SEC Proposes New Requirements for Cybersecurity Disclosures
On March 9, 2022, the SEC issued a proposed rule[1] that would require registrants to provide enhanced disclosures about “cybersecurity incidents and cybersecurity risk management, strategy, and governance.” The proposed rule addresses concerns related to the pervasive use of digital technologies, the shift to hybrid work environments, the rise in the use of cryptoassets, and the increase in illicit profits from ransomware and stolen data, all of which continue to escalate cybersecurity risk and its related cost to registrants and investors.
Cyberattacks can vary widely from company to company. They can include the theft of a company’s (or its customers’ or vendors’) financial assets, intellectual property, or sensitive information; the disruption of a company’s operations; or the targeting of companies that operate in industries responsible for critical infrastructure and national security, such as the energy and public utility industries. Costs and consequences of a cybersecurity incident may include remediation expenses, lost revenues, litigation, increased insurance premiums, reputational damage, and erosion of shareholder value. Of the nearly 600 C-suite executives surveyed in Deloitte’s 2021 Future of Cyber Survey,[2] more than 72 percent indicated that their organizations had experienced between one and ten cyber incidents or breaches in 2020 alone.
In 2011 and 2018, the SEC issued interpretive guidance[3] that did not create any new disclosure obligations but rather presented the SEC’s views on how its existing rules should be interpreted in connection with cybersecurity threats and incidents.[4] The interpretive guidance discussed the impact of cybersecurity risks and incidents on disclosure requirements for risk factors, MD&A, and the financial statements and expanded the SEC’s interpretive guidance on cybersecurity policies and controls, most notably those related to cybersecurity escalation procedures and the application of insider trading prohibitions. Further, it addressed the importance of avoiding selective disclosure as well as considering the role of the board of directors in risk oversight. See Deloitte’s February 23, 2018, Heads Up for more details about the interpretive guidance.
By contrast, the proposed rule would establish new requirements related to:
Material cybersecurity incidents, which would need to be disclosed on Form 8-K within four business days.
Disclosures in Forms 10-Q and 10-K about cybersecurity incidents previously reported on Form 8-K.
Disclosures in Form 10-K about (1) cybersecurity monitoring and risk management policies and procedures, (2) management’s role in implementing those policies and procedures, and (3) cybersecurity governance, including oversight by the board of directors.
The presentation of disclosures in Inline eXtensible Business Reporting Language (Inline XBRL).
All types of periodic SEC filers would be affected by the proposed rule, including domestic registrants, foreign private issuers,[5] smaller reporting companies, and emerging growth companies.
Initial Reporting of Material Cybersecurity Incidents
The proposed rule defines a cybersecurity incident as “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” In addition, the proposed rule broadly defines “information systems” to encompass resources owned or used by the registrant (e.g., cloud-based or hosted systems). A cybersecurity incident could occur accidentally or as a result of a deliberate attack. The proposal would amend Form 8-K to add Item 1.05, which would require a registrant to file a Form 8-K to disclose a material cybersecurity incident within four business days from the date on which the registrant determines that the incident is material (rather than from the incident’s date of occurrence or discovery).
Connecting the Dots
Although the proposed rule includes examples of cybersecurity incidents, registrants will need to use judgment to determine whether their information systems have been jeopardized. Such judgment will vary on the basis of factors such as the complexity of a registrant’s information, the importance of the information to its operations, and the nature and extent of the information residing within its systems.
Under Form 8-K as amended, a registrant would disclose the following information about the cybersecurity incident if known at the time of the filing:
When the incident was discovered and whether it is ongoing;
A brief description of the nature and scope of the incident;
Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
The effect of the incident on the registrant’s operations; and
Whether the registrant has remediated or is currently remediating the incident.
Further, a registrant should determine the materiality[6] of an incident as soon as reasonably practicable after the incident’s discovery, which may in some cases be on the same date as the incident. The materiality assessment should be objective and take into account the total mix of information, including both quantitative and qualitative factors such as, but not limited to, the probability of an adverse outcome and the potential significance of the loss.
Connecting the Dots
In its 2018 interpretive guidance, the SEC observed that a registrant’s materiality determination related to cybersecurity risks and incidents depends on the nature, extent, and potential magnitude of such risks as well as the harm that cybersecurity incidents could cause. The SEC noted that “companies generally weigh, among other things, the potential materiality of any identified risk and, in the case of incidents, the importance of any compromised information and of the impact of the incident on the company’s operations.” In some circumstances, it may be particularly challenging for a registrant to determine the materiality of a cyber incident. For example, if the registrant uses but does not own third-party resources, it may be difficult for the registrant to obtain the information it needs to make a materiality determination related to an incident involving such resources.
