SEC’s Increased and Expanding Focus on Cybersecurity Disclosures
Where public companies are likely to see continued expansion of cyber-related enforcement activity, and practical implications of the enforcement trend.
Recent enforcement actions, proposed rule-making, and increased staffing reflect the Securities and Exchange Commission (SEC) Enforcement Division’s expanding focus on cybersecurity incidents and corresponding disclosures. While the Enforcement Division has historically focused its resources in this area on highlighting failures to disclose internal controls deficiencies, the division is now beginning to cast a wider net in its investigations and enforcement actions.
In this article, we discuss likely areas for continued expansion of cyber-related enforcement activity and practical implications for public companies. The SEC has also proposed new cybersecurity rules for investment advisers registered under the Investment Advisers Act of 1940 and investment companies registered under the Investment Company Act of 1940. See 17 CFR Parts 230, 232, 239, 270, 274, 275, and 279.
Similar to the proposed rules for public companies (which we describe in more detail below), the proposed rules for financial advisers and funds would require subject entities to (1) adopt and implement written cybersecurity policies and procedures, (2) confidentially report significant cybersecurity incidents to the SEC, and (3) disclose certain cybersecurity incidents to investors.
Recent Enforcement Activity
Cybersecurity law in the United States is currently a patchwork of state and federal laws and regulations; there is no single comprehensive enforcement regime. Each state has enacted a statute requiring disclosure of data breaches that meet certain criteria, and enforcement of these laws has historically been the province of state attorneys general. The SEC’s focus in the cybersecurity realm has historically been on ensuring that companies maintain sufficient internal controls.
Thus, SEC enforcement actions have largely centered on alleged violations of Rule 30(a) of Regulation S-P, known as the “Safeguards Rule,” which requires registered broker-dealers and investment advisers to adopt certain policies and procedures that address administrative, technical, and physical safeguards for the protection of customer data. Recent enforcement actions by the Crypto Assets and Cyber Unit suggest that the agency is shifting toward a greater focus on public disclosure of cyber incidents to investors.
For example, on August 16, 2021, the SEC filed a settled enforcement action against Pearson PLC, a publicly traded company that provides educational publishing services to schools and universities; the agency imposed a $1 million civil penalty. The SEC found that Pearson had made materially misleading statements and omissions concerning a 2018 cybersecurity incident that resulted in the theft of millions of student records containing personally identifiable information (PII).
The SEC alleged that Pearson failed to maintain disclosure controls and procedures designed to assess the materiality of improper access to student data, resulting in a failure to escalate information about the incident to senior management and others responsible for making disclosure decisions.
Also in 2021, the Division of Enforcement commenced a well-publicized enforcement sweep of hundreds of public companies that were potentially impacted by the SolarWinds data breach. Although the inquiry was voluntary, the SEC included precise requests concerning the impact of the SolarWinds compromise on each recipient, the recipient’s response to the SolarWinds compromise, and a broad request asking recipients to identify other compromises involving unauthorized access to the recipient’s computer systems by an external actor lasting longer than one day.
And in early May, further demonstrating the SEC’s increasing focus in this area, the Enforcement Division announced 20 new positions in the Crypto Assets and Cyber Unit (formerly known as the Cyber Unit).
Proposed Rule-Making
In March 2022, the SEC announced a new slate of proposed cyber-incident–related disclosure rules that would significantly increase disclosure obligations for public companies. The proposed rules would require companies to immediately disclose material cybersecurity incidents to investors, as well as to make specific and enhanced disclosures of their cybersecurity risk management, strategy, and governance.
The proposed amendments consist of two main parts: (1) mandatory immediate reporting of material cybersecurity incidents and (2) periodic reporting of the company’s cybersecurity risk management, strategy, and governance practices, as well as cybersecurity expertise at the board or executive management level.
Form 8-K rule on current reporting. Proposed new Item 1.05 of Form 8-K would require current reporting of material cybersecurity incidents. As is the case with almost all other Form 8-K items, the proposed new rule would require companies to disclose material cybersecurity incidents within four business days.
The proposed rule defines a “cybersecurity incident” as “an unauthorized occurrence on or conducted through a public company’s information systems that jeopardizes the confidentiality, integrity, or availability of a company’s information systems or any information residing therein.” (Proposed Rule at 12.)
The proposed rule states that “[w]hat constitutes materiality for purposes of the proposed cybersecurity incidents disclosure would be consistent with that set out in the numerous cases addressing materiality in the securities laws. … Information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information made available.” (Ibid at 7 (internal quotations omitted)).
In the cybersecurity context, a materiality determination will likely require both quantitative and qualitative analysis of the likelihood and potential magnitude of losses or possible future losses resulting from the incident.
The proposed rule lays out the required elements of a public disclosure, which include a brief description of the nature and scope of the incident, the effect of the incident on the company’s operations, and whether the company has remediated or is currently remediating the incident.
Form 10-K rules on annual reporting. Proposed new Item 106(b) of Regulation S-K would require companies to make significant disclosures in their Form 10-Ks concerning the company’s policies and procedures to identify and manage cybersecurity risks.
In particular, the rule would require public companies to disclose how cybersecurity risks are considered as part of the company’s business strategy and capital allocation; the steps the company has taken to prevent and detect cybersecurity incidents; and whether the company has in place certain standard policies and procedures relating to cybersecurity governance.
