Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Issuing agencies
Securities and Exchange Commission
Abstract
The Securities and Exchange Commission ("Commission") is proposing rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. Specifically, we are proposing amendments to require current reporting about material cybersecurity incidents. We are also proposing to require periodic disclosures about a registrant's policies and procedures to identify and manage cybersecurity risks, management's role in implementing cybersecurity policies and procedures, and the board of directors' cybersecurity expertise, if any, and its oversight of cybersecurity risk. Additionally, the proposed rules would require registrants to provide updates about previously reported cybersecurity incidents in their periodic reports. Further, the proposed rules would require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language ("Inline XBRL"). The proposed amendments are intended to better inform investors about a registrant's risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents.
Full Text
<html>
<head>
<title>Federal Register, Volume 87 Issue 56 (Wednesday, March 23, 2022)</title>
</head>
<body><pre>
[Federal Register Volume 87, Number 56 (Wednesday, March 23, 2022)]
[Proposed Rules]
[Pages 16590-16624]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2022-05480]
[[Page 16589]]
Vol. 87, No. 56
Wednesday, March 23, 2022
Part III
Securities and Exchange Commission
-----------------------------------------------------------------------
17 CFR Parts 229, 232, 239, et al.
Cybersecurity Risk Management, Strategy, Governance, and Incident
Disclosure; Proposed Rule
[[Page 16590]]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
17 CFR Parts 229, 232, 239, 240, and 249
[Release Nos. 33-11038; 34-94382; IC-34529; File No. S7-09-22]
RIN 3235-AM89
Cybersecurity Risk Management, Strategy, Governance, and Incident
Disclosure
AGENCY: Securities and Exchange Commission.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: The Securities and Exchange Commission (``Commission'') is
proposing rules to enhance and standardize disclosures regarding
cybersecurity risk management, strategy, governance, and cybersecurity
incident reporting by public companies that are subject to the
reporting requirements of the Securities Exchange Act of 1934.
Specifically, we are proposing amendments to require current reporting
about material cybersecurity incidents. We are also proposing to
require periodic disclosures about a registrant's policies and
procedures to identify and manage cybersecurity risks, management's
role in implementing cybersecurity policies and procedures, and the
board of directors' cybersecurity expertise, if any, and its oversight
of cybersecurity risk. Additionally, the proposed rules would require
registrants to provide updates about previously reported cybersecurity
incidents in their periodic reports. Further, the proposed rules would
require the cybersecurity disclosures to be presented in Inline
eXtensible Business Reporting Language (``Inline XBRL''). The proposed
amendments are intended to better inform investors about a registrant's
risk management, strategy, and governance and to provide timely
notification of material cybersecurity incidents.
DATES: Comments should be received on or before May 9, 2022.
ADDRESSES: Comments may be submitted by any of the following methods:
Electronic Comments
<bullet> Use the Commission's internet comment form (<a href="https://www.sec.gov/rules/submitcomments.htm">https://www.sec.gov/rules/submitcomments.htm</a>).
<bullet> Send an email to rule-comments@sec.gov. Please include File
Number S7-09-22 on the subject line; or
Paper Comments
<bullet> Send paper comments to Vanessa A. Countryman, Secretary,
Securities and Exchange Commission, 100 F Street NE, Washington, DC
20549-1090.
All submissions should refer to File Number S7-09-22. This file number
should be included on the subject line if email is used. To help the
Commission process and review your comments more efficiently, please
use only one method of submission. The Commission will post all
comments on the Commission's website (<a href="https://www.sec.gov/rules/proposed.shtml">https://www.sec.gov/rules/proposed.shtml</a>). Comments also are available for website viewing and
printing in the Commission's Public Reference Room, 100 F Street NE,
Washington, DC 20549, on official business days between the hours of 10
a.m. and 3 p.m. Operating conditions may limit access to the
Commission's public reference room. All comments received will be
posted without change. Persons submitting comments are cautioned that
we do not redact or edit personal identifying information from comment
submissions. You should submit only information that you wish to make
available publicly.
Studies, memoranda, or other substantive items may be added by the
Commission or staff to the comment file during this rulemaking. A
notification of the inclusion in the comment file of any such materials
will be made available on our website. To ensure direct electronic
receipt of such notifications, sign up through the ``Stay Connected''
option at <a href="http://www.sec.gov">www.sec.gov</a> to receive notifications by email.
FOR FURTHER INFORMATION CONTACT: Ian Greber-Raines, Special Counsel,
Office of Rulemaking, at (202) 551-3460, Division of Corporation
Finance; and, with respect to the application of the proposal to
business development companies, David Joire, Senior Special Counsel, at
(202) 551-6825 or IMOCC@sec.gov, Chief Counsel's Office, Division of
Investment Management, U.S. Securities and Exchange Commission, 100 F
Street NE, Washington, DC 20549.
SUPPLEMENTARY INFORMATION: We are proposing to amend or add the
following rules and forms:
----------------------------------------------------------------------------------------------------------------
Commission reference                                                    CFR citation (17 CFR)
----------------------------------------------------------------------------------------------------------------
Regulation S-K (17 CFR 229.10 through 229.1305)
    Items 106 and 407................................................... Sec. 229.106 and Sec. 229.407.
Regulation S-T (17 CFR 232.10 through 232.903)
    Rule 405............................................................ Sec. 232.405.
Securities Act of 1933 (``Securities Act'') \1\
    Form S-3............................................................ Sec. 239.13.
    Form SF-3........................................................... Sec. 239.45.
Securities Exchange Act of 1934 (``Exchange Act'') \2\
    Rule 13a-11......................................................... Sec. 240.13a-11.
    Rule 15d-11......................................................... Sec. 240.15d-11.
    Schedule 14A........................................................ Sec. 240.14a-101.
    Schedule 14C........................................................ Sec. 240.14c-101.
    Form 20-F........................................................... Sec. 249.220f.
    Form 6-K............................................................ Sec. 249.306.
    Form 8-K............................................................ Sec. 249.308.
    Form 10-Q........................................................... Sec. 249.308A.
    Form 10-K........................................................... Sec. 249.310.
----------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------
\1\ 15 U.S.C. 77a et seq.
\2\ 15 U.S.C. 78a et seq.
