On March 9, 2022, the Securities and Exchange Commission (the "SEC" or the "Commission") voted 3-1 to propose rules requiring current reporting on Form 8-K of material cybersecurity incidents, and periodic reporting on Form 10-Q or Form 10-K of any material updates to previously reported incidents.1 Most notably, the SEC proposes to require a registrant to disclose a cybersecurity incident within four business days after the registrant determines that the incident is material. In addition, a registrant would be required to provide in its Form 10-K disclosures about (A) its policies and procedures to identify and manage cybersecurity risk, (B) management's role and expertise in implementing the registrant's cybersecurity policies, procedures, and strategies, and (C) the board of directors' oversight role.2 Finally, the proposed rules would require disclosure of the cybersecurity expertise of a registrant's directors, both in the registrant's proxy or information statement when action is to be taken with respect to the election of directors and in its Form 10-K.3

The SEC's proposals build upon the interpretive guidance it issued in 2018 to assist public companies in determining when they may be required to disclose information regarding cybersecurity risks and incidents under existing disclosure rules.4

Form 8-K Amendments: Material Cybersecurity Incidents

The proposed amendments would add a new Item 1.05 to Form 8-K requiring a registrant to disclose information about a cybersecurity incident within four business days after the registrant determines that the incident is material. The four-business-day clock therefore runs from the materiality determination, not from discovery of the incident; a registrant would be required to make that materiality determination as soon as reasonably practicable after discovery.

As to when an incident is "material," the Proposing Release points to the tests set forth in cases such as Basic, Inc. v. Levinson and TSC Industries, Inc. v. Northway, Inc.5 "Cybersecurity incident" is defined broadly in the proposal: "an unauthorized occurrence on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein."6 "Information systems" is defined broadly to include any information resources owned or used by the registrant.

A registrant would be required to disclose in the Form 8-K the following about a material cybersecurity incident, to the extent the information is known at the time of filing: (i) when the incident was discovered and whether it is ongoing; (ii) a description of the nature and scope of the incident; (iii) whether any data was stolen, accessed, altered, or used for any unauthorized purpose; (iv) the effect of the incident on the registrant's operations; and (v) whether the registrant has remediated or is currently remediating the incident.7

The Proposing Release acknowledges that many states have laws that allow companies to delay providing public notice about a data breach, or notifying certain constituencies of such an incident, if law enforcement determines that notification would impede a civil or criminal investigation.8 However, the SEC dismissed those concerns, stating that such state law obligations are distinct from a company's obligation to disclose material information to its shareholders under the federal securities laws. In addition, the SEC highlighted that, under the Proposing Release, a registrant would not be required to publicly disclose specific, technical information about its planned response to the incident or its cybersecurity systems, or to describe potential system vulnerabilities in detail. On that basis, the SEC believes that the required reporting would not impede a registrant's response to or remediation of the incident, and the Commission therefore rejected the possibility of a reporting delay while an internal or external investigation of the cybersecurity incident is ongoing. Instead, the Proposing Release emphasizes the importance of prompt public disclosure of information regarding material cybersecurity incidents to investor protection and to well-functioning, orderly, and efficient markets.9


Footnotes

1. See Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Securities Exchange Act of 1934 (the "Exchange Act") Release No. 94382 (Mar. 9, 2022) (the "Proposing Release").

2. Id. at p. 19.

3. Id. at p. 19. A description of the filing requirements for foreign private issuers is set forth below.

4. See Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release No. 33-10459 (Feb. 21, 2018) [83 FR 8166].

5. Id. at pp. 22-23. Information is material if "there is a substantial likelihood that a reasonable shareholder would consider it important" in making an investment decision, or if it would have "significantly altered the 'total mix' of information made available." TSC Industries v. Northway, 426 U.S. at 449. In articulating this materiality standard, the Supreme Court recognized that "[d]oubts as to the critical nature" of the relevant information "will be commonplace." But "particularly in view of the prophylactic purpose" of the securities laws, and "the fact that the content" of the disclosure "is within management's control, it is appropriate that these doubts be resolved in favor of those the statute is designed to protect," namely investors. Id. at 448.

6. Id. at p. 20. 

7. Id. at p. 21.

8. Id. at pp. 25-26.

9. Id.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.