11 March 2022

SEC Votes To Propose New Rules For Cybersecurity Disclosure And Incident Reporting

Cooley LLP

In remarks in January before the Northwestern Pritzker School of Law's Annual Securities Regulation Institute, SEC Chair Gary Gensler addressed cybersecurity under the securities laws. (See this PubCo post.) Gensler suggested that the economic cost of cyberattacks could possibly be in the trillions of dollars, taking many forms, including denials-of-service, malware and ransomware. In addition, he said, it's a national security issue. Gensler reminded us that "cybersecurity is a team sport," and that the private sector is often on the front lines. (As reported by the NYT, that has been especially true in recent weeks, where "the war in Ukraine is stress-testing the system.") And today, according to Corp Fin Director Renee Jones, in light of the pandemic-driven trend to work from home and, even more seriously, the potential impact of horrific global events, that's more true than ever, with escalating cybersecurity risk affecting just about all reporting companies. Given the recent consternation over hacks and ransomware, as well as the rising potential for cyberattacks worldwide, it should come as no surprise that the SEC voted today, by a vote of three to one, to propose regulations "to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies." While threats have increased in number and complexity, Jones said, currently, company disclosure is not always decision-useful and is often inconsistent, not timely and hard for investors to find. What's more, some material incidents may not be reported at all. As described by Jones, the SEC approached the rulemaking from two perspectives: first, incident reporting and second, periodic disclosure regarding cybersecurity risk management, strategy and governance. 
According to SEC Chair Gary Gensler, "[o]ver the years, our disclosure regime has evolved to reflect evolving risks and investor needs....Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks....I am pleased to support this proposal because, if adopted, it would strengthen investors' ability to evaluate public companies' cybersecurity practices and incident reporting." The public comment period will be open for 60 days following publication of the proposing release on the SEC's website or 30 days following publication of the proposing release in the Federal Register, whichever period is longer.

As described in the fact sheet, the proposal would:

  • "Require current reporting about material cybersecurity incidents on Form 8-K;
  • Require periodic disclosures regarding, among other things:
    • A registrant's policies and procedures to identify and manage cybersecurity risks;
    • Management's role in implementing cybersecurity policies and procedures;
    • Board of directors' cybersecurity expertise, if any, and its oversight of cybersecurity risk; and
    • Updates about previously reported material cybersecurity incidents; and
  • Require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (Inline XBRL)."

Here are the rule proposal and the press release. I plan to publish an update to this post with more detail about the rule proposal at a later time, so stay tuned.

Of course, the SEC's concerns about cybersecurity disclosure are not new. In 2018, the SEC adopted long-awaited guidance on cybersecurity disclosure. The guidance addressed disclosure obligations under existing laws and regulations, cybersecurity policies and procedures, disclosure controls and procedures, insider trading prohibitions and Reg FD and selective disclosure prohibitions in the context of cybersecurity. The guidance built on Corp Fin's 2011 guidance on this topic (see this Cooley News Brief), adding, in particular, new discussions of policies and insider trading. While the guidance was adopted unanimously, some of the commissioners were not exactly enthused about it, viewing it as largely repetitive of the 2011 guidance—and hardly more compelling. (See this PubCo post.) Moreover, although there were improvements in disclosure following release of the guidance, concern has been mounting that company responses to that guidance have been inconsistent, not comparable and not decision-useful. The proposed amendments are intended to "better inform investors" about public companies' "risk management, strategy, and governance and to provide timely notification to investors of material cybersecurity incidents. Consistent, comparable, and decision-useful disclosures would allow investors to evaluate registrants' exposure to cybersecurity risks and incidents as well as their ability to manage and mitigate those risks and incidents."

The SEC's proposal

Incident reporting

As described in the fact sheet, the proposal would "amend Form 8-K to require registrants to disclose information about a material cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident." Similarly, the proposal would amend Form 6-K to add "cybersecurity incidents" as a reporting topic. At the meeting, Commissioner Allison Herren Lee raised the question of whether a company's determination of materiality was really the right trigger for commencement of the four-day timeframe, or whether it might be preferable to start the clock at the date of discovery or some other more defined time, to mitigate the risk of a lengthy materiality determination. She also asked whether there was an adequate definition of a "material cybersecurity incident." On the other side, Commissioner Hester Peirce viewed the incident reporting provision as "properly rooted in materiality," and constructed to "afford companies the necessary flexibility to get their arms around the magnitude of a cybersecurity incident before the four-day disclosure clock begins to run."

Under the proposal, a new Item 106(d) would be added to Reg S-K (and Item 16J(d) of Form 20-F) to require companies to update their disclosures about prior reported cybersecurity incidents and to require disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate.

