On March 9, 2022, the U.S. Securities and Exchange Commission proposed its first rules on companies’ disclosure obligations related to cybersecurity. In the SEC’s words, the proposed rules “are intended to better inform investors about a [company’s] risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents.” Together with the SEC’s proposed climate risk disclosure rules and expected rules on human capital management, the SEC has put forward one of the most significant expansions and modernizations of US public companies’ disclosure obligations in decades.

We encourage all interested clients to review the proposed rules and consider commenting on them. Comments are due by May 9, 2022.

Background

The growing importance of cybersecurity is widely recognized. As the SEC puts it, “[i]n today’s digitally connected world, cybersecurity threats and incidents pose an ongoing and escalating risk to public companies, investors, and market participants.” The costs of responding to cybersecurity incidents are also growing. These costs include not just the business interruption and other direct consequences of a hack or accidental exposure of data (potentially including ransom, remediation, reputational damage and litigation costs), but also the costs of preventive measures, such as protective technology and employee training.

Over the last decade, the SEC has issued guidance to companies on several occasions reminding them of their disclosure obligations related to cybersecurity risks and incidents. In light of the growing importance of this issue and inconsistency in disclosure practices under the guidance, the SEC has now determined to propose rules that would expand and enhance the timeliness and uniformity of companies’ disclosures on these issues.

The Proposed Rules

The proposed rules address both cybersecurity incidents and companies’ risk management practices and governance.

Cybersecurity Incident Reporting

The proposed rules would require current reporting of material cybersecurity incidents. Using Form 8-K, companies would have to disclose information about material cybersecurity incidents within four business days of determining that such an incident occurred. For each incident, companies would have to explain:

  • When the incident was discovered and whether it is ongoing;
  • A brief description of the nature and scope of the incident;
  • Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
  • The effect of the incident on the company’s operations; and
  • Whether the company has remediated or is currently remediating the incident.

Companies would also have to provide updated disclosure concerning these incidents in their periodic reports (Forms 10-Q and 10-K). The SEC also proposes to require that companies disclose when “a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate.”

Risk Management Policies and Governance

In their annual reports, companies would have to describe their policies and procedures, if any, for identifying and managing cybersecurity risks, including whether they consider cybersecurity risks as part of their business strategy, financial planning, and capital allocation.

Companies would also have to make three types of disclosures concerning their governance of cybersecurity risks:

  • Disclosure about the board’s oversight role regarding cybersecurity risks, including whether the entire board or a board committee is responsible for the oversight of these risks and how frequently the board discusses them;
  • Disclosure – in both companies’ annual reports and proxy statements – of whether any member of the board has expertise in cybersecurity, and if so, the name of all such directors and the nature of their expertise; and
  • Disclosure of management’s role, and relevant expertise, in assessing and managing cybersecurity related risks and implementing related policies, procedures, and strategies.

The rules would generally apply to all SEC reporting companies, whether based in the United States or not, and whatever their size. The new disclosures would be made in the XBRL reporting format.

Takeaways

In our view, the proposed rules are a timely and important update to companies’ disclosure obligations. As the risks and consequences of these incidents rise, companies and their boards have become increasingly focused on cybersecurity risk management. Likewise, as the SEC notes, institutional investors increasingly identify companies’ cybersecurity risk management, strategy, and governance practices as one of the most significant ESG issues they are concerned about. The proposed rules would reflect this reality and provide investors with better information about cyber incidents and companies’ cybersecurity governance and risk management practices.

As the SEC recognizes, investors need these new disclosures to “better inform their investment and voting decisions.” At Glass Lewis, we have also seen a significant uptick in our clients’ interest in ratings, data, and insights on companies’ cybersecurity practices. For this reason, Glass Lewis has partnered with BitSight, a pioneer and leader in security ratings, to include a snapshot of companies’ cybersecurity risks and practices within our Proxy Paper research reports. Leveraging the cybersecurity expertise of BitSight, Glass Lewis’ clients are now able to understand how cybersecurity issues may impact governance risks. As with the other ESG analyses and ratings we include with our research, our clients are leveraging the BitSight cybersecurity ratings as general context for their stewardship, including their decision-making process for proxy voting and engagement. By standardizing when material security incidents are disclosed and mandating that companies disclose their risk management practices and governance, the proposed cybersecurity disclosures, if adopted, would significantly enhance the information available to our clients for these purposes.

The SEC is clearly focused on cybersecurity. These proposed new disclosure requirements come on the heels of proposed new cybersecurity requirements for investment advisers and investment companies that the SEC released in February. Those rules would require advisers and funds to adopt and implement written cybersecurity policies and procedures and publicly disclose their cybersecurity risks and any significant incidents. While the SEC has an ambitious regulatory agenda, given its focus on enhancing transparency in this area, we fully expect that it will move forward with adoption of both sets of rules in the not-too-distant future.

That said, we do anticipate comments on the practical effect of some of the proposed disclosures. In particular, we expect companies to raise concerns about the consequences of mandating that material cybersecurity incidents be disclosed within four business days. To be sure, there can be a tension at times between prompt disclosure of cyber incidents and law enforcement objectives. In fact, some state laws permit a delay in public notification when law enforcement determines it would impede its investigation of a hack. As the SEC notes, its guidance addresses this issue by recognizing that, in appropriate circumstances, an ongoing investigation might affect the specifics in the company’s disclosure, rather than the disclosure itself. The SEC also seeks comment on whether delays based on law enforcement determinations should be allowed in certain, narrow circumstances. We believe that the SEC can strike an appropriate balance in these limited circumstances and that resolving this issue should not deter it from making these important improvements to companies’ disclosure obligations.

Next Steps

Comments are due by May 9, 2022. We encourage all interested parties to share their views with the SEC.

For more information on how Glass Lewis is partnering with BitSight to enhance its research offerings, please visit Glass Lewis’s BitSight cybersecurity partnership page and watch our webinar on cyber risk and governance.