New cybersecurity rules from the U.S. Securities and Exchange Commission (“SEC”) set to go into effect this spring will expand reporting requirements for publicly listed companies. The changes are designed to increase transparency and make it easier for investors to assess a company’s cybersecurity policies, the cybersecurity awareness of its board of directors, and its ultimate cybersecurity risk before investing. The new rules will also require companies to make timely reports of covered cybersecurity incidents.
Corporate Governance and Policy Disclosure
Cybersecurity incidents impact all aspects of a company, including its directors and officers, employees, consumers, products, services, and investors. This widespread risk prompted the SEC to institute new reporting requirements designed to make corporations’ cybersecurity policies and procedures more accessible to stakeholders. The rules will require companies to report a significant amount of information, including whether they have a cybersecurity risk assessment program, a description of that program, their methods of assessing the security risks posed by any third-party service providers, ways in which previous cybersecurity incidents impacted their policies and governance, and activities taken to prevent or discover cybersecurity incidents.
In addition to their policies, companies will also have to report information regarding their boards of directors and those boards' exposure to cybersecurity issues. These reports should include who on the board is responsible for overseeing cybersecurity, the process by which the board is educated on cybersecurity risks, and whether the board considers cybersecurity when assessing the company's business strategy and financial oversight. Similar reports would also be required for management positions. These disclosures should include whether the company has management positions that oversee cybersecurity risk and whether it has a designated chief information officer.
The SEC’s rules will also formalize the reporting of cybersecurity incidents by amending forms such as Forms 8-K, 10-K, and 10-Q. Form 8-K will require public companies to disclose certain information related to material cybersecurity incidents within four business days. The SEC’s rules provide several examples of cybersecurity incidents, including unauthorized incidents that compromise the integrity, confidentiality, or availability of an information asset; violate internal security policies; or degrade, interrupt, or damage operational technology. The SEC has stated that the definition of cybersecurity incident should be interpreted broadly. Such an incident should be considered material if there is a substantial likelihood that a reasonable shareholder would consider the information important or significant when making an investment decision. The four-business-day deadline for disclosure is triggered once a company determines that an incident is material.
Amended Forms 10-K and 10-Q will push companies to provide periodic updates regarding previously reported cybersecurity incidents. These disclosure requirements will also give companies the opportunity to clarify the impact of the cybersecurity incident on operations and describe planned remedial measures. Companies will also have to report significant changes to previously disclosed incidents and update the SEC when an incident that was previously determined to be immaterial becomes material in the aggregate. If previously unreported incidents become material, the corporation should be prepared to disclose when the incidents were discovered, whether any data was stolen or altered, the nature of the incident, and how the incident was remediated or is being remediated.
This is one more example of the increasingly costly cybersecurity compliance obligations that businesses must meet. While cybersecurity incidents are likely inevitable at this point for most businesses, compliance with regulations and disclosure requirements is crucial. For more information and guidance on cybersecurity and related regulatory matters, please contact Partner Harris S. Freier, Esq. by email or call 973.230.2079.
Attachment: U.S. Securities and Exchange Commission FACT SHEET "Public Company Cybersecurity; Proposed Rules"