The Securities and Exchange Commission has proposed new rules that would require all public companies to disclose much more about how they manage cybersecurity risks and to disclose “material cybersecurity incidents” to investors promptly.
The commission voted to propose the new rules on Wednesday morning — and to be clear, these are proposed new rules, not final rules going into force right now. The rules are now open for public comment for 60 days. After that the SEC will vote again to implement final rules, which may or may not resemble the proposal unveiled today.
The proposed disclosure requirements fall into two categories.
First, companies would need to file a Form 8-K disclosure with the SEC within four days of determining that a material cyber incident had occurred (say, a ransomware attack), describing the nature and severity of the event. That four-day window would start on the day the company decides the incident is material, not four days from when the incident itself actually happened.
Second, companies would need to disclose their broader cybersecurity risk profile in annual reports, reviewing:
- The company’s policies and procedures to identify and manage cybersecurity risks;
- Management’s role in implementing cybersecurity policies and procedures;
- The board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk; and
- Updates about previously reported material cybersecurity incidents.
And for you data geeks out there, all these disclosures would need to be tagged in XBRL, the computer language that allows analysts to find and compare corporate financial data more easily.
“Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors,” SEC chairman Gary Gensler said in a prepared statement. “I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.”
Digging Into Attack Disclosures
OK, more disclosure about cybersecurity sounds like a nice idea, considering how pervasive and potentially damaging cybersecurity risks are these days. For compliance officers, however, the tricky part will be recognizing when a “material” cybersecurity incident has happened. What qualifies as material under the rule proposal?
The text of the proposal is rather vague on that point. The materiality standard for cybersecurity disclosure “would be consistent with that set out in the numerous cases addressing materiality in securities law,” the release says — although that still leaves ample room for interpretation, since existing case law about materiality is (in my opinion, anyway) maddeningly imprecise.
The proposal did give some advice about materiality:
A materiality analysis is not a mechanical exercise, nor should it be based solely on a quantitative analysis of a cybersecurity incident … Even if the probability of an adverse consequence is relatively low, if the magnitude of the loss or liability is high, the incident may still be material… When a cybersecurity incident occurs, registrants would need to carefully assess whether the incident is material in light of the specific circumstances presented by applying a well-reasoned, objective approach from a reasonable investor’s perspective based on the total mix of information.
Right away, my question is how that “well-reasoned, objective approach” to materiality analysis is supposed to happen in the real world. It will involve the compliance or legal team, trying to apply existing legal standards; and the IT security team, who know the actual facts of the incident. Those two teams will need to have a productive conversation (don’t roll your eyes at me, I’m just the messenger); and you’ll need to be sure that your forensic capabilities and disclosure controls are strong enough to capture all the relevant information you need to make a decision.
Anyway, let’s say you decide you have a material event to report. Exactly what are you supposed to disclose about the attack? The proposal listed five criteria:
- When the incident was discovered and whether it is ongoing;
- A brief description of the nature and scope of the incident;
- Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
- The effect of the incident on the registrant’s operations; and
- Whether the registrant has remediated or is currently remediating the incident.
Another interesting point: as the proposal now stands, companies would need to file that cybersecurity disclosure regardless of how law enforcement might be investigating the case. That’s quite interesting, since under certain circumstances law enforcement might prefer that a company keep quiet about an attack — say, a ransomware attack, where law enforcement is still working with you to claw back a ransom payment you made.
Under existing SEC rules, the mere existence of a law enforcement investigation isn’t enough to let a company stay quiet about a material cybersecurity event. The proposed rules go even further, and require disclosure of material events regardless of any ongoing investigation:
We recognize that a delay in reporting may facilitate law enforcement investigations aimed at apprehending the perpetrators of the cybersecurity incident and preventing future cybersecurity incidents. On balance, it is our current view that the importance of timely disclosure of cybersecurity incidents for investors would justify not providing for a reporting delay.
I suspect a lot of people will have problems with that requirement, especially since many state laws allow a company to delay disclosure of a privacy breach if law enforcement is working the case. We’ll see whether this idea survives into the final rule.
To no surprise, Republican commissioner Hester Peirce voted against the proposed rules. Her complaint was that these rules will end up forcing companies to engage in specific cybersecurity practices — and while those practices might be wise, it is not the SEC’s job as a securities regulator to impose them.
“Such precise disclosure requirements look more like a list of expectations about what issuers’ cybersecurity programs should look like and how they should operate,” Peirce said in a statement. “While the integration of cybersecurity expertise into corporate decision-making likely is a prudent business decision for nearly all companies, whether, how, and when to do so should be left to business — not SEC — judgment.”
Peirce is not wrong to raise the point. The best solution would be for a dedicated cybersecurity agency such as CISA to issue clear rules, which could then apply to all businesses rather than just publicly traded companies. The political reality, however, is that the business community would flip out if CISA tried to enforce cybersecurity rules across a wide swath of industry. So is SEC action better than nothing? You tell me.
On the other side are people like Democratic commissioner Caroline Crenshaw, who has spoken about the importance of cybersecurity multiple times during her tenure. She saw the issue as more about investor protection, and the duty companies have to be clear with investors about the steps they’re taking to keep cybersecurity risks in check.
“The sophistication and frequency of cyberattacks have increased, and that increase has imposed corresponding economic harms and increased expenses on companies and their investors,” Crenshaw said in her statement. Plus, she noted, the SEC has already had cybersecurity disclosure rules on the books for years. “Despite this prior action,” she continued, “disclosures relating to cyber-security incidents are inconsistent in level of detail, time of disclosure, and placement. In other words, the ‘who, what, when, and where’ is often inconsistent and unreliable.”
Well, you have 60 days to speak your piece about which commissioner has the better point. Start typing.