
SEC Proposes Mandatory Reporting About Cybersecurity Incidents

Regulatory Agencies

The Securities and Exchange Commission has released proposed rules to standardize disclosures regarding cybersecurity risk management and incident reporting by public companies.

The March 9 proposed rules for public companies come exactly a month after the SEC proposed new rules to address concerns about the cybersecurity preparedness of registered investment advisers and funds by requiring reporting of incidents, as well as implementing new recordkeeping and disclosure requirements. 

Similarly, the new public company proposal—approved on a short-handed, 3-to-1 vote, with Republican Commissioner Hester Peirce as the lone dissenter—would require reporting of material cybersecurity incidents on Form 8-K within four business days. It also would require periodic disclosures regarding, among other things: 

  • a registrant’s policies and procedures to identify and manage cybersecurity risks;
  • management’s role in implementing cybersecurity policies and procedures;
  • board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk; and 
  • updates about previously reported material cybersecurity incidents. 

In 2018, the Commission issued interpretive guidance to reinforce and expand upon staff guidance issued in 2011. While registrants’ disclosures of both material cybersecurity incidents and cybersecurity risk management and governance have improved since then, disclosure practices are inconsistent, the SEC notes.  

“Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks,” said SEC Chair Gary Gensler. And while noting that a lot of issuers already disclose information to investors, Gensler said he believes that companies and investors would benefit if this information were required in a consistent manner. “I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting,” he added.

Incident Disclosure 

With respect to disclosing incidents on Form 8-K, registrants would be required to disclose information about a material cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident. The term “cybersecurity incident” is generally described as “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” 

Regulation S-K and Form 20-F would also be amended to require registrants to provide updated disclosures relating to previously disclosed cybersecurity incidents and to require disclosure—to the extent known—when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate. 

A comment period will remain open for 60 days following publication of the proposed rule in the Federal Register.  

Peirce’s Objections

In a dissenting statement, Peirce suggested that the governance disclosure requirements appear to micromanage the composition and functioning of both the boards of directors and management of public companies. “We have an important role to play in ensuring that investors get the information they need to understand issuers’ cybersecurity risks if they are material,” she said. “This proposal, however, flirts with casting us as the nation’s cybersecurity command center, a role Congress did not give us.”

Peirce noted that the reporting of cybersecurity incidents is the proposal’s bright spot, but added that she’s not convinced the rules are necessary in light of the Commission’s 2018 guidance. She also voiced concern about the timeline of the reporting requirements with respect to the potential need to cooperate with other federal agencies and state governments.

“For example, if delaying disclosure about a material cybersecurity incident could increase the chances of recovery of stolen funds or the detection of the wrongdoers in the expert opinion of law enforcement agencies, we should consider whether temporary relief from our disclosure requirements would best protect investors,” Peirce emphasized.  