Periodic disclosure regarding risk management, strategy and governance

In addition, the proposal would require "enhanced and standardized disclosure" regarding companies' "cybersecurity risk management, strategy, and governance." The proposal would add two new disclosure provisions. First, the proposal would add Item 106 to Reg S-K (and Item 16J of Form 20-F) to require companies to describe their policies and procedures for identifying and managing risks related to cybersecurity threats, including whether, and if so, how, the company takes into account cybersecurity risks as part of its business strategy, financial planning and capital allocation. Item 106 would also require disclosure about the company's cybersecurity governance, including board oversight of cybersecurity risk (such as whether and how the board committee considers cybersecurity risks as part of its business strategy, risk management and financial oversight) and how the board is informed about cybersecurity risk; and management's role in assessing and managing cybersecurity risk and in implementing the company's cybersecurity policies, procedures and strategies, including management's expertise in the "prevention, mitigation, detection, and remediation of cybersecurity incidents."

Second, the proposal would amend Item 407 of Reg S-K (and Form 20-F) to require disclosure regarding the cybersecurity expertise of any board members. The disclosure would be required in annual reports and proxy statements for the election of directors.

SideBar

There are a number of bills pending in Congress relating to cybersecurity. One of them, S. 808, the Cybersecurity Disclosure Act of 2021, was introduced by Senator Jack Reed, and would direct the SEC to require each public reporting company to disclose in its 10-K or proxy statement whether any of its directors has expertise or experience (to be defined by the SEC) in cybersecurity and to describe the nature of the expertise. If not, then the issuer must "describe what other aspects of the reporting company's cybersecurity were taken into account by any person, such as an official serving on a nominating committee, that is responsible for identifying and evaluating nominees for membership to the governing body."

At the open meeting

Peirce dissented. In her statement, Peirce contended that the proposal exceeded the SEC's limited role, "flirt[ing] with casting us as the nation's cybersecurity command center, a role Congress did not give us." In her view, the proposal goes beyond regulating companies' disclosures. Rather, while the proposed rules are

"couched in standard disclosure language, guides companies in substantive, if somewhat subtle, ways. First, the governance disclosure requirements embody an unprecedented micromanagement by the Commission of the composition and functioning of both the boards of directors and management of public companies. First, the proposal requires issuers to disclose the name of any board member who has cybersecurity expertise and as much detail as necessary to fully describe the nature of the expertise. Second, the proposal requires issuers to disclose whether they have a chief information security officer, her relevant expertise, and where she fits in the organizational chart. Third, the proposal requires granular disclosures about the interactions of management and the board of directors on cybersecurity, including the frequency with which the board considers the topic and the frequency with which the relevant experts from the board and management discuss the topic."

To Peirce, these prescriptive disclosure rules resemble "a list of expectations about what issuers' cybersecurity programs should look like and how they should operate." (Of course, this type of disclosure requirement is not a new invention and was described by the late Marty Dunn as "regulation by humiliation" back when he was at the SEC.) Although SOX required disclosure regarding audit committee expertise, Peirce said, that was mandated by Congress and was at least "directly related to the reliability of the financial statements at the heart of our disclosure system." This proposal goes beyond that by "requiring detailed disclosure about discrete subject matter expertise of directors and employees who are not necessarily executive officers or significant employees, and about the frequency of interactions between the board and management on a specific topic. While the integration of cybersecurity expertise into corporate decision-making likely is a prudent business decision for nearly all companies, whether, how, and when to do so should be left to business—not SEC—judgment."

She also viewed the proposed requirement to disclose cybersecurity policies and procedures as, again, more than a disclosure requirement, but instead an attempt to "pressure companies to consider adapting their existing policies and procedures to conform to the Commission's preferred approach, embodied in eight specific disclosure items." These detailed disclosure obligations, she contended, "will have the undeniable effect of incentivizing companies to take specific actions to avoid appearing as if they do not take cybersecurity as seriously as other companies." But, in Peirce's view, that is a subject "best left to the company's management to figure out in view of its specific challenges, subject to the checks and balances provided by the board of directors and shareholders."

While she thought the incident reporting provisions might be unnecessary in light of existing guidance, she at least considered the proposed rules to be "sensible guideposts for companies to follow in reporting material cybersecurity incidents." However, she was concerned that the proposal was "unduly dismissive of the need to cooperate with, and sometimes defer to, our partners across the federal government and state government," identifying, for example, the absence of any temporary relief in the event that law enforcement agencies believed that a delay in disclosure would facilitate recovery of stolen funds or detection of perps.

In his statement, Gensler described the proposed rulemaking as part of a natural progression of disclosure requirements in response to evolving risks:

"We've been requiring disclosure of important information from companies since the Great Depression. The basic bargain is this: Investors get to decide what risks they wish to take. Companies that are raising money from the public have an obligation to share information with investors on a regular basis. Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs. Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. The interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data are only accelerating, putting our financial accounts, investments, and private information at risk. Investors want to know more about how issuers are managing those growing risks."