In addition, the proposed rules would require disclosure of a company’s cybersecurity governance at the board and management levels. The rule would require companies to disclose and identify any board member with cybersecurity expertise and provide a description of that director’s expertise.
Implications for Public Companies
The SEC’s recent enforcement activity, increased staffing, and proposed rule-making will have significant implications for public companies.
Implications of the four-day reporting requirement. While the proposed four-day reporting requirement is not yet in place and may never be, it does give a window into how Chair Gensler and his staff are thinking about appropriate timing of disclosing material cyber incidents to shareholders. Public companies should expect that the Enforcement Division will closely scrutinize the timing of such disclosures and hold companies to an exacting standard.
In Pearson, the SEC criticized the company for waiting three months to make the allegedly required disclosure. It is likely that the Enforcement Division will take the view, even if the proposed rule-making is not passed, that appropriate disclosures of cyber incidents must be made within days or weeks, not months.
As a result, senior management will need to work quickly to make a judgment whether an incident was material—in other words, whether there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or whether it would have “significantly altered the total mix of information made available” to the shareholder. Because the scope and financial impact of data breaches vary widely, there is likely to be uncertainty and disagreement surrounding the materiality standard.
In order to make timely disclosure of cyber incidents, public companies may consider putting in place an incident response plan with clear procedures for escalating and reporting any incidents, and ensuring that employees are aware of and follow that plan. Many companies already have such a policy in place, but it is worth noting that state laws generally require companies to notify affected individuals (and in some cases law enforcement) rather than shareholders. The increased burden of a public disclosure to shareholders may require companies to act more quickly in identifying, analyzing, and escalating a breach.
Implications of the cybersecurity governance disclosure requirements. The proposed amendments to Form 10-K also suggest that the SEC is seeking to encourage companies to ensure that their boards have cybersecurity expertise. By requiring companies to disclose whether any board members have cybersecurity expertise, the rules will “expose” companies where board members lack such expertise.
This may lead to criticism from shareholders and second-guessing from plaintiffs’ lawyers in the event of a cybersecurity breach that allegedly could have been prevented by enhanced cybersecurity governance. In a similar vein, the proposed amendments would also require public companies to disclose whether they have a chief information security officer (CISO) and to make other public disclosures about how the company considers cybersecurity risks as part of its business strategy. These disclosures will almost certainly impact personnel and capital allocation decisions.
In her dissenting statement, SEC Commissioner Hester Peirce argued that the corporate governance disclosure requirements “embody an unprecedented micromanagement by the Commission of the composition and functioning of both the boards of directors and management of public companies.” (Dissent at 1.)
Peirce further argued that “securities regulators are not best-suited to design cybersecurity programs to be effective for all companies, in all industries, across time.” (Id. at 2.) The issues raised by Peirce may be a particular concern with respect to smaller public companies that do not collect or process large volumes of PII but nonetheless feel pressure, given the SEC’s apparent concern with the issue, to consider bringing on directors with cybersecurity expertise.
Risk of inconsistent regulatory obligations. The proposed regulations will also require companies to expend resources and attention to ensure they are complying with inconsistent disclosure obligations at the state and federal levels. The proposed amendments to Form 8-K would require companies to disclose certain types of cyber incidents that are not covered by most state data breach notification laws.
For example, generally speaking, because state data breach notification laws require companies to notify affected individuals, they are not triggered by ransomware attacks unless those attacks result in outside actors accessing or extracting personal information. However, the proposed amendments to Form 8-K would require companies to disclose all material ransomware attacks, regardless of whether they result in access to PII.
The proposed amendments also lack a “delay reporting” safe harbor, a common feature of most state data breach notification laws that permits companies to delay sending data breach notices when law enforcement determines that such notices may impede the investigation into the incident. The SEC declined to include such a provision in its proposed rule, reasoning that “[o]n balance, it is our current view that the importance of timely disclosure of cybersecurity incidents for investors would justify not providing for a reporting delay.” (Id. at 25.)
Potential for civil litigation. The proposed amendments to Forms 8-K and 10-K may also increase the risk that companies and their directors face private civil litigation arising from alleged failures to adequately disclose cybersecurity events and practices. Class-action attorneys, relying on the Commission’s position that cybersecurity events are material to shareholders, may be more likely to bring claims for alleged violations of the Exchange Act and Rule 10b-5 based on failures to disclose or timely disclose cybersecurity events and/or deficiencies.
Increased risk of further cybersecurity incidents. Finally, there is some risk that the proposed amendments to Forms 8-K and 10-K will paradoxically increase the risk of cyberattacks. As noted above, existing state data-breach notification laws largely require disclosure to a limited set of state regulators and affected individuals.
The proposed amendments to Form 8-K would require more expansive disclosure of both a company’s cybersecurity practices and cybersecurity incidents to the investing public. If these proposals become effective, companies will need to balance these disclosure requirements with the need to avoid exposing technical and business information that might help threat actors carry out attacks.
Harris Fischman is a partner, and Steven Herzog is counsel, at Paul, Weiss, Rifkind, Wharton & Garrison. Emily M. Glavin, an associate at the firm, assisted in the preparation of this article.
From: New York Law Journal