As cyber-attacks continue to increase in frequency and intensity, companies have raced to tighten controls. Against this backdrop, last month the SEC adopted a set of cyber-security disclosure rules for public companies that require issuers to provide information to their investors and the market about material cyber-security incidents and the controls they have in place to protect against such attacks. The rules, which go into effect at the end of the year, will also cause investors to pay more attention to cyber-vulnerability and preparedness.
What is in the new SEC rules?
At a high level, the rules cover two sets of disclosure obligations. First, they require issuers to report material cyber-security incidents on Form 8K within four business days of determining that the incident is material. Whether an incident should be considered ‘material’ will be determined under the long-standing ‘reasonable shareholder’ and ‘total mix of information’ standard used to determine whether events require disclosure.
The SEC rules require companies disclosing a reportable incident to describe the material aspects of the incident (nature, scope and timing) and its material impact (actual and expected) on the company, its finances and its operations.
The rules also require issuers to make annual disclosures about their cyber-security risk management, strategy and governance. Companies will be required to disclose on Form 10K their processes for assessing, identifying and managing material risks from cyber-security threats.
This includes whether and how these processes have been integrated into the company’s overall risk-management system, whether any third parties are involved and what controls are in place to address risks arising from vulnerabilities associated with using third-party service providers.
Companies will also need to describe how cyber-security threats have materially impacted the business’s strategy, results of operations or financial condition. In addition, companies must describe their board’s oversight of cyber-security risks and management’s role in assessing and managing these risks.
Foreign private issuers will be subject to comparable requirements. These issuers will need to disclose material cyber-security incidents on Form 6K and make annual cyber-security risk-management disclosures on Form 20F.
What changed from the initial proposal?
The SEC’s cyber-security reporting rules were first proposed in early March 2022 and – as might be expected – the proposal received significant commentary. In the intervening 15 months, the SEC revised the proposal to include some noteworthy changes.
With regards to incident reporting, key revisions include:
- Narrowing the information required to be disclosed about an incident. Recognizing that some details, such as remediation status and what data was compromised, may increase risk, the SEC chose to leave the decision of whether to disclose such details to the discretion of the company.
- Adding narrow provisions for when reporting may be delayed, specifically when the US attorney general makes a determination in writing that disclosure would pose a substantial risk to national security or public safety (likely a rare occurrence in practice).
- Changing how companies should report material updates, instructing companies to issue amended Form 8Ks rather than including updated information in regular reports.
- Eliminating the requirement to report incidents that in isolation are immaterial but that may be material when considered in the aggregate with other incidents. In practice, this may not be a meaningful change, as the SEC also broadened the definition of ‘cyber-security incident’ to specifically include ‘a series of related unauthorized occurrences’.
The SEC also made some modifications to the required annual disclosures, including:
- Significantly narrowing the details of what needs to be disclosed with respect to risk management, strategy and governance. This includes adding materiality qualifiers and reducing the level of detail required with respect to risk arising from third-party service providers.
- Clarifying that disclosures should refer to ‘processes’ versus ‘policies and procedures’. This is a change made to capture processes that may not have been formally codified or written, but that nevertheless may provide insight into a company’s cyber-security preparedness.
- Removing disclosure of several board-related issues, including descriptions of how cyber-security is integrated into overall strategy, the frequency of board discussions on cyber-security and disclosure of the level of cyber-security expertise board members possess. These changes reflect the SEC’s recognition that cyber-security is generally handled at the senior management level.
These changes may provide a window into the SEC’s areas of focus when it begins enforcing the rules, and they should be noted by any issuers that proactively began preparing for the rules when they were first proposed in early 2022.
Key takeaways
The SEC’s new disclosure requirements will likely increase investor scrutiny of a company’s cyber-security governance and controls. Accordingly, it is more important than ever for compliance teams and senior management to ensure they understand their company’s cyber-security weaknesses and vulnerabilities.
In particular, to address the SEC’s disclosure rules, issuers should consider the following steps:
- Ensuring teams in charge of cyber-incident response and reporting are aware of the new rules and have a clear escalation line to internal resources that manage SEC reporting. This may require new lines of communication.
- Conversely, ensuring the company’s SEC reporting process includes consideration of cyber-security incidents and controls.
- Reviewing existing cyber-security policies and processes to determine whether additional resources and support are needed.
- Conducting risk assessments to identify and mitigate cyber-security vulnerabilities.
- Assessing cyber-security expertise at the senior management level. This is a particularly important issue given the new reporting requirements.
- Addressing potential vulnerabilities and risks arising from use of third-party service providers, whether by contractual arrangement and/or through effective diligence.
In addition, companies should make sure board members stay abreast of these issues. The SEC refrained from explicitly requiring that companies disclose board members’ cyber-security expertise and integration of cyber-security into an issuer’s overall strategy and governance, a retrenchment that may support limiting liability in an enforcement and private litigation context. Nevertheless, the fact that the SEC’s original proposal included these requirements suggests the SEC considers board oversight to be important.
The new disclosure rules reflect a continuing trend of regulators around the world tightening cyber-security standards. In fact, the SEC is considering more rules to enhance prescriptive obligations. In the meantime, these disclosure rules will increase scrutiny of cyber-security risks and vulnerabilities, bringing pressure to ensure issuers properly address these concerns.
Megan Gordon and Daniel Silver are partners with Clifford Chance. Brian Yin is an associate with the firm. They thank their colleague Rebecca Hoskins for her contribution to this article.