Proposed Disclosure of Cybersecurity Events
Thu 10 Mar, 2022 / by C. Dirk Peterson / Client Alerts
Over the past decade, the Securities and Exchange Commission (“SEC”) and its staff have addressed cybersecurity threats and their escalating risk to commerce. Cybersecurity is routinely cited as an examination priority, and the SEC has now proposed standardized disclosure requirements for material cybersecurity events and cybersecurity protocols for public-reporting companies [Securities Exchange Act Release No. 94382 (March 9, 2022)]. The proposal is expected to provide the public with timely reporting and standardized disclosure of the risks of cybersecurity threats and information about corporate governance involving cybersecurity matters.
The SEC’s proposal applies to public companies that are required to make annual and periodic reports pursuant to the Securities Exchange Act of 1934. The requirements, if adopted, would apply to public operating companies, public holding companies of operating and financial services companies, registered investment companies, and foreign private issuers that file public reports with the SEC. The following filing documents and regulations are subject to the SEC’s proposal: (1) Form 8-K, (2) Form 10-Q, (3) Form 10-K, (4) Form 20-F, and (5) Regulations S-K and 6-K.
- Forms 8-K and 6-K
The SEC proposes to amend Form 8-K to require incident reporting within four business days of determining the materiality of any “unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein,” a “cybersecurity incident.”
The proposal is limited to disclosure of “material” events, which for these purposes applies if a reasonable investor would find the cybersecurity event important to an investment decision or if the existence of the event would significantly alter the mix of available information. Materiality is determined in the aggregate, meaning that the determination applies collectively to multiple incidental events that, in isolation, may not be material. The proposal would require disclosure of specifics about the nature of the event, the time of discovery, the extent to which the event is ongoing, the event’s effect on any data and/or operations, and the extent of remediation.
The proposal would make parallel amendments to require foreign private issuers, not expressly subject to reporting on Form 8-K, to similarly report material cybersecurity events on Form 6-K.
- Forms 10-Q, 10-K, and 20-F
The proposed amendments would require updates to material cybersecurity events previously disclosed on Form 8-K in the Form 10-Q and Form 10-K periodic reports. Similar updating would apply to foreign private issuers filing Form 20-F with the SEC.
- Corporate Governance Disclosure
The SEC proposes to amend Regulation S-K to require the disclosure of cybersecurity risk management policies, business strategies, board oversight, and board cybersecurity expertise. The disclosure would apply to policies, if any, that address cybersecurity threats to operations, theft of intellectual property, fraud, extortion, harm to customers and employees, violations of privacy laws, litigation, and reputational risk, and would extend to the diligence of third-party service providers that may themselves have cybersecurity issues.
REQUEST FOR COMMENT
The SEC published its disclosure proposal on March 9th and requested comment generally and on specific matters raised in the proposing release. The SEC’s proposing release has not yet been published in the Federal Register; comments are due within 30 days of the Federal Register publication date. McIntyre & Lemon advises clients on SEC and other regulatory matters, including assisting clients in commenting on proposals relevant to their operations. For information about this proposal or other regulatory matters, contact C. Dirk Peterson at firstname.lastname@example.org or by phone at (202) 659-3905.