Under the proposal, a registrant would not be required to include a level of detail in its disclosures that could affect its incident response or remediation or reveal potential system vulnerabilities. Further, the SEC acknowledged that it is not uncommon for registrants to be involved in ongoing investigations related to an internal or external cybersecurity incident and that delaying the reporting of an incident may facilitate such investigations. However, the SEC reiterated its view expressed in the 2018 interpretive guidance that the potential benefits of delaying the reporting of such cases do not outweigh a registrant’s obligation to provide investors with timely information.
Connecting the Dots
To maintain eligibility to use Form S-3 or Form SF-3, registrants are required to be “timely filers”; that is, they must file Forms 8-K, 10-Q, and 10-K by their respective due dates. However, the proposed rule excludes from the scope of this requirement the failure to file a Form 8-K on a timely basis as a result of a material cybersecurity incident (i.e., the failure to file a Form 8-K on time related to a material cybersecurity incident may not affect a registrant’s Form S-3 or Form SF-3 eligibility).
Requirements in Periodic Reports
The proposed rule would amend Forms 10-Q and 10-K to require a registrant to update its disclosures related to material changes, additions, or revisions to previously identified and disclosed material cybersecurity incidents. Such an update would include a description of (1) any known or potential future material impacts of an incident on the registrant’s operations or status of remediation efforts or (2) how the incident contributed to subsequent changes in the registrant’s policies and procedures.
Connecting the Dots
While the proposed rule would allow registrants to update cybersecurity incident disclosures in the Form 10-K or Form 10-Q, there may be situations in which they would consider filing an amended Form 8-K because their prior disclosures have become inaccurate or misleading as a result of subsequent developments (e.g., if the incident is later found to be more serious than previously disclosed).
Further, a registrant would be required to disclose incidents that it had previously determined to be immaterial but, when considered with other immaterial incidents, are material in the aggregate. Such disclosure would need to be made in the first periodic report after the aggregate materiality determination. The proposed rule provides an example in which one malicious external actor’s multiple small attacks over time could be material when aggregated. However, such incidents could also be carried out by multiple external actors or could occur internally or accidentally. Under the proposal, disclosures should specify when the incidents were discovered, whether they are continuing, their nature, whether data was stolen or altered, the effect on operations, and the status of remediation.
Connecting the Dots
Since the definition of a cybersecurity incident refers to “any information” residing in a registrant’s information systems, the proposed rule could affect unlimited amounts of data over an indefinite period. Thus, if the proposed rule is adopted as currently drafted, a registrant may need to consider establishing policies and procedures for, among other things, (1) inventorying immaterial incidents, (2) updating the inventoried incidents as changes occur, (3) continually updating its assessment of the aggregate materiality of such incidents, and (4) retaining any information necessary to provide disclosures in case they are ultimately required. Registrants may want to consider whether their current cybersecurity monitoring infrastructure is designed to accommodate this type of assessment and reporting.
Risk Management and Strategy
The proposed rule would require a registrant to include in Form 10-K a comprehensive disclosure of its cybersecurity policies and procedures that “identify and manage cybersecurity risks and threats, including: operational risk; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy laws and other litigation and legal risk; and reputational risk.” Accordingly, a registrant may be required to disclose items such as (1) whether it has a cyber risk program and, if so, a description of it; (2) whether it engages third parties to assist with such a program; (3) its policies and procedures for identifying third-party service provider risks; (4) its actions to prevent and detect or otherwise mitigate the effects of incidents; (5) its business continuity and contingency plans; (6) whether prior incidents have contributed to changes in the organization; (7) the effect that incidents have had or are reasonably likely to have on its results of operations or financial condition; and (8) whether or how cybersecurity risks affect its business strategy, financial planning, or capital allocation.
Connecting the Dots
Registrants generally have not been required to comprehensively disclose their internal policies and procedures unless, for example, there is a material weakness in their internal control over financial reporting (ICFR). In such cases, they may often disclose the nature of the design or operating deficiency that gave rise to the material weakness, their remediation plans, and any changes in ICFR, but they would not be required to provide a detailed description of the controls themselves. Under the proposed rule, registrants may need to consider how they describe their policies and procedures to avoid giving bad actors a “road map” to potential vulnerabilities in them or in associated information systems.
The SEC notes in the proposed rule that disclosing cybersecurity risk governance from the perspective of management and the board of directors allows investors to understand how management allocates capital and prepares for cybersecurity incidents.
Disclosure of the Board’s Roles and Responsibilities
Under the proposal, registrants would be required, as applicable, to provide specific disclosures about the oversight of cybersecurity risk by the company’s board of directors. Such disclosures would include:
Whether the entire board or only certain board members or committees are responsible for cybersecurity risk oversight.
How the board is informed about cybersecurity risks and how frequently cybersecurity risks are discussed.