---------------------------------------------------------------------------
Table of Contents
I. Background
A. Existing Regulatory Framework and Interpretive Guidance
Regarding Cybersecurity Disclosure
B. Current Disclosure Practices
II. Proposed Amendments
A. Overview
B. Reporting of Cybersecurity Incidents on Form 8-K
1. Overview of Proposed Item 1.05 of Form 8-K
2. Examples of Cybersecurity Incidents that May Require
Disclosure Pursuant to Proposed Item 1.05 of Form 8-K
[[Page 16591]]
3. Ongoing Investigations Regarding Cybersecurity Incidents
4. Proposed Amendment to Form 6-K
5. Proposed Amendments to the Eligibility Provisions of Form S-3
and Form SF-3 and Safe Harbor Provision in Exchange Act Rules 13a-11
and 15d-11
C. Disclosure About Cybersecurity Incidents in Periodic Reports
1. Updates to Previously Filed Form 8-K Disclosure
2. Disclosure of Cybersecurity Incidents That Have Become
Material in the Aggregate
D. Disclosure of a Registrant's Risk Management, Strategy and
Governance Regarding Cybersecurity Risks
1. Risk Management and Strategy
2. Governance
3. Definitions
E. Disclosure Regarding the Board of Directors' Cybersecurity
Expertise
F. Periodic Disclosure by Foreign Private Issuers
G. Structured Data Requirements
III. Economic Analysis
A. Introduction
B. Economic Baseline
1. Current Regulatory Framework
2. Affected Parties
C. Potential Benefits and Costs of the Proposed Amendments
1. Benefits
a. Benefits to investors
(i) More Informative and More Timely Disclosure
(ii) Greater Uniformity and Comparability
b. Benefits to registrants
2. Costs
3. Indirect Economic Effects
D. Anticipated Effects on Efficiency, Competition, and Capital
Formation
E. Reasonable Alternatives
1. Website Disclosure
2. Disclosure Through Form 10-Q and Form 10-K
3. Exempt Smaller Reporting Companies
4. Modify Scope of Inline XBRL Requirement
IV. Paperwork Reduction Act
A. Summary of the Collection of Information
B. Summary of the Estimated Burdens of the Proposed Amendments
on the Collections of Information
C. Incremental and Aggregate Burden and Cost Estimates
V. Small Business Regulatory Enforcement Fairness Act
VI. Initial Regulatory Flexibility Act Analysis
A. Reasons for, and Objectives of, the Proposed Action
B. Legal Basis
C. Small Entities Subject to the Proposed Rules
D. Projected Reporting, Recordkeeping and Other Compliance
Requirements
E. Duplicative, Overlapping, or Conflicting Federal Rules
F. Significant Alternatives
Statutory Authority and Text of Proposed Rule and Form Amendments
I. Background
Public company investors and other participants in the capital
markets depend on companies' use of secure and reliable information
systems to conduct their businesses. A significant and increasing
amount of the world's economic activities occurs through digital
technology and electronic communications.\3\ In today's digitally
connected world, cybersecurity threats and incidents pose an ongoing
and escalating risk to public companies, investors, and market
participants.\4\ Cybersecurity risks have increased for a variety of
reasons, including the digitalization of registrants' operations; \5\
the prevalence of remote work, which has become even more widespread
because of the COVID-19 pandemic; \6\ the ability of cyber-criminals to
monetize cybersecurity incidents, such as through ransomware, black
markets for stolen data, and the use of crypto-assets for such
transactions; \7\ the growth of digital payments; \8\ and increasing
company reliance on third party service providers for information
technology services, including cloud computing technology.\9\ In
particular, cybersecurity
[[Page 16592]]
incidents involving third party service provider vulnerabilities are
becoming more frequent.\10\ Additionally, cyber criminals are using
increasingly sophisticated methods to execute their attacks.\11\
---------------------------------------------------------------------------
\3\ Bhaskar Chakravorti, Ajay Bhalla, & Ravi Shankar Chaturvedi,
Which Economies Showed the Most Digital Progress in 2020?, Harv.
Bus. Rev. (Dec. 18, 2020), available at <a href="https://hbr.org/2020/12/which-economies-showed-the-most-digital-progress-in-2020">https://hbr.org/2020/12/which-economies-showed-the-most-digital-progress-in-2020</a>. See
Percentage of Business Conducted Online, IBISWORLD, <a href="https://www.ibisworld.com/us/bed/percentage-of-business-conducted-online/88090/">https://www.ibisworld.com/us/bed/percentage-of-business-conducted-online/88090/</a> (last updated Jan. 13, 2022). See also U.S. Department of
Commerce, Bureau of Economic Analysis, Updated Digital Economy
Estimates--June 2021, available at <a href="https://www.bea.gov/system/files/2021-06/DE%20June%202021%20update%20for%20web%20v3.pdf">https://www.bea.gov/system/files/2021-06/DE%20June%202021%20update%20for%20web%20v3.pdf</a> (``The
digital economy accounted for 9.6 percent ($2,051.6 billion) of
current-dollar gross domestic product ($21,433.2 billion) in 2019,
according to new estimates from BEA. When compared with traditional
U.S. industries or sectors, the digital economy ranked just below
the manufacturing sector[.]'').
\4\ See Steve Morgan, Cybercrime to Cost The World $10.5
Trillion Annually By 2025, Cybercrime Magazine, (Nov. 13, 2020),
available at <a href="https://cybersecurityventures.com/cybercrime-damage-costs-10-trillion-by-2025/">https://cybersecurityventures.com/cybercrime-damage-costs-10-trillion-by-2025/</a>; Matt Powell, 11 Eye Opening Cyber
Security Statistics for 2019, CPO Magazine (June 25, 2019) available
at <a href="https://www.cpomagazine.com/tech/11-eye-opening-cyber-security-statistics-for-2019/">https://www.cpomagazine.com/tech/11-eye-opening-cyber-security-statistics-for-2019/</a> (The largest cybersecurity incidents involving
public companies took place in the last ten years.); see Michael
Hill and Dan Swinhoe, CSO, The 15 biggest data breaches of the 21st
century, available at <a href="https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html">https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html</a>; see, e.g., Commission
Statement and Guidance on Public Company Cybersecurity Disclosures
(``2018 Interpretive Release''), Release No. 33-10459 (Feb. 21,
2018) [83 FR 8166 (Feb. 26, 2018)],
available at <a href="https://www.sec.gov/rules/interp/2018/33-10459.pdf">https://www.sec.gov/rules/interp/2018/33-10459.pdf</a>
(``Companies today rely on digital technology to conduct their
business operations and engage with their customers, business
partners, and other constituencies. In a digitally connected world,
cybersecurity presents ongoing risks and threats to our capital
markets and to companies operating in all industries, including
public companies regulated by the Commission.'').
\5\ See The US Digital Trust Insights Snapshot, PwC Research
(June 2021), available at <a href="https://www.pwc.com/us/en/services/consulting/cybersecurity-risk-regulatory/library/2021-digital-trust-insights/cyber-threat-landscape.html">https://www.pwc.com/us/en/services/consulting/cybersecurity-risk-regulatory/library/2021-digital-trust-insights/cyber-threat-landscape.html</a>.
