Days before the new Securities and Exchange Commission (SEC) cybersecurity disclosure rules went into effect (which FoxPointe previously discussed here) Erik Gerding, Director of Corporation Finance of the SEC, issued a statement offering some thoughts, rationale and perspective on the rules in an attempt to highlight the significant parts of the rule and address some potential misconceptions.
The new rule has two major components. Public companies will be required to disclose both material cybersecurity incidents within 72 hours on new item 1.05 of Form 8-K, and, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance. Gerding indicated several times in the statement that the main goal of these rules is to provide investors and key stakeholders with important information in a timely and consistent manner on certain risks.
Between the time that the SEC proposed the original rule in March 2022 to the time of Gerding’s statement, many have expressed frustration, confusion, and questioned the rationale of these rules. Gerding uses the beginning of his statement to offer a general rationale. “The Commission has noted that cybersecurity risks have increased alongside the ever-increasing share of economic activity that depends on electronic systems, the growth of remote work, the ability of criminals to monetize cybersecurity incidents, the use of digital payments, and the increasing reliance on third party service providers for information technology services, including cloud computing technology.” The cost of a cyber incident to both public companies and investors continues to grow at a rapid rate. In addition, cybersecurity disclosure practices have been inconsistent over the years, emphasizing the need for a standardized, improved approach. The SEC believes the final rule meets these needs and the landscape of today’s cyber world.
To help provide context on the incident disclosure portion of the rules, Gerding sought to answer three questions: what, when, and why. First, the rule requires public companies to “disclose the occurrence of a material cybersecurity incident and describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the company, including its financial condition and results of operations.” The final rule encourages public companies not to overshare information when making a disclosure, such as technical information regarding the vulnerability and response. The SEC is attempting to limit technical information in its disclosure requirements that could potential be used by malicious actors in future attacks.
Second, Gerding offers some much-needed clarification on when a material incident must be disclosed. While the final rule requires disclosure within four business days after determination that the incident is material, it is important to note that the clock does not begin to tick as soon as the incident is discovered. A public company will have time to investigate, contact additional support, either through its third parties or outside agencies, and analyze before determining an incident is material, thus beginning the four-day deadline to disclose. The final rule includes language that states a public company must determine an incidents materiality “without unreasonable delay”. In addition, the SEC noted that the four-day deadline was chosen to remain consistent with other SEC 8-K reporting requirements. The Commission further understands that all material and disclosable information may not be readily available within four business days, even after investigation. In this instance, the final rule contains instructions for a public company to issue a subsequent filing.
Finally, Gerding used the statement to highlight the importance of using a materiality standard for this rule. The rule utilizes the same definition of materiality that the SEC and the Supreme Court uses in other contexts. “The term “material,” when used to qualify a requirement for the furnishing of information as to any subject, limits the information required to those matters to which there is a substantial likelihood that a reasonable investor would attach importance in determining whether to buy or sell the securities registered.” This definition and context when considering cybersecurity incidents goes back to the needs of investors.
Regarding the Risk Management, Strategy, and Governance disclosure part of the rule, Gerding addresses some commenters concerns stating that the disclosure requirements are high level in nature, and are not meant to prescribe any required controls for public companies to implement.
The statement concludes with Gerding encouraging companies to ask further questions. The SEC’s intent is not to add another compliance “checklist” item or create “gotcha” scenarios, but rather foster open communication and transparency that investors and other companies may find useful and beneficial.
Materiality: 17 CFR § 240.12b-2 - Definitions