KMK Law Corporate & Securities Blog

On March 9, 2022, the Securities and Exchange Commission (“SEC”) proposed amendments to rules to expand and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The proposed rules respond to investor concerns related to the growing prevalence of cybersecurity incidents, the increasingly sophisticated methods of cyber criminals in executing their attacks, and the susceptibility of public companies of all sizes operating in all industries to cybersecurity incidents that can stem from intentional or unintentional acts. Public companies should examine their current cybersecurity-related policies to identify any gaps between existing policies and the proposed regulations. If there are any gaps, public companies should establish clear policies and procedures related to cybersecurity incident detection and reporting to comply with the new requirements.

The proposed amendments would require current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents, among other things. The proposal also requires periodic reporting about a company’s policies and procedures to identify and manage cybersecurity risk, the board of directors’ oversight of cybersecurity risk, and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures. Further, the proposal requires annual reporting or proxy statement disclosure about the board of directors’ cybersecurity expertise, if any.

Incident Reporting on Form 8-K

In particular, a new Item 1.05 would be added to Form 8-K requiring current reporting of material cybersecurity incidents within four business days thereof. The trigger date for the disclosure requirement is the date of the materiality determination, rather than the date of discovery of the incident. Required disclosure includes:

• when the incident was discovered and whether it is ongoing;
• a brief description of the nature and scope of the incident;
• whether any data was stolen, altered, accessed or used for any other unauthorized purpose;
• the effect of the incident on the issuer’s operations; and
• whether the issuer has remediated or is currently remediating the incident.

Notably, an untimely Item 1.05 Form 8-K would not result in the loss of Form S-3 eligibility and would be covered by the safe harbor for Section 10(b) and Rule 10b-5 liability.

Periodic Reporting of Cybersecurity Updates and Director Expertise

Additionally, a new Item 106(d) of Regulation S-K would be added by the proposed amendments requiring periodic reporting of material changes, additions, or updates to information required to be disclosed pursuant to new Item 1.05 of Form 8-K for the covered period in which the material change, addition, or update occurred. Item 106(d) would also require companies to disclose when a series of previously undisclosed individually immaterial cybersecurity incidents becomes material in the aggregate. Proposed Item 106(d) also includes disclosure requirements of the companies cybersecurity risks, threats, risk management, strategy and governance related thereto.

Finally, proposed Item 407(j) of Regulation S-K would require companies to annually disclose cybersecurity expertise of directors of the company, if any. Cybersecurity expertise would remain undefined but the proposed rule would introduce criteria relevant for the determination, such as whether the director has work experience in cybersecurity, whether they director obtained a certificate or degree in cybersecurity, and whether the director has knowledge, skills or other background in cybersecurity. Any identified cybersecurity experts would have the safe harbor used for ‘audit committee financial experts’ for purposes of Section 11 liability.

The proposal passed on party lines and the comment period ends on the later of 30 days after publication in the Federal Register or May 9, 2022.