Whether or how the board evaluates cybersecurity risks as part of its risk management, business strategy, and financial oversight.
The name of every board member who has expertise in cybersecurity (if any) along with a description of such expertise.
Connecting the Dots
The proposed rule’s requirements related to identifying a cybersecurity expert may be viewed as similar to those associated with identifying an “audit committee financial expert” under the Sarbanes-Oxley Act[7] since both provide a list of attributes to be considered and both require the expert to be named. However, the proposed rule would require registrants to describe the cybersecurity expert’s expertise, including the individual’s knowledge, skills, and background in cybersecurity.[8] Such disclosure is generally not required for an audit committee financial expert.
Disclosure of Management’s Responsibilities
Under the proposal, registrants would have to disclose information about management’s responsibilities related to assessing and managing cybersecurity risks and executing the company’s cybersecurity policies, procedures, and strategies, including:
Whether particular management or committee personnel are responsible for preventing, detecting, mitigating, or remediating cybersecurity incidents, along with their pertinent expertise and method of sharing information with management or committees.
Whether the company has a designated chief information security officer (or similar position) and, if so, (1) a description of the individual’s relevant expertise and (2) the person to whom he or she reports within the company.
Whether and, if so, how frequently management or committees share cybersecurity risk information with the board.
Connecting the Dots
Given the current demand for qualified talent, companies may have difficulty identifying or hiring board or management personnel with the appropriate level of cybersecurity expertise. In addition to the proposal’s guidance related to disclosures about expertise, registrants seeking to identify experts with the right skills and experience may want to consider the discussion related to the evolving complexity of cyber risk in Deloitte’s 2021 Future of Cyber Survey.
The SEC is interested in feedback on the proposed rules from market participants and does not require a specific format for the submission of comments. Some commenters may choose to present their views in a narrative format without any reference to specific questions posed by the SEC, and others may choose to answer all, or only some, of the specific requests for comment. Any format is acceptable, and the SEC encourages all types of feedback. Comments on the proposed rule are due 30 days after its publication in the Federal Register or May 9, 2022, whichever is later.
In addition to those discussed previously, resources such as the following may help companies assess their approach to cyber risk, governance, and related disclosures:
Deloitte’s What’s on the Horizon for 2022?, which highlights five areas of focus for audit committees, including cyber risk oversight.
Deloitte’s and the Center for Audit Quality’s jointly published Common Threads Across Audit Committees, which provides survey results related to cybersecurity and data privacy security, identifies activities by audit committees to address increased complexity in their core responsibilities, and explores leading practices.
The Center for Audit Quality’s The Role of Auditors in Company-Prepared Cybersecurity Information: Present and Future, which (1) discusses the role of auditors with respect to cybersecurity and the audited financial statements and how such role could expand to better meet the needs of stakeholders and (2) provides questions for consideration by board members in their discussions with management and auditors.
[1] SEC Proposed Rule Release No. 33-11038, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. Note that in addition to the proposed rule discussed in this Heads Up, the SEC in February 2022 issued a proposed rule on cybersecurity risk management and incident reporting for registered investment advisers and funds.
[2] The survey, which was conducted by both Deloitte and Wakefield Research, polled executives from companies with at least $500 million in annual revenue between June 6 and August 24, 2021.
[3] CF Disclosure Guidance Topic No. 2, “Cybersecurity,” and SEC Interpretive Release No. 33-10459, Commission Statement and Guidance on Public Company Cybersecurity Disclosures.
[4] The SEC also issued an investigative report on October 16, 2018, in which it cautioned companies to consider cyber threats when they are implementing their internal accounting controls. See Deloitte’s October 30, 2018, Heads Up for more information.
[5] The proposed rules would amend Forms 20-F and 6-K to require foreign private issuers to provide disclosures that are generally consistent with those discussed herein for domestic registrants.
[6] The proposed rule indicates that the definition of “materiality” is consistent with that established by the U.S. Supreme Court in multiple cases, including TSC Industries, Inc. v. Northway, Inc. (426 U.S. 438, 449 (1976)), Basic Inc. v. Levinson (485 U.S. 224, 232 (1988)), and Matrixx Initiatives, Inc. v. Siracusano (563 U.S. 27 (2011)). Thus, a cybersecurity incident is considered material if (1) “‘there is a substantial likelihood that a reasonable shareholder would consider [the information] important’” in making an investment decision or (2) disclosure of the information would have been viewed by the reasonable investor as having “significantly altered the ‘total mix’ of information made available.”
[7] See SEC Rule Release No. 33-8177, Disclosure Required by Sections 406 and 407 of the Sarbanes-Oxley Act of 2002.
[8] For example, it would require registrants to disclose whether the director has a background in “areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling, or business continuity planning.”