On March 9, 2022, the SEC finally released its long-anticipated updated cybersecurity disclosure requirements. The proposed rules, which include specifications both for incident reporting and for risk management and governance disclosure, were adopted by a 3-1 vote and are now subject to a public comment period. The new rules, which the Commission’s press release says are “designed to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents,” underscore the Commission’s emphasis on cybersecurity reporting and disclosure issues.
The SEC’s March 9, 2022 press release about the proposed new rules can be found here. The Commission’s two-page “fact sheet” about the new rules can be found here. The Commission’s 129-page proposing release can be found here. Cydney Posner’s March 9, 2022 post on the Cooley law firm’s PubCo blog about the proposed rules can be found here.
The SEC’s focus on cybersecurity disclosure is nothing new. The Commission’s Division of Corporate Finance released cybersecurity interpretive guidance in October 2011. The Commission itself adopted disclosure guidelines in February 2018 (as discussed here). However, as Cydney Posner noted in her blog post to which I linked above, since the 2018 guidance release, “concern has been mounting that company responses to that guidance have been inconsistent, not comparable and not decision-useful.”
In the interim, the agency has made it clear through its enforcement actions that cybersecurity disclosure is an area of focus and priority. For example, as discussed here, in June 2021, the SEC announced that it had settled charges that the cybersecurity disclosure controls and procedures of First American, a title insurance company, violated the agency’s public company reporting requirements. And as discussed here, in August 2021, the SEC announced that it had filed settled charges against the U.K. educational publishing and services company Pearson plc, alleging that the company misled investors about a 2018 data breach.
The Proposed Rules
The proposed new rules address two categories of reporting and disclosure. First, the proposed rules address incident disclosure requirements. Second, the proposed rules address risk management and governance disclosure requirements.
With respect to incident disclosure requirements, the proposed rules require reporting companies to disclose information in a filing on Form 8-K about a material cybersecurity incident within four business days after the company determines that it has experienced a material cybersecurity incident. The proposed rules also require reporting companies to provide updated disclosure relating to previously disclosed cybersecurity incidents, and further require companies to disclose, to the extent known to management, when a series of previously undisclosed individual immaterial cybersecurity incidents had become material in the aggregate.
With respect to risk management and governance disclosure, the proposed rules set out a number of additional requirements; the proposed rules require a reporting company to:
- describe its policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether the company considers cybersecurity as part of its business strategy, financial planning, and capital allocation;
- disclose its board’s oversight of cybersecurity risk and management’s role and expertise in assessing and managing cybersecurity risk and implementing the company’s cybersecurity policies, procedures, and strategies;
- provide disclosure regarding board member cybersecurity expertise.
Commissioner Hester Peirce dissented from the proposal, saying that “While the management of cybersecurity expertise into corporate decision-making likely is a prudent business decision for nearly all companies, whether, how, and when to do so should be left to business – not SEC – judgment.” She added that the governance disclosure requirements “embody an unprecedented micromanagement by the Commission of the composition and functioning of both boards of directors and management of public companies.”
The proposed rules are subject to a public comment period of 60 days following the publication of the proposed rules release on the SEC’s website or 30 days following publication of the proposed release in the Federal Register, whichever period is longer.
The rules set out in the release are merely proposed and not immediately effective. It remains to be seen what form the final rules will take. As I noted above, there was a sense of inevitability that the Commission would update its prior cybersecurity disclosure guidance. But notwithstanding the inevitability that new rules would be proposed, I believe there are reasons to be concerned about the new proposed guidelines.
For starters, I have concerns about the proposed rules’ incident reporting guidelines. The rules require companies to file an 8-K within four business days after the company determines that the cybersecurity incident is material. I can envision future squabbles over whether a company’s materiality determination was sufficiently timely. Reasonable minds could differ on whether a materiality determination is the right trigger, particularly given the absence of any definition of a “material cybersecurity incident.”
I also have concerns about the proposed rule requiring disclosure about board member cybersecurity expertise. To be sure, a disclosure requirement is preferable to an affirmative requirement that board composition include directors with cybersecurity expertise. However, the disclosure requirement inevitably will put pressure on boards to add directors with cybersecurity expertise. Some might well say this would be a good thing. I worry, though, about adding yet another board composition expectation. Boards are already faced with diversity requirements and requirements for financial expertise. I have also heard earnest proposals that boards should be required to include members with climate change expertise. I worry that sooner or later all of these board composition requirements could crowd out from the board room directors who have expertise in the company’s business and industry.
I am also concerned about the requirement for disclosure of a board’s “oversight” of cybersecurity risk. My concern here has to do with the increased risk in recent years of breach of the duty of oversight claims against corporate boards. I can easily foresee opportunistic plaintiffs’ lawyers alleging, with the benefit of 20-20 hindsight after a cybersecurity incident has occurred, that the company’s failure to detect or prevent the incident was contrary to the company’s representations in its board oversight disclosures.
This final point illustrates a concern I have noted in the past whenever the SEC has imposed increased disclosure obligations on reporting companies. That is, the implementation of a disclosure requirement carries with it the risk that companies later may be accused of violating the securities laws through their failure to fulfill the disclosure requirement. In other words, for me, the increased disclosure requirements embodied in the proposed rules represent a layer of increased liability risk, for companies and for their directors and officers. At a minimum, the proposed new disclosure requirements materially increase expectations for boards and for company management.