The Securities and Exchange Commission will, at long last, vote next Wednesday on new rules that would require companies to make expansive new disclosures about their cybersecurity risks and the cyber incidents they suffer.
The SEC originally proposed the rules in March 2022 — and they have been a sleeper issue in SEC rulemaking while everyone has been preoccupied with the agency’s proposed rule on disclosure of greenhouse gas emissions. That GHG proposal is still lost in regulatory limbo, but the cybersecurity proposal will now see a vote next Wednesday at 10 a.m. ET.
The required disclosures would fall into two basic categories. First, companies would need to disclose their broader cybersecurity risk profile in annual reports, reviewing:
- The company’s policies and procedures to identify and manage cybersecurity risks;
- Management’s role in implementing cybersecurity policies and procedures;
- The board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk; and
- Updates about previously reported material cybersecurity incidents.
Second, and more controversially, companies would also need to file a Form 8-K disclosure with the SEC within four business days of determining that a “material cyber incident” had occurred (say, a ransomware attack), describing the nature and severity of the event.
That four-business-day window would start on the day the company determines the incident is material, not four days from when the incident itself actually happened. When the company does decide it has a material event to disclose, the proposal listed five items it would expect that disclosure to include:
- When the incident was discovered and whether it is ongoing;
- A brief description of the nature and scope of the incident;
- Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
- The effect of the incident on the registrant’s operations; and
- Whether the registrant has remediated or is currently remediating the incident.
Another interesting point: the original proposal also said companies would need to file the cybersecurity disclosure regardless of whether law enforcement was investigating the case. That is notable, since under certain circumstances law enforcement might prefer that a company keep quiet about an attack; say, a ransomware attack where law enforcement is still working with the company to claw back a ransom payment it made.
The proposed rules had this to say about that scenario:
We recognize that a delay in reporting may facilitate law enforcement investigations aimed at apprehending the perpetrators of the cybersecurity incident and preventing future cybersecurity incidents. On balance, it is our current view that the importance of timely disclosure of cybersecurity incidents for investors would justify not providing for a reporting delay.
Ummm, wow. That language would probably leave most general counsels and heads of corporate security breathing into a paper bag. Did it survive into the final rule coming up for a vote next week? We’ll find out.
We also have questions about how companies would determine materiality — especially qualitative materiality, where cyber incidents might not result in much damage or cost, but the nature of the incident might suggest that the company’s existing cybersecurity is a bunch of feckless hooey.
And let’s not forget, even questions of plain old quantitative materiality could bring new pressures upon companies; the nasty ransomware attack that Hanesbrands suffered last year is especially informative here.
Anyway, the vote is next week. Radical Compliance will follow it closely.