\6\ See Stephen Klemash and Jamie Smith, What companies are
disclosing about cybersecurity risk and oversight, EY (Aug. 10,
2020), available at <a href="https://www.ey.com/en_us/board-matters/what-companies-are-disclosing-about-cybersecurity-risk-and-oversight">https://www.ey.com/en_us/board-matters/what-companies-are-disclosing-about-cybersecurity-risk-and-oversight</a>
(noting ``[w]ith the COVID-19-driven accelerated shift to digital
business and massive, potentially permanent shifts to remote
working, including virtual board and executive management meetings,
cybersecurity risks are exponentially greater.''). See Navigating
Cyber 2021, FS-ISAC, available at <a href="https://www.fsisac.com/navigatingcyber2021-report">https://www.fsisac.com/navigatingcyber2021-report</a>. See also Vikki Davis, Combating the
cybersecurity risks of working home, Cyber Magazine (Dec. 2, 2021),
available at <a href="https://cybermagazine.com/cyber-security/combating-cybersecurity-risks-working-home">https://cybermagazine.com/cyber-security/combating-cybersecurity-risks-working-home</a>. See also Dave Burg, Mike Maddison,
& Richard Watson, Cybersecurity: How do you rise above the waves of
a perfect storm?, The EY Glob. Info. Sec. Survey (July 22, 2021),
available at <a href="https://www.ey.com/en_us/cybersecurity/cybersecurity-how-do-you-rise-above-the-waves-of-a-perfect-storm">https://www.ey.com/en_us/cybersecurity/cybersecurity-how-do-you-rise-above-the-waves-of-a-perfect-storm</a> (in a survey of
1,000 senior cybersecurity leaders, 81% of those surveyed said that
COVID-19 forced organizations to bypass cybersecurity processes).
\7\ See Combating Ransomware: A Comprehensive Framework For
Action: Key Recommendations from the Ransomware Task Force, Inst.
for Sec. & Tech. (Apr. 2021), available at <a href="https://securityandtechnology.org/ransomwaretaskforce/report">https://securityandtechnology.org/ransomwaretaskforce/report</a> (``The
explosion of ransomware as a lucrative criminal enterprise has been
closely tied to the rise of Bitcoin and other cryptocurrencies,
which use distributed ledgers, such as blockchain, to track
transactions.''); see James Lewis, Economic Impact of Cybercrime--No
Slowing Down, at 4, CSIS (Feb. 2018) (``Monetization of stolen data,
which has always been a problem for cybercriminals, seems to have
become less difficult because of improvements in cybercrime black
markets and the use of digital currencies.''). But see Avivah Litan,
Gartner Predicts Criminal Cryptocurrency Transactions Will Drop by
30% by 2024, Gartner (Jan. 14, 2022), available at <a href="https://www.gartner.com/en/articles/gartner-predicts-criminal-cryptocurrency-transactions-will-drop-by-30-by-2024">https://www.gartner.com/en/articles/gartner-predicts-criminal-cryptocurrency-transactions-will-drop-by-30-by-2024</a> (predicting that
successful ransomware payments will drop in the near future because
of a number of developments including the transparency behind the
blockchain platforms that crypto tokens use). See also Jeff Benson,
Biden Administration Seeks to Expand Crypto Tracking to Fight
Ransomware, Decrypt, available at <a href="https://decrypt.co/72582/biden-administration-seeks-expand-crypto-tracking-fight-ransomware">https://decrypt.co/72582/biden-administration-seeks-expand-crypto-tracking-fight-ransomware</a> (noting
that law enforcement agencies are putting additional resources into
crypto-asset tracking as ``the overwhelming majority of ransomware
attackers demand Bitcoin.'').
\8\ Sumathi Bala, Rise in online payments spurs questions over
cybersecurity and privacy, CNBC (July 1, 2021), available at <a href="https://www.cnbc.com/2021/07/01/new-digital-payments-spur-questions-over-consumer-privacy-security-.html">https://www.cnbc.com/2021/07/01/new-digital-payments-spur-questions-over-consumer-privacy-security-.html</a> (``Threats over cyber security have
become a growing concern as more people turn to online payments.'').
See also Vaibhav Goel, Deepa Mahajan, Marie-Claude Nadeau, Owen
Sperling, & Stephanie Yeh, New trends in US consumer digital
payments, McKinsey & Company (Oct. 2021), available at <a href="https://www.mckinsey.com/industries/financial-services/our-insights/banking-matters/new-trends-in-us-consumer-digital-payments">https://www.mckinsey.com/industries/financial-services/our-insights/banking-matters/new-trends-in-us-consumer-digital-payments</a>.
\9\ See The Cost of Third-Party Cybersecurity Risk Management,
Ponemon Institute LLC (Mar. 2019), available at <a href="https://info.cybergrx.com/ponemon-report">https://info.cybergrx.com/ponemon-report</a> (``Third-party breaches remain a
dominant security challenge for organizations, with over 63% of
breaches linked to a third party.''); see Digital Transformation &
Cyber Risk: What You Need to Know to Stay Safe, Ponemon Sullivan
Privacy Report (June 2020), available at <a href="https://ponemonsullivanreport.com/2020/07/digital-transformation-cyber-risk-what-you-need-to-know-to-stay-safe/">https://ponemonsullivanreport.com/2020/07/digital-transformation-cyber-risk-what-you-need-to-know-to-stay-safe/</a> (although companies are
increasingly reliant on third parties, ``63% of respondents say
their organizations have difficulty ensuring there is a secure cloud
environment.''). See, e.g., Cost of Data Breach Report 2021, IBM
(July 2021), available at <a href="https://www.ibm.com/security/data-breach">https://www.ibm.com/security/data-breach</a>
(finding 15% of the initial cybersecurity attack vectors were caused
by cloud misconfiguration).
\10\ See Data Risk in the Third-Party Ecosystem: Second Annual
Study, Ponemon Institute LLC (Sept. 2017) available at <a href="https://insidecybersecurity.com/sites/insidecybersecurity.com/files/documents/sep2017/cs2017_0340.pdf">https://insidecybersecurity.com/sites/insidecybersecurity.com/files/documents/sep2017/cs2017_0340.pdf</a> (noting that ``Data breaches
caused by third parties are on the rise.''). See e.g., The Cost of
Third Party Cybersecurity Risk Management, Ponemon Institute LLC
(Mar. 2019), available at <a href="https://www.cybergrx.com/resources/research-and-insights/ebooks-and-reports/the-cost-of-third-party-cybersecurity-risk-management">https://www.cybergrx.com/resources/research-and-insights/ebooks-and-reports/the-cost-of-third-party-cybersecurity-risk-management</a> (``Over 53% of respondents have
experienced a third-party data breach in the past 2 years at an
average cost of $7.5 million.'').
\11\ See Cybersecurity: How do you rise above the waves of a
perfect storm?, supra note 6.
