SEC Proposes Cyber Risk Management and Attack Disclosure Requirements
On March 9, the SEC issued rule proposals to standardize public company disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting. According to the SEC’s Fact Sheet on the proposals, “Consistent, comparable, and decision-useful disclosures would allow investors to evaluate registrants’ exposure to cybersecurity risks and incidents as well as their ability to manage and mitigate those risks and incidents.” (Separately, Congress enacted a cyber incident reporting requirement, although the law will not require public disclosure. See New Legislation Requires Cyber Incident Reporting in this Update.)
The Commission’s staff has previously issued interpretive guidance concerning disclosures that companies should make relating to cybersecurity risks and incidents. See SEC Issues Staff Guidance on Cyber Disclosure, Including the Board’s Oversight Role, March 2018 Update. However, in the Commission’s view, the resulting disclosures have been inconsistent. (For a discussion of cybersecurity disclosures, see EY Reports on the State of Cybersecurity Risk Disclosure, September-October 2021 Update). The proposed rules would in effect supersede prior guidance with specific requirements.
The proposals, which would apply to all SEC reporting companies, including both domestic and foreign companies, smaller reporting companies, and emerging growth companies, would require:
Disclosure of certain information about material cybersecurity incidents within four business days after a company determines that it has experienced a material cybersecurity incident. A cybersecurity incident would be defined as “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”
Updated disclosure in quarterly and annual filings relating to previously disclosed cybersecurity incidents and disclosures. Companies would be required to report when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate.
Disclosure regarding a company’s policies and procedures for the identification and management of risks from cybersecurity threats. This disclosure would include whether management considers cybersecurity as part of its business strategy, financial planning, and capital allocation.
Disclosure about the board’s oversight of cybersecurity risk and management’s role and expertise in assessing and managing cybersecurity risk and policies, procedures, and strategies.
Disclosure in annual reports and proxy filings regarding board member cybersecurity expertise. This disclosure would include whether the entire board or only certain board members or committees are responsible for cybersecurity risk oversight; how the board is informed about cybersecurity risks and how frequently cybersecurity risks are discussed; and whether and how the board evaluates cybersecurity risks as part of its risk management, business strategy, and financial oversight. In addition, companies would be required to disclose the name of every board member who has expertise in cybersecurity (if any), along with a description of such expertise.
Comment: Companies will need to consider how these new reporting requirements, if adopted, affect their policies and systems for collecting and evaluating information regarding cybersecurity incidents, particularly incidents that may be immaterial but that could become material when aggregated with other incidents. In addition to oversight of these systems changes, two other aspects of the proposal may affect audit committees.
Additional disclosure concerning the work of the audit committee. As noted in prior Updates, cybersecurity oversight is often – although perhaps not always appropriately – assigned to the audit committee. (For example, EY’s most recent survey of audit committee reporting found that nearly 70 percent of Fortune 100 companies disclosed that the audit committee oversees cybersecurity matters. See Slight Increases, Some Stagnation: CAQ and EY Report Cards on Audit Committee Transparency, November-December 2021 Update.) As noted above, under the SEC’s proposal, companies would be required to provide specific disclosures about the board’s oversight of cybersecurity risk. In many cases, the result will be new disclosures about the work of the audit committee, including the names of committee members with cyber expertise.
Tension between disclosure and incident response. Companies that are victims of cyber attacks may face a difficult choice. The SEC rules, if adopted, will require public disclosure of the incident and its potential consequences within four business days. On the other hand, such disclosure may jeopardize the investigation into the source of the incident, and the law enforcement agencies involved in the investigation may urge that disclosure be delayed. The audit committee or full board is likely to become involved in resolving this dilemma.