Earlier this year, the SEC published proposed rules on cybersecurity risk management, strategy, governance and incident disclosure by public companies. Although the comment period has passed, a final rule has not yet been issued. As of now, cybersecurity disclosures are encompassed within the general anti-fraud provisions, including the requirement to disclose “such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading,” as well as SEC guidance last updated in 2018 (see HERE).
The proposed amendments would require, among other things, current reporting about material cybersecurity incidents and updates about previously reported cybersecurity incidents. The proposal also would require periodic reporting about a company’s policies and procedures to identify and manage cybersecurity risks; the company’s board of directors’ oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures. The proposal would further require annual reporting or certain proxy disclosure about the board of directors’ cybersecurity expertise, if any. Cybersecurity disclosures would need to be presented in Inline XBRL (see HERE).
Cybersecurity has been an important topic for years, and will only continue to become more so as a significant and increasing amount of the world’s economic activity occurs through digital technology and electronic communications. Cyber-crimes on all levels from data breaches, ransomware, phishing, and data theft have become commonplace. Public companies of all sizes and operating in all industries are susceptible to cybersecurity incidents that can stem from intentional or unintentional acts.
Cyber-incidents can take many forms, both intentional and unintentional, and commonly include unauthorized access to information (including personal information related to customers’ accounts or credit information), data corruption, misappropriation of assets or sensitive information, or operational disruption. Attacks use increasingly complex methods, including malware, ransomware, phishing, structured query language (SQL) injections and distributed denial-of-service attacks. A cyberattack can take the form of unauthorized access or of blocking authorized access.
The purpose of a cyberattack can vary as much as the methodology used, including for financial gain such as the theft of financial assets, intellectual property or sensitive personal information on the one hand, to a vengeful or terrorist motive through business disruption on the other hand. Perpetrators may be insiders and affiliates, or third parties including cybercriminals, competitors, nation-states and “hacktivists.”
When it falls victim to a cyberattack or incident, a company will suffer direct financial and indirect negative consequences, including but not limited to:
- Remediation costs, including liability for stolen assets, costs of repairing system damage, and incentives or other costs associated with repairing customer and business relationships;
- Costs due to business interruption, decreases in production, and delays in product launches;
- Payments to meet ransom and other extortion demands;
- Increased cybersecurity protection costs to prevent both future attacks and the potential damage caused by same. These costs include organizational changes, employee training and engaging third-party experts and consultants;
- Lost revenues from unauthorized use of proprietary information and lost customers;
- Litigation and legal risks, including regulatory and private civil actions;
- Increased insurance premiums;
- Damage to the company’s competitiveness, stock price and long-term shareholder value; and
- Reputational damage.
Clearly disclosure is important and, although I am not usually a proponent of increased regulation, the SEC’s proposal on cybersecurity disclosures, including through additions to Form 8-K, makes sense.
As mentioned, there are currently no disclosure requirements in Regulation S-K or S-X that explicitly refer to cybersecurity risks or incidents; however, the SEC did issue guidance on disclosure in 2011 and again in 2018. The 2018 Interpretive Release stated that companies should consider the materiality of cybersecurity risks and incidents when preparing the disclosure required in registration statements and periodic reports (for a detailed summary of the 2018 Interpretive Release, see HERE).
The 2018 Release suggested a company consider the necessity for cybersecurity disclosure in the following areas: (i) Item 105 of Regulation S-K (Risk Factors) – cybersecurity risk factor disclosure, including risks arising in connection with acquisitions; (ii) Item 303 of Regulation S-K (Management’s Discussion and Analysis of Financial Condition and Results of Operations) – the costs of ongoing cybersecurity efforts, the costs and other consequences of cybersecurity incidents, and the risks of potential cybersecurity incidents, among other matters; (iii) Item 101 of Regulation S-K (Description of Business) – cybersecurity incidents or risks that materially affect a company’s products, services, relationships with customers or suppliers, or competitive conditions; (iv) Item 103 of Regulation S-K (Legal Proceedings) – disclosure about material pending legal proceedings that relate to cybersecurity issues; (v) Item 407 of Regulation S-K (Corporate Governance) – describe how the board administers its risk oversight function to the extent that cybersecurity risks are material to a company’s business, including a description of the nature of the board’s role in overseeing the management of such risks; and (vi) Regulation S-X Financial Disclosures – design financial reporting and control systems to provide reasonable assurance that information about the range and magnitude of the financial impacts of a cybersecurity incident would be incorporated into financial statements on a timely basis as that information becomes available.