---------------------------------------------------------------------------
With an increase in the prevalence of cybersecurity incidents,
there is an increased risk of the effect of cybersecurity incidents on
the economy and registrants. Large-scale cybersecurity attacks can have
systemic effects on the economy as a whole, including serious effects
on critical infrastructure and national security.\12\ Public companies
of all sizes and operating in all industries are susceptible to
cybersecurity incidents that can stem from intentional or unintentional
acts.\13\ Additionally, senior management and boards of directors of
public companies have become increasingly concerned about cybersecurity
threats.\14\ In a 2019 survey, chief executive officers of the largest
200 global companies rated ```national and corporate cybersecurity' as
the number one threat to business growth and the international economy
in the next 5 or 10 years.'' \15\
---------------------------------------------------------------------------
\12\ See Cyber-Risk Oversight 2020, Key Principles and Practical
Guidance for Corporate Boards (2020), NACD, available at <a href="http://isalliance.org/wp-content/uploads/2020/02/RD-3-2020_NACD_Cyber_Handbook__WEB_022020.pdf">http://isalliance.org/wp-content/uploads/2020/02/RD-3-2020_NACD_Cyber_Handbook__WEB_022020.pdf</a> (``According to the Global
Risks Report 2019, business leaders in advanced economies rank
cyberattacks among their top concerns. A serious attack can destroy
not only a company's financial health but also have systemic effects
causing harm to the economy as a whole and even national
security.''). See also The Cost of Malicious Cyber Activity to the
U.S. Economy (Feb. 16, 2018), White House Council of Econ. Advisers,
available at <a href="https://trumpwhitehouse.archives.gov/wp-content/uploads/2018/02/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf">https://trumpwhitehouse.archives.gov/wp-content/uploads/2018/02/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf</a> (``An attack [can] have significant spillover effects to
corporate partners, customers, and suppliers.'') and Testimony of
Robert Kolasky, Director, National Risk Management Center,
Cybersecurity and Infrastructure Security Agency (CISA), Securing
U.S. Surface Transportation from Cyber Attacks, U.S. House of
Representatives, Committee on Homeland Security (Feb. 26, 2019),
available at <a href="https://www.congress.gov/116/meeting/house/108931/witnesses/HHRG-116-HM07-Wstate-KolaskyB-20190226.pdf">https://www.congress.gov/116/meeting/house/108931/witnesses/HHRG-116-HM07-Wstate-KolaskyB-20190226.pdf</a>. See also Exec.
Order No. 14028, Improving the Nation's Cybersecurity, (May 12,
2021), 86 FR 26633, available at <a href="https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/">https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/</a>.
\13\ See Economic Report of the President: Together with The
Annual Report of the Council of Economic Advisers, (Mar. 2019),
available at <a href="https://www.govinfo.gov/content/pkg/ERP-2019/pdf/ERP-2019.pdf">https://www.govinfo.gov/content/pkg/ERP-2019/pdf/ERP-2019.pdf</a> (``Drawing on new data, we document that cyber
vulnerabilities are quite prevalent--even in Fortune 500 companies
with significant resources at their disposal.'').
\14\ NACD, Cyber-Risk Oversight 2020, Key Principles and
Practical Guidance for Corporate Boards, supra note 12.
\15\ See EY CEO Imperative Study 2019, July 2019, available at
<a href="https://assets.ey.com/content/dam/ey-sites/ey-com/en_gl/topics/growth/ey-ceo-imperative-exec-summ-single-spread-final.pdf">https://assets.ey.com/content/dam/ey-sites/ey-com/en_gl/topics/growth/ey-ceo-imperative-exec-summ-single-spread-final.pdf</a>.
---------------------------------------------------------------------------
The cost to companies and their investors of cybersecurity
incidents is rising and doing so at an increasing rate.\16\ The types
of costs and adverse consequences that companies may incur or
experience as a result of a cybersecurity incident include the
following:\17\
---------------------------------------------------------------------------
\16\ See Cost of Data Breach Report 2021, IBM Security (July
2021), available at <a href="https://www.ibm.com/security/data-breach">https://www.ibm.com/security/data-breach</a> (``The
average total cost of a data breach increased by nearly 10% year
over year, the largest single year cost increase in the last seven
years.'').
\17\ See e.g., 2018 Interpretive Release; and Shinichi Kamiya,
Jun-Koo Kang, Jungmin Kim, Andreas Milidonis, & Rene M. Stulz, Risk
management, firm reputation, and the impact of successful
cyberattacks on target firms, 139 J. of Fin. Econ. at 747, 749
(2021).
---------------------------------------------------------------------------
<bullet> Costs due to business interruption, decreases in
production, and delays in product launches;
<bullet> Payments to meet ransom and other extortion demands;
<bullet> Remediation costs, such as liability for stolen assets or
information, repairs of system damage, and incentives to customers or
business partners in an effort to maintain relationships after an
attack;
<bullet> Increased cybersecurity protection costs, which may
include increased insurance premiums and the costs of making
organizational changes, deploying additional personnel and protection
technologies, training employees, and engaging third-party experts and
consultants;
<bullet> Lost revenues resulting from intellectual property theft
and the unauthorized use of proprietary information or the failure to
retain or attract customers following an attack;
<bullet> Litigation and legal risks, including regulatory actions
by state and federal governmental authorities and non-U.S. authorities;
<bullet> Harm to employees and customers, violation of privacy
laws, and reputational damage that adversely affects customer or
investor confidence; and
<bullet> Damage to the company's competitiveness, stock price, and
long-term shareholder value.
As indicated by the examples enumerated above, the potential costs
and damage that can stem from a material cybersecurity incident are
extensive. Many smaller companies have been targets of cybersecurity
attacks so severe that the companies have gone out of business as a
result.\18\ These direct and indirect financial costs can negatively
impact stock prices,\19\ as well as short-term and long-term
shareholder value. To mitigate the potential costs and damage that can
result from a material cybersecurity incident, management and boards of
directors may establish and maintain effective risk management
strategies to address cybersecurity risks.\20\
---------------------------------------------------------------------------
\18\ See Testimony of Dr. Jane LeClair, Chief Operating Officer,
National Cybersecurity Institute at Excelsior College, before the
U.S. House of Representatives Committee on Small Business (Apr. 22,
2015), available at <a href="http://docs.house.gov/meetings/SM/SM00/20150422/103276/HHRG-114-SM00-20150422-SD003-U4.pdf">http://docs.house.gov/meetings/SM/SM00/20150422/103276/HHRG-114-SM00-20150422-SD003-U4.pdf</a> (``Fifty percent of
[small businesses] SMB's have been the victims of cyber attack and
over 60 percent of those attacked go out of business. Often SMB's do
not even know they have been attacked until it is too late.'').
\19\ See infra note 101, section III.A.
\20\ See NACD, Cyber-Risk Oversight 2020, Key Principles and
Practical Guidance for Corporate Boards, supra note 12.
---------------------------------------------------------------------------
Recent research suggests that cybersecurity is among the most
critical governance-related issues for investors, especially U.S.
investors.\21\ Some
[[Page 16593]]
investors have been seeking information regarding registrants'
cybersecurity risk management, strategy, and governance practices,\22\
and there is evidence that the disclosure of cybersecurity incidents
can affect both a registrant's reputation and its share price.\23\
There may also be a positive correlation between a registrant's stock
price and investments in certain cybersecurity technology.\24\ Thus,
whether and how a registrant is managing cybersecurity risks could
impact an investor's return on investment and would be decision-useful
information for an investor's investment considerations.
---------------------------------------------------------------------------
\21\ 2019 Responsible Investing Survey Key Findings, RBC Glob.