All of this data that companies and others collect, he adlibbed, was akin to a "honey pot" for malefactors, and, as a result, cybersecurity incidents "happen a lot. They can have significant financial, operational, legal, and reputational impacts on public issuers." Although many companies already provide some cybersecurity disclosure, Gensler believes that this disclosure would benefit both companies and investors "if this information were required in a consistent, comparable, and decision-useful manner."

Lee, whose statement, as of this writing, has not yet been posted (so my notes will have to do), began by highlighting our increased reliance on digital technology—as evidenced by the open meeting held virtually today. Along with that growth has come an increase in prevalence of cyberattacks. These attacks, she said, have not just compromised personal information or disrupted individual business, but they also have the potential to create market-wide instability. Since the issuance of prior guidance, these risks have increased, along with concerns about under-reporting—inadequate and untimely disclosure that is short on detail. The proposed rules are intended to address these issues.

Commissioner Caroline Crenshaw observed that CEOs "have identified cybersecurity as the number one threat to business growth in the coming years. Experts have provided Congressional testimony that cyber threats are among the most significant strategic risks to our national security, economic prosperity, and public health and safety....Further, the sophistication and frequency of cyberattacks have increased. And that increase has imposed corresponding economic harms and increased expenses on companies, and their investors." She viewed the proposal as "an important step forward in addressing this growing and ever-present risk."

SideBar

Timely cybersecurity disclosure—or rather the absence thereof—has been a frequent subject of litigation recently. In June 2021, the SEC announced settled charges against a real estate settlement services company, First American Financial Corporation, for violation of the requirement to maintain adequate disclosure controls and procedures "related to a cybersecurity vulnerability that exposed sensitive customer information." According to the SEC's order, in May 2019, the company was advised by a journalist that its "EaglePro" application for sharing document images had a vulnerability that exposed "over 800 million title and escrow document images dating back to 2003, including images containing sensitive personal data such as social security numbers and financial information." That evening, the company issued a public statement and, on the next trading day, furnished a Form 8-K to the SEC. However, as it turns out, the company's information security personnel had already identified the vulnerability in a report of a manual test of the EaglePro application about five months earlier, but failed to remediate it in accordance with the company's policies. Importantly, for purposes of this case, they also failed to apprise senior executives about the report, including those responsible for making public statements, even though the information would have been "relevant to their assessment of the company's disclosure response to the vulnerability and the magnitude of the resulting risk." The company was found to have violated the requirement to maintain disclosure controls and procedures and ordered to pay a penalty of almost a half million dollars. (See this PubCo post.)

Then, in August, the SEC announced settled charges against Pearson plc, an NYSE-listed, educational publishing and services company based in London, for failure to disclose a cybersecurity breach. In this instance, it wasn't just a vulnerability—there was an actual known breach and exfiltration of private data. As described in the SEC's Order, in September 2018, Pearson was advised by one of its software manufacturers of a critical vulnerability in its software and notified of the availability of a patch to fix it. Pearson, however, failed to implement the patch. In March 2019, the company learned that a "sophisticated threat actor" used the unpatched vulnerability to access and download millions of rows of data. After the breach, Pearson implemented the patch and engaged a consultant to conduct an investigation, but "decided that it was not necessary to issue a public statement regarding the incident." Instead, Pearson mailed a notice to its customer accounts and prepared a media statement to have ready in case of media inquiry. Nor did Pearson disclose the breach in its Form 6-K risk factors, instead leaving its previous cybersecurity risk factor—which described the risk as purely hypothetical—unchanged. The SEC viewed that disclosure as misleading and imposed a civil penalty on Pearson of $1 million. (See this PubCo post.)

And speaking of hypothetical, SCOTUS has just declined to hear the appeal of the defendants in a case brought by the State of Rhode Island, as lead plaintiff, against Google LLC, its holding company Alphabet, Inc., and certain executives, alleging that the defendants failed to timely disclose certain cybersecurity defects and vulnerabilities. The district court had granted defendants' motion to dismiss the complaint, but on appeal, a three-judge panel of the 9th Circuit reversed in part, holding that the complaint "plausibly alleged" that the decision to omit information about these cybersecurity vulnerabilities "significantly altered the total mix of information available for decision-making by a reasonable investor" and that scienter—intent to deceive, manipulate or defraud—was adequately alleged. Importantly, the 9th Circuit held that the complaint contained a plausible allegation that the omission was materially misleading: its risk factor discussion of cybersecurity was framed in the hypothetical, while, it was alleged, the "hypothetical" events had in fact already come to fruition. (See this PubCo post.)