Despite the 2018 guidance, cybersecurity disclosures, including incident reporting, remain inconsistent and often include boilerplate risk factor language.
The proposed rules would amend Form 8-K to require current disclosure of material cybersecurity incidents. The proposed rules would also add new Item 106 to Regulation S-K to require a company to: (i) provide updated disclosure in periodic reports about previously reported cybersecurity incidents; (ii) describe its policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether the company considers cybersecurity risks as part of its business strategy, financial planning, and capital allocation; and (iii) disclose the board’s oversight of cybersecurity risk, management’s role in assessing and managing such risk, management’s cybersecurity expertise, and management’s role in implementing the registrant’s cybersecurity policies, procedures, and strategies.
The proposed rule would amend Item 407 of Regulation S-K to require disclosure of whether any member of the company’s board has expertise in cybersecurity, and if so, the nature of such expertise. In addition, the proposed rules would amend Form 20-F and 6-K to require cybersecurity disclosures by foreign private issuers (FPIs).
Under the proposed rules the term “cybersecurity incident” would be defined as an unauthorized occurrence on or conducted through a company’s information systems that jeopardizes the confidentiality, integrity, or availability of a company’s information systems or any information residing therein. The SEC is proposing to define the term “information systems” as “information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of a registrant’s information to maintain or support the registrant’s operations.”
Item 1.05 of Form 8-K
The proposed rules would add Item 1.05 of Form 8-K requiring the disclosure of material cybersecurity incidents in a Form 8-K within four business days of determining that an incident is material (which may be the incident date or thereafter). To avoid undue delay, Item 1.05 would specifically require that a company “make a materiality determination regarding a cybersecurity incident as soon as reasonably practicable after discovery of the incident.” A materiality determination would be made as in all other cases: “information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information made available.”
Item 1.05 would require the disclosure of: (i) when the incident was discovered and whether it is ongoing; (ii) a brief description of the nature and scope of the incident; (iii) whether any data was stolen, altered, accessed, or used for any other unauthorized purpose; (iv) the effect of the incident on the company’s operations; and (v) whether the company has remediated or is currently remediating the incident.
The proposed rule release contains a non-exclusive list of incidents that could trigger an 8-K filing including: (i) an unauthorized incident that compromises data or violates security policies or procedures; (ii) an unauthorized incident that caused degradation, interruption, loss of control, damage to, or loss of operational technology systems; (iii) an incident where a party accesses, and steals or destroys sensitive business information, personally identifiable information, intellectual property, or information that has resulted, or may result, in a loss or liability for the company; (iv) an incident in which a malicious actor has offered to sell or has threatened to publicly disclose sensitive company data; or (v) an incident in which a malicious actor has demanded payment to restore company data that was stolen or altered.
Among the eligibility requirements to use a Form S-3 or F-3, a company must have timely filed all Exchange Act reports required by Sections 13(a), 15(d) and Section 14(a) and 14(c) materials for a period of 12 calendar months, except for reports under Item 1.01 (entry into a material definitive agreement), 1.02 (termination of a material definitive agreement), 1.04 (mine safety – reporting shutdowns and patterns of violations), 2.03 (creation of a direct financial obligation or an obligation under an off-balance sheet arrangement), 2.04 (triggering events that accelerate or increase a direct financial obligation or off-balance sheet obligation), 2.05 (costs associated with exit or disposal activities), 2.06 (material impairments), 4.02(a) (non-reliance on previously issued financial statements or related audit report where the company makes the non-reliance determination) or 5.02(e) (compensatory arrangements with certain officers) of Form 8-K. For a detailed summary of S-3 eligibility, see HERE.
The proposed rules would add an Item 1.05 8-K to the list of filings that would not result in losing S-3 eligibility. The SEC is also proposing to amend Rules 13a-11(c) and 15d-11(c) under the Exchange Act to include new Item 1.05 in the list of Form 8-K items eligible for a limited safe harbor from liability under Section 10(b) or Rule 10b-5 under the Exchange Act.