Asset Mgmt. (2019), available at <a href="https://global.rbcgam.com/sitefiles/live/documents/pdf/rbc-gam-responsible-investing-survey-key-findings-2019.pdf">https://global.rbcgam.com/sitefiles/live/documents/pdf/rbc-gam-responsible-investing-survey-key-findings-2019.pdf</a>. This was a study developed by RBC Global
Asset Management and BlueBay Asset Management LLP and distributed to
a range of constituencies including institutional asset owners,
consultants, clients, P&I Research Advisory Panel members, and
members of the Pensions & Investment database. Study participants
included individuals in Canada, Europe, Asia, and the United States.
Two thirds of all respondents identified cybersecurity as an issue
they were concerned about. The percentages were higher for the U.S.,
where out of all the environmental, social, and governance
(``ESG'')-issues, the highest percentage of respondents ranked
cybersecurity as the most concerning issue. See also J.P. Morgan
Global Research, Why is Cybersecurity Important to ESG Frameworks?,
J.P. Morgan Glob. Rsch. (Aug. 19, 2021), available at <a href="https://www.jpmorgan.com/insights/research/why-is-cybersecurity-important-to-esg">https://www.jpmorgan.com/insights/research/why-is-cybersecurity-important-to-esg</a>. See also Cyber security: Don't report on ESG without it
(2021), kpmg, available at <a href="https://advisory.kpmg.us/articles/2021/cyber-security-report-on-esg.html">https://advisory.kpmg.us/articles/2021/cyber-security-report-on-esg.html</a>.
\22\ See Harvard Law School Forum on Corporate Governance Blog,
posted by Steve W. Klemash, Jamie C. Smith, and Chuck Seets, What
Companies are Disclosing About Cybersecurity Risk and Oversight,
(posted Aug. 25, 2020) available at <a href="https://corpgov.law.harvard.edu/2020/08/25/what-companies-are-disclosing-about-cybersecurity-risk-and-oversight">https://corpgov.law.harvard.edu/2020/08/25/what-companies-are-disclosing-about-cybersecurity-risk-and-oversight</a> (``Because the threat of a breach cannot be
eliminated, some investors stressed that they are particularly
interested in resiliency, including how (and how quickly) companies
are detecting and mitigating cybersecurity incidents. Some are
asking their portfolio companies about specific cybersecurity
practices, such as whether the company has had an independent
assessment of its cybersecurity program, and some are increasingly
focusing on data privacy and whether companies are adequately
identifying and addressing related consumer concerns and expanding
regulatory requirements.'').
\23\ See Shinichi Kamiya, Jun-Koo Kang, Jungmin Kim, Andreas
Milidonis, & Rene M. Stulz, Risk management, firm reputation, and
the impact of successful cyberattacks on target firms, 139 J. of
Fin. Econ. at 747, 749 (2021); Georgios Spanos, and Lefteris
Angelis, The Impact of Information Security Events to the Stock
Market: A Systematic Literature Review, 58 Comput. & Sec. at 216,
226 (2016) (``Respectively, negative information security events, as
the security breaches, have a negative impact to the stock price of
the breached firms in the majority of the studies.'').
\24\ Id.
---------------------------------------------------------------------------
We believe investors would benefit from more timely and consistent
disclosure about material cybersecurity incidents, because of the
potential impact that such incidents can have on the financial
performance or position of a registrant. We also believe that investors
would benefit from greater availability and comparability of disclosure
by public companies across industries regarding their cybersecurity
risk management, strategy, and governance practices in order to better
assess whether and how companies are managing cybersecurity risks. The
proposal reflects these policy goals.
Specifically, in this release, we are proposing to amend Form 8-K
to require current disclosure of material cybersecurity incidents. We
are also proposing to add new Item 106 of Regulation S-K that would
require a registrant to: (1) Provide updated disclosure in periodic
reports about previously reported cybersecurity incidents; (2) describe
its policies and procedures, if any, for the identification and
management of risks from cybersecurity threats, including whether the
registrant considers cybersecurity risks as part of its business
strategy, financial planning, and capital allocation; and (3) require
disclosure about the board's oversight of cybersecurity risk,
management's role in assessing and managing such risk, management's
cybersecurity expertise, and management's role in implementing the
registrant's cybersecurity policies, procedures, and strategies. We
also are proposing to amend Item 407 of Regulation S-K to require
disclosure of whether any member of the registrant's board has
expertise in cybersecurity, and if so, the nature of such
expertise.\25\
---------------------------------------------------------------------------
\25\ Proposed Item 407(j) of Regulation S-K.
---------------------------------------------------------------------------
A. Existing Regulatory Framework and Interpretive Guidance Regarding
Cybersecurity Disclosure
Although there are no disclosure requirements in Regulation S-K or
S-X that explicitly refer to cybersecurity risks or incidents, in light
of the increasing significance of cybersecurity incidents, over the
past decade the Commission and staff have issued interpretive guidance
concerning the application of existing disclosure and other
requirements under the federal securities laws to cybersecurity risks
and incidents. In 2011, the Division of Corporation Finance issued
interpretive guidance (``2011 Staff Guidance''), providing the
Division's views concerning operating companies' disclosure obligations
relating to cybersecurity risks and incidents.\26\
---------------------------------------------------------------------------
\26\ See CF Disclosure Guidance: Topic No. 2--Cybersecurity
(Oct. 13, 2011), available at <a href="https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm">https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm</a>.
---------------------------------------------------------------------------
In 2018, recognizing ``the frequency, magnitude and cost of
cybersecurity incidents,'' and the need for investors to be informed
about material cybersecurity risks and incidents in a timely manner,
the Commission issued interpretive guidance (``2018 Interpretive
Release'') to assist operating companies in determining when they may
be required to disclose information regarding cybersecurity risks and
incidents under existing disclosure rules.\27\ The 2018 Interpretive
Release reinforced and expanded upon the 2011 Staff Guidance and also
addressed the importance of cybersecurity policies and procedures, as
well as the application of insider trading prohibitions in the context
of cybersecurity.
---------------------------------------------------------------------------
\27\ See Commission Statement and Guidance on Public Company
Cybersecurity Disclosures, Release No. 33-10459 (Feb. 21, 2018) [83
FR 8166 (Feb. 26, 2018)], available at <a href="https://www.sec.gov/rules/interp/2018/33-10459.pdf">https://www.sec.gov/rules/interp/2018/33-10459.pdf</a>. In 2018, the Commission
also issued a Report of Investigation pursuant to Section 21(a) of
the Exchange Act regarding certain cyber-related frauds perpetrated
against public companies and related internal accounting controls
requirements. The report cautioned that public companies subject to
the internal accounting controls requirements of Exchange Act
Section 13(b)(2)(B) should consider cyber threats when implementing
their internal accounting controls. The report is based on SEC
Enforcement Division investigations that focused on business email
compromises in which perpetrators posed as company executives or
vendors and used emails to dupe company personnel into sending large
sums to bank accounts controlled by the perpetrators. See Report of
Investigation Pursuant to 21(a) of the Securities Exchange Act of
1934 Regarding Certain Cyber-Related Frauds Perpetrated Against
Public Companies and Related Internal Accounting Controls
Requirements, SEC Release No. 34-84429 (Oct. 16, 2018).
