight of cyber-risks
• Any board expertise in overseeing cybersecurity risks, including the names of board members that possess such expertise through prior work experience, certification, or degree (new Item 407(j) of Regulation S-K)

The emphasis on board reporting is not surprising. Board involvement in cybersecurity programs has become a business imperative in recent years as cyberattacks become increasingly frequent and damaging. In fact, Gartner predicts that by 2025, 40% of boards will have a dedicated cybersecurity committee overseen by a qualified board member, up from less than 10% today. Board proficiency in cybersecurity indicates that an organization understands that cybersecurity has become a core business requirement – not an IT issue – that must be driven from the top down.

Determining materiality 

The SEC synthesized its criteria for materiality from existing Supreme Court rulings. Quoting from these rulings, the Commission encapsulated these decisions by noting that an incident becomes material if “there is a substantial likelihood that a reasonable shareholder would consider it important” when making investment decisions or if the incident would have “significantly altered the ‘total mix’ of information made available.” In other words, materiality would be determined by the significance a reasonable investor would place on the incident. 

According to the proposal, examples of material incidents include:

• Compromises of the confidentiality, integrity, or availability of an information asset
• Degradation, interruption, loss of control, damage to, or loss of operational technology systems
• Unauthorized access by a third party that results in alteration or theft of sensitive data or information that results in a financial loss or liability 
• A malicious actor offers to sell or threatens to disclose sensitive data
• A malicious actor demands payment to restore company data that was stolen or altered.

This materiality analysis would require registrants to delve deep into impacted systems, data, and networks. Organizations would need to “thoroughly and objectively” evaluate all pertinent information, including facts and circumstances surrounding the incident. The analysis should include both quantitative and qualitative factors. 

This would be a towering challenge for companies that lack expertise – or even basic experience – in performing a materiality assessment. The four-day reporting deadline would exacerbate an already complex process and could strain existing security teams. 

It’s time to take security seriously

The proposed rules are timely due to today’s escalating risks. The SEC says cybersecurity risks are rising due to: 

• Digitization of business operations
• Increase in remote work 
• Growing monetization of cyberattacks 
• Proliferation of digital payments 
• Increasing reliance on third-party service providers (and resulting escalation in incidents due to third-party provider vulnerabilities) 
• Increasingly sophisticated and effective cyberattack methods

It’s likely that many SEC registrants are aware of risk creep. Yet many (small to mid-size publicly traded companies) haven’t seriously addressed, much less implemented, cybersecurity risk management programs. For these companies, the SEC reporting requirements would likely be a very heavy lift.  

For instance, the four-day deadline to report an incident is an incredibly tight timeframe that would be challenging for most organizations, regardless of cybersecurity maturity and capabilities. Impacted organizations would need to get their forensics investigators on the ground to gather relevant data and perform a materiality analysis as quickly as possible, then deliver results within 96 hours.

Human expertise would be needed to objectively evaluate the total mix of information. For instance, the assessment should take into consideration all relevant facts and circumstances surrounding incidents, some of which may not have been captured by IT systems. 

On the upside, the SEC says that reporting of material cybersecurity incidents within four days would significantly improve the timeliness of incident disclosures, as well as provide investors with more “standardized and comparable” information. 

For their part, SEC registrants should take the proposed rules seriously. They provide a top-down approach to risk-based cybersecurity that can help businesses build a solid reputation – and trust – among investors, customers, and business partners.