Generally, an FPI must file a Form 6-K to report or provide copies of information that the FPI: (i) makes or is required to make public under the laws of its jurisdiction of incorporation, (ii) files, or is required to file under the rules of any stock exchange, or (iii) otherwise distributes to its security holders. The proposed new rules would amend the instructions to Form 6-K to add material cybersecurity incidents to the list of events triggering a filing.
Periodic Reports (10-Q and 10-K)
The proposed rules would also add new Item 106 to Regulation S-K to require a company to include the following disclosures in its quarterly reports on Form 10-Q and annual report on Form 10-K: (i) updated disclosure about previously reported cybersecurity incidents; (ii) a description of its policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether the company considers cybersecurity risks as part of its business strategy, financial planning, and capital allocation; and (iii) disclosure about the board’s oversight of cybersecurity risk, management’s role in assessing and managing such risk, management’s cybersecurity expertise, and management’s role in implementing the registrant’s cybersecurity policies, procedures, and strategies.
Specifically, Item 106(d)(1) requires companies to disclose in their 10-Q and 10-K, any material changes, additions, or updates to information required to be disclosed pursuant to Item 1.05 of Form 8-K. In addition to updates to information previously disclosed, a company should include information that might not have been available at the time of the initial 8-K filing such as effects on operations and financial condition; potential material future impacts on operations or financial condition; changes in policies and procedures as a result of the incident; and remedial steps or plans.
Item 106(d)(2) requires companies to disclose in their 10-Q and 10-K information regarding when a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate. In this case, disclosure should include: (i) when the incidents were discovered and whether they are ongoing; (ii) a brief description of the nature and scope of such incidents; (iii) whether any data was stolen or altered; (iv) the impact of such incidents on the company’s operations and actions; and (v) whether the company has remediated or is currently remediating the incidents.
Item 106(b) would require disclosure of a company’s policies and procedures, if it has any, to identify and manage cybersecurity risks and threats, including: operational risk; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy laws and other litigation and legal risk; and reputational risk. Specific disclosure would be required of: (i) whether the company has a cybersecurity risk assessment program and if so, a description of such program; (ii) whether the company engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program; (iii) whether the company has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider, including as relates to the selection of such providers; (iv) whether the company undertakes activities to prevent, detect, and minimize effects of cybersecurity incidents; (v) whether the company has business continuity, contingency, and recovery plans in the event of a cybersecurity incident; (vi) whether previous cybersecurity incidents have informed changes in the company’s governance, policies and procedures, or technologies; (vii) whether cybersecurity related risk and incidents have affected or are reasonably likely to affect the company’s results of operations or financial condition and if so, how; and (viii) whether cybersecurity risks are considered as part of the company’s business strategy, financial planning, and capital allocation and if so, how.
Proposed Item 106(c)(1) would require disclosure of a company’s cybersecurity governance, including the board’s oversight of cybersecurity risk and a description of management’s role in assessing and managing cybersecurity risks, the relevant expertise of such management, and its role in implementing the company’s cybersecurity policies, procedures, and strategies. The rule would require disclosure of: (i) whether the entire board, specific board members or a board committee is responsible for the oversight of cybersecurity risks; (ii) the processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and (iii) whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight.
Proposed Item 106(c)(2) would require a description of management’s role in assessing and managing cybersecurity-related risks and in implementing the company’s cybersecurity policies, procedures, and strategies. This description would include, but not be limited to, the following information: (i) whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents, and the relevant expertise of such persons or members; (ii) whether the company has a designated chief information security officer, or someone in a comparable position, and if so, to whom that individual reports within the organizational chart, and the relevant expertise of any such persons; (iii) the processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents; and (iv) whether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk.
Finally, the rule proposes to amend Item 407 of Regulation S-K to require disclosure about the cybersecurity expertise of members of the board of directors of the company, if any. This disclosure would be required in the company’s annual 10-K and in any proxy or information statement related to the election of directors. The specific information required would be: (i) whether the director has prior work experience in cybersecurity, including, for example, prior experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager, or business continuity planner; (ii) whether the director has obtained a certification or degree in cybersecurity; and (iii) whether the director has knowledge, skills, or other background in cybersecurity, including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling, or business continuity planning.
Periodic Reports by Foreign Private Issuers
The proposed rule would amend Form 20-F to include the same type of disclosure as required in new proposed Item 106 and amended Item 407 discussed above.
Laura Anthony, Esq.
Anthony L.G., PLLC
A Corporate Law Firm