---------------------------------------------------------------------------
Specifically, the 2018 Interpretive Release stated that companies
should consider the materiality of cybersecurity risks and incidents
when preparing the disclosure required in registration statements under
the Securities Act and Exchange Act, as well as in periodic and current
reports under the Exchange Act. The 2018 Interpretive Release
identified the following existing provisions in Regulations S-K and S-X
that may require disclosure about cybersecurity risks, governance, and
incidents: \28\
---------------------------------------------------------------------------
\28\ There are corresponding provisions in Form 20-F for foreign
private issuers.
---------------------------------------------------------------------------
<bullet> Item 105 of Regulation S-K (Risk Factors) \29\--the 2018
Interpretive Release sets forth issues for companies to consider in
evaluating the need for cybersecurity risk factor disclosure, including
risks arising in connection with acquisitions.
---------------------------------------------------------------------------
\29\ See also Item 3.D of Form 20-F. Please note that Risk
Factors was designated as Regulation S-K Item 503 at the time the
2018 Interpretive Release was issued.
---------------------------------------------------------------------------
<bullet> Item 303 of Regulation S-K (Management's Discussion and
Analysis of Financial Condition and Results of Operations) \30\--the
2018 Interpretive Release discusses how the costs of ongoing
cybersecurity efforts, the costs and other consequences of
cybersecurity incidents, and the risks of potential cybersecurity
incidents, among other matters, can inform a company's management's
discussion and analysis. The 2018 Interpretive Release describes a wide
array of potential costs that may be associated with cybersecurity
issues and incidents such as loss of intellectual property and
reputational harm.
---------------------------------------------------------------------------
\30\ See also Item 5 of Form 20-F.
---------------------------------------------------------------------------
<bullet> Item 101 of Regulation S-K (Description of Business)
\31\--the 2018 Interpretive Release notes that if cybersecurity
incidents or risks materially affect a company's products,
[[Page 16594]]
services, relationships with customers or suppliers, or competitive
conditions, the company must provide appropriate disclosure.
---------------------------------------------------------------------------
\31\ See also Item 4.B of Form 20-F.
---------------------------------------------------------------------------
<bullet> Item 103 of Regulation S-K (Legal Proceedings)--the 2018
Interpretive Release explains that this item may require disclosure
about material pending legal proceedings that relate to cybersecurity
issues.
<bullet> Item 407 of Regulation S-K (Corporate Governance) \32\--
the 2018 Interpretive Release clarifies that a company must describe
how the board administers its risk oversight function to the extent
that cybersecurity risks are material to a company's business,
including a description of the nature of the board's role in overseeing
the management of such risks.
---------------------------------------------------------------------------
\32\ This disclosure also is required by Item 7 of Schedule 14A.
---------------------------------------------------------------------------
<bullet> Regulation S-X Financial Disclosures--the 2018
Interpretive Release notes the Commission's expectation that a company
would design its financial reporting and control systems to provide
reasonable assurance that information about the range and magnitude of
the financial impacts of a cybersecurity incident would be incorporated
into its financial statements on a timely basis as that information
becomes available.
The 2018 Interpretive Release also addresses the importance of a
company's adoption of disclosure controls and procedures that cause the
company to appropriately record, process, summarize, and report to
investors material information related to cybersecurity risks and
incidents.\33\ In addition, the 2018 Interpretive Release reminds
companies, their directors, officers, and other corporate insiders of
the need to comply with insider trading laws in connection with
information about cybersecurity risks and incidents, including
vulnerabilities and breaches. The 2018 Interpretive Release further
discusses disclosure obligations that companies may have under 17 CFR
243 (``Regulation FD'') in connection with cybersecurity matters. The
guidance set forth in both the 2011 Staff Guidance and the 2018
Interpretive Release would remain in place if the Commission adopts the
proposed rule amendments described in this release.
---------------------------------------------------------------------------
\33\ See supra note 4, 2018 Interpretive Release at 8167
(``Crucial to a public company's ability to make any required
disclosure of cybersecurity risks and incidents in the appropriate
timeframe are disclosure controls and procedures that provide an
appropriate method of discerning the impact that such matters may
have on the company and its business, financial condition, and
results of operations, as well as a protocol to determine the
potential materiality of such risks and incidents.'').
---------------------------------------------------------------------------
B. Current Disclosure Practices
The majority of registrants reporting material cybersecurity
incidents do so in a Form 8-K, press release, or periodic report.
Although we are unable to determine the number of material
cybersecurity incidents that either are not being disclosed or not
being disclosed in a timely manner, the staff has observed certain
cybersecurity incidents that were reported in the media but that were
not disclosed in a registrant's filings. Further, the staff in the
Division of Corporation Finance's review of Form 8-K filings, as well
as Form 10-K and Form 20-F filings, has shown that the nature of the
cybersecurity incident disclosure varies widely. In these filings,
companies provide different levels of specificity regarding the cause,
scope, impact, and materiality of cybersecurity incidents. For example,
some companies provide a materiality analysis, disclose the estimated
costs of an incident, discuss their engagement of cybersecurity
professionals, and/or explain the remedial steps they have taken or are
taking in response to a cybersecurity incident, while others do not
provide such disclosure or provide much less detail in their disclosure
on these topics.
The staff has also observed that, while the majority of registrants
that are disclosing cybersecurity risks appear to be providing such
disclosures in the risk factor section of their annual reports on Form
10-K, the disclosures are sometimes blended with other unrelated
disclosures, which makes it more difficult for investors to locate,
interpret, and analyze the information provided. Further, the staff has
observed a divergence in these disclosures by industry and that
smaller reporting companies generally provide less cybersecurity
disclosure as compared to larger registrants. One report noted a
disconnect in which the industries experiencing the most high profile
cybersecurity incidents provided disclosure with the ``least amount of
information.'' \34\ While cybersecurity risks and attacks may
disproportionately affect certain industries at different times and in
different ways, cybersecurity risks and threats may be dynamic; it is
foreseeable and perhaps even predictable that malicious actors will
adapt their strategies and target companies in any industry where there
are perceived vulnerabilities.
---------------------------------------------------------------------------
\34\ Moody's Investors Service, Research Announcement,
``Cybersecurity disclosures vary greatly in high-risk industries,''
(Oct. 3, 2019), available at <a href="https://www.moodys.com/research/Moodys-Cybersecurity-disclosures-vary-greatly-in-high-risk-industries--PBC_1196854">https://www.moodys.com/research/Moodys-Cybersecurity-disclosures-vary-greatly-in-high-risk-industries--PBC_1196854</a>.
---------------------------------------------------------------------------
Registrants' disclosures of both material cybersecurity incidents
and cybersecurity risk management and governance have improved since
the issuance of the 2011 Staff Guidance and the 2018 Interpretive
Release.\35\ Yet, current reporting may contain insufficient detail
\36\ and the staff has observed that such reporting is inconsistent,
may not be timely, and can be difficult to locate. We believe that
investors would benefit from enhanced disclosure about registrants'
cybersecurity incidents and cybersecurity risk management and
governance practices, including if the registrant's board of directors
has expertise in cybersecurity matters, and we are proposing rule
amendments to enhance disclosure in those areas.
