On Wednesday, March 9, the U.S. Securities and Exchange Commission (SEC) proposed a rule change that would require current and periodic reporting of material cybersecurity incidents. The rule would also require disclosures on what a company is doing to help address cybersecurity risks, such as any policies and procedures that have been implemented to identify and manage cybersecurity risks and the impact these risks have on the company's business strategy. Management's role and cybersecurity expertise would also have to be disclosed as part of the rule change.
The rule change comes in response to the rising cases of cybersecurity incidents that can significantly impact the financial performance or position of a company. It is also meant to address deficiencies in how companies disclose cybersecurity incidents based on the current interpretive guidance.
Current Disclosure Requirements
Historically, the SEC has not established disclosure requirements in Regulations S-K or S-X that specifically refer to cybersecurity incidents. Instead, interpretive guidance (the 2011 Staff Guidance and the 2018 Interpretive Release) emphasizes operating companies' obligations to disclose cybersecurity incidents and explains how existing disclosure rules can apply to them.
Despite this guidance, the SEC noticed that some cyber incidents were being reported in the media but were not being disclosed in the company's filings to the SEC. For companies that were disclosing cybersecurity incidents, the SEC found that the level of detail in the disclosures varied widely. The SEC also observed that many of the companies that did disclose cyber incidents blended those disclosures with unrelated ones, making it difficult to find, interpret, and analyze the cybersecurity-related information.
The proposed rule change will clearly define what information needs to be disclosed and ensure that these disclosures are consistent, comparable, and useful for making decisions when assessing a company's cybersecurity risk posture.
The rule proposes the following changes:
1. Amend Form 8-K to add Item 1.05 to require registrants to disclose a material cybersecurity incident within 4 business days.
2. Amend Forms 10-Q and 10-K to require registrants to provide updated disclosure relating to previously disclosed cybersecurity incidents, as specified in proposed Item 106(d) of Regulation S-K.
3. Amend Form 10-K to require disclosure specified in proposed Item 106 regarding:
a. A registrant’s policies and procedures, if any, for identifying and managing cybersecurity risks
b. A registrant’s cybersecurity governance, including the board of directors' oversight role regarding cybersecurity risks; and
c. Management’s role, and relevant expertise, in assessing and managing cybersecurity related risks and implementing related policies, procedures, and strategies.
4. Amend Item 407 of Regulation S-K to require disclosure about any member of the registrant’s board of directors that has cybersecurity expertise.
5. Amend Form 20-F to require foreign private issuers (“FPIs”) to provide cybersecurity disclosures in their annual reports filed on that form that are consistent with the disclosure proposed in the domestic forms.
6. Amend Form 6-K to add “cybersecurity incidents” as a reporting topic.
7. Require that the proposed disclosures be provided in Inline XBRL.
Although the rule addresses only disclosure requirements for cybersecurity incidents, some operational implications can be inferred.
• Documented Cybersecurity Program. Having to disclose policies, procedures, and processes implies they exist. If they do not exist, it would be in the company’s best interest to implement them. The lack of policies and procedures can certainly be a factor a potential investor will consider.
• Robust Monitoring Infrastructure. Disclosing a cybersecurity incident requires the ability to detect that an incident occurred in the first place. To detect incidents in a timely manner a company would need to have an effective monitoring infrastructure.
• Established Risk Management Program. To determine that an incident is material implies that the company has classified its assets and knows what the impact would be should an asset be involved in a cybersecurity incident. The ability to make this determination is an outcome of an established risk management program.
• Cybersecurity Expertise. The proposed rule change refers to disclosures concerning the Board's and management's level of cybersecurity expertise. This will require retaining internal or outsourced cybersecurity expertise.
Count on Friedman LLP and CyZen (Powered by Friedman)
Your Friedman LLP advisor will keep you updated on the status of this proposed rule change. Your advisor will also partner with Friedman CyZen professionals for guidance on how best to satisfy cybersecurity requirements implied by the rule change.