---------------------------------------------------------------------------
\35\ Stephen Klemash and Jamie Smith, What companies are
disclosing about cybersecurity risk and oversight, EY, supra note 6
(EY researchers looked at cybersecurity-related disclosures in the
proxy statements and Form 10-K filings for the 76 ``Fortune 100''
companies that filed those documents from 2018 through May 31, 2020.
Their finding indicated that, ``[m]any companies are enhancing their
cybersecurity disclosures, with modest increases across most of the
disclosures tracked.'').
\36\ One report notes ``the average public company's cyber
disclosure contains insufficient detail for investors looking to
evaluate its risk profile and to understand which remediation
strategies, if any, it has implemented to control for the identified
risks.'' NACD et al., The State of Cyber-Risk Disclosures of Public
Companies at 3 (Mar. 2021) available at <a href="https://www.nacdonline.org/insights/publications.cfm?ItemNumber=71711">https://www.nacdonline.org/insights/publications.cfm?ItemNumber=71711</a>. This same report
contends (and cites other sources that argue) that the 2018
Interpretive Release alone has not resulted in adequate disclosures
to investors. Id. at 4.
---------------------------------------------------------------------------
We welcome feedback and encourage interested parties to submit
comments on any or all aspects of the proposed rule amendments. When
commenting, it would be most helpful if you include the reasoning
behind your position or recommendation.
II. Proposed Amendments
A. Overview
Cybersecurity risks and incidents can impact the financial
performance or position of a company. Consistent, comparable, and
decision-useful disclosures regarding a registrant's cybersecurity risk
management, strategy, and governance practices, as well as a
registrant's response to material cybersecurity incidents, would allow
investors to understand such risks and incidents, evaluate a
registrant's risk management and governance practices regarding those
risks, and better inform their investment and voting decisions.
The proposed rules would require current and periodic reporting of
[[Page 16595]]
material cybersecurity incidents. Additionally, we are proposing
amendments that would require periodic disclosures about a registrant's
policies and procedures to identify and manage cybersecurity risk,
including the impact of cybersecurity risks on the registrant's
business strategy; management's role and expertise in implementing the
registrant's cybersecurity policies, procedures, and strategies; and
the board of directors' oversight role, and cybersecurity expertise, if
any.
Specifically, we are proposing to:
<bullet> Amend Form 8-K to add Item 1.05 to require registrants to
disclose information about a cybersecurity incident within four
business days after the registrant determines that it has experienced a
material cybersecurity incident; \37\
---------------------------------------------------------------------------
\37\ Proposed Item 1.05.
---------------------------------------------------------------------------
<bullet> Amend Forms 10-Q and 10-K to require registrants to
provide updated disclosure relating to previously disclosed
cybersecurity incidents, as specified in proposed Item 106(d) of
Regulation S-K. We also propose to amend these forms to require
disclosure, to the extent known to management, when a series of
previously undisclosed individually immaterial cybersecurity incidents
has become material in the aggregate.\38\
---------------------------------------------------------------------------
\38\ Proposed Item 106(d) of Regulation S-K.
---------------------------------------------------------------------------
<bullet> Amend Form 10-K to require disclosure specified in
proposed Item 106 regarding:
[cir] A registrant's policies and procedures, if any, for
identifying and managing cybersecurity risks; \39\
---------------------------------------------------------------------------
\39\ Proposed Item 106(b) of Regulation S-K.
---------------------------------------------------------------------------
[cir] A registrant's cybersecurity governance, including the board
of directors' oversight role regarding cybersecurity risks; \40\ and
---------------------------------------------------------------------------
\40\ Proposed Item 106(c)(1) of Regulation S-K.
---------------------------------------------------------------------------
[cir] Management's role, and relevant expertise, in assessing and
managing cybersecurity related risks and implementing related policies,
procedures, and strategies.\41\
---------------------------------------------------------------------------
\41\ Proposed Item 106(c)(2) of Regulation S-K.
---------------------------------------------------------------------------
<bullet> Amend Item 407 of Regulation S-K to require disclosure
of whether any member of the registrant's board of directors has
cybersecurity expertise.\42\
---------------------------------------------------------------------------
\42\ Proposed Item 407(j).
---------------------------------------------------------------------------
<bullet> Amend Form 20-F to require foreign private issuers
(``FPIs'') \43\ to provide cybersecurity disclosures in their annual
reports filed on that form that are consistent with the disclosure that
we propose to require in the domestic forms;
---------------------------------------------------------------------------
\43\ An FPI is any foreign issuer other than a foreign
government, except for an issuer that (1) has more than 50% of its
outstanding voting securities held of record by U.S. residents; and
(2) any of the following: (i) A majority of its officers or
directors are citizens or residents of the U.S.; (ii) more than 50%
of its assets are located in the U.S.; or (iii) its business is
principally administered in the U.S. See 17 CFR 230.405. See also 17
CFR 240.3b-4(c).
---------------------------------------------------------------------------
<bullet> Amend Form 6-K to add ``cybersecurity incidents'' as a
reporting topic; and
<bullet> Require that the proposed disclosures be provided in
Inline XBRL.\44\
---------------------------------------------------------------------------
\44\ Proposed Rule 405 of Regulation S-T.
---------------------------------------------------------------------------
B. Reporting of Cybersecurity Incidents on Form 8-K
1. Overview of Proposed Item 1.05 of Form 8-K
There is growing concern that material cybersecurity incidents \45\
are underreported \46\ and that existing reporting may not be
sufficiently timely.\47\ We are proposing to address these concerns by
requiring registrants to disclose material cybersecurity incidents in a
current report on Form 8-K within four business days after the
registrant determines that it has experienced a material cybersecurity
incident.\48\
---------------------------------------------------------------------------
\45\ See infra Section II.D.3 for a discussion on the proposed
definition of ``cybersecurity incident.''
\46\ See New Study Reveals Cybercrime May Be Widely
Underreported--Even When Laws Mandate Disclosure, ISACA Press
Release (June 3, 2019), available at <a href="https://www.isaca.org/why-isaca/about-us/newsroom/press-releases/2019/new-study-reveals-cybercrime-may-be-widely-underreported-even-when-laws-mandate-disclosure">https://www.isaca.org/why-isaca/about-us/newsroom/press-releases/2019/new-study-reveals-cybercrime-may-be-widely-underreported-even-when-laws-mandate-disclosure</a>. See also Gerrit De Vynck, Many ransomware attacks go
unreported. The FBI and Congress want to change that. Wash. Post
(July 27, 2021), available at <a href="https://www.washingtonpost.com/technology/2021/07/27/fbi-congress-ransomware-laws/">https://www.washingtonpost.com/technology/2021/07/27/fbi-congress-ransomware-laws/</a> (quoting Eric
Goldstein, executive assistant director at Cybersecurity &
Infrastructure Security Agency (CISA), a federal agency created in
2018 to protect the U.S. from cyberattacks, as stating, ``[w]e
believe that only about a quarter of ransomware intrusions are
actually reported[.]'').
\47\ See also infra section III.C(1)(a).
\48\ As will be discussed in Section II.D, we propose to define
the term ``cybersecurity incident'' as an unauthorized occurrence on
or conducted through a registrant's information systems that
jeopardizes the confidentiality, integrity, or availability of a
registrant's information systems or any information residing
therein. We also propose to define the term ``information systems''
as ``information resources, owned or used by the registrant,
including physical or virtual infrastructure controlled by such
information resources, or components thereof, organized for the
collection, processing, maintenance, use, sharing, dissemination, or
disposition of a registrant's information to maintain or support the
registrant's operations.'' The definitions of ``cybersecurity
incident'' and ``information systems'' as proposed in Item 106 of
Regulation S-K would also apply to such terms as used in proposed
Item 1.05 of Form 8-K.
---------------------------------------------------------------------------
Specifically, we propose to amend Form 8-K by adding new Item 1.05
that would require a registrant to disclose the following information
about a material cybersecurity incident, to the extent the information
is known at the time of the Form 8-K filing:
<bullet> When the incident was discovered and whether it is
ongoing;
<bullet> A brief description of the nature and scope of the
incident;
<bullet> Whether any data was stolen, altered, accessed, or used
for any other unauthorized purpose;
<bullet> The effect of the incident on the registrant's operations;
and
<bullet> Whether the registrant has remediated or is currently
remediating the incident.
We believe that this information would provide timely and relevant
disclosure to investors and other market participants (such as
financial analysts, investment advisers, and portfolio managers) and
enable them to assess the possible effects of a material cybersecurity
incident on the registrant, including any long-term and short-term
financial effects or operational effects. While registrants should
provide disclosure responsive to the enumerated items to the extent
known at the time of filing of the Form 8-K, we would not expect a
registrant to publicly disclose specific, technical information about
its planned response to the incident or its cybersecurity systems,
related networks and devices, or potential system vulnerabilities in
such detail as would impede the registrant's response or remediation of
the incident.\49\
---------------------------------------------------------------------------
\49\ See also 2018 Interpretive Release at Section II.A.1. Any
material information not known or disclosable at the time of the
Form 8-K filing would need to be updated in future periodic reports
in response to proposed Item 106(d) of Regulation S-K. See
discussion infra at Section II.C.1.
---------------------------------------------------------------------------
We believe that the proposed requirement to file an Item 1.05 Form
8-K within four business days after the registrant determines that it
has experienced a material cybersecurity incident would significantly
improve the timeliness of cybersecurity incident disclosures, as well
as provide investors with more standardized and comparable
disclosures.\50\
---------------------------------------------------------------------------
\50\ If a triggering determination occurs within four business
days before a registrant's filing of a Form 10-Q or Form 10-K, the
Commission staff generally has not objected to the registrant
satisfying its Form 8-K reporting obligation by including the
disclosure in Item 5 (Other Information) of Part II of its Form 10-Q
or Item 9B (Other Information) of its Form 10-K. See SEC Division of
Corporation Finance, Exchange Act Form 8-K Compliance and Disclosure
Interpretations (updated Dec. 22, 2017), Question 1, available at
<a href="https://www.sec.gov/divisions/corpfin/form8kfaq.htm">https://www.sec.gov/divisions/corpfin/form8kfaq.htm</a>.
---------------------------------------------------------------------------
We are proposing that the trigger for an Item 1.05 Form 8-K is the
date on which a registrant determines that a cybersecurity incident it
has experienced is material, rather than the date of discovery of the
incident, so as to focus the Form 8-K disclosure on
[[Page 16596]]
incidents that are material to investors. In some cases, the date of
the registrant's materiality determination may coincide with the date
of discovery of an incident, but in other cases the materiality
determination will come after the discovery date. If we adopt the date
of the materiality determination as the Form 8-K reporting trigger, as
proposed, we expect registrants to be diligent in making a materiality
determination in as prompt a manner as feasible. To address any concern
that some registrants may delay making such a determination to avoid a
disclosure obligation, Instruction 1 to proposed Item 1.05 states: ``a
registrant shall make a materiality determination regarding a
cybersecurity incident as soon as reasonably practicable after
discovery of the incident.''
What constitutes ``materiality'' for purposes of the proposed
cybersecurity incidents disclosure would be consistent with that set
out in the numerous cases addressing materiality in the securities
laws, including: TSC Industries, Inc. v. Northway, Inc.,\51\ Basic,
Inc. v. Levinson,\52\ and Matrixx Initiatives, Inc. v. Siracusano.\53\
Information is material if ``there is a substantial likelihood that a
reasonable shareholder would consider it important'' \54\ in making an
investment decision, or if it would have ``significantly altered the
`total mix' of information made available.'' \55\ In articulating this
materiality standard, the Supreme Court recognized that ``[d]oubts as
to the critical nature'' of the relevant information ``will be
commonplace.'' But ``particularly in view of the prophylactic purpose''
of the securities laws, and ``the fact that the content'' of the
disclosure ``is within management's control, it is appropriate that
these doubts be resolved in favor of those the statute is designed to
protect,'' namely investors.\56\
---------------------------------------------------------------------------
\51\ TSC Indus. v. Northway, 426 U.S. 438, 449 (1976).
\52\ Basic Inc. v. Levinson, 485 U.S. 224, 232 (1988).
\53\ 563 U.S. 27 (2011).
\54\ TSC Indus. v. Northway, 426 U.S. at 449.
\55\ Id. See also the definition of ``material'' in Securities
Act Rule 405, 17 CFR 230.405; Exchange Act Rule 12b-2, 17 CFR
240.12b-2.
\56\ TSC Indus. v. Northway, 426 U.S. at 448.
---------------------------------------------------------------------------
A materiality analysis is not a mechanical exercise, nor should it
be based solely on a quantitative analysis of a cybersecurity incident.
Rather, registrants would need to thoroughly and objectively evaluate
the total mix of information, taking into consideration all relevant
facts and circumstances surrounding the cybersecurity incident,
including both quantitative and qualitative factors, to determine
whether the incident is material. Even if the probability of an adverse
consequence is relatively low, if the magnitude of the loss or
liability is high, the incident may still be material; materiality
``depends on the significance the reasonable investor would place on''
the information.\57\ Thus, under the proposed rules, when a
cybersecurity incident occurs, registrants would need to carefully
assess whether the incident is material in light of the specific
circumstances presented by applying a well-reasoned, objective approach
from a reasonable investor's perspective based on the total mix of
information.
---------------------------------------------------------------------------
\57\ Basic Inc. v. Levinson, 485 U.S. at 240.
---------------------------------------------------------------------------
2. Examples of Cybersecurity Incidents That May Require Disclosure
Pursuant to Proposed Item 1.05 of Form 8-K
The following is a non-exclusive list of examples of cybersecurity
incidents \58\ that may, if determined by the registrant to be
material, trigger the proposed Item 1.05 disclosure requirement:
---------------------------------------------------------------------------
\58\ As discussed infra in Section II.D, we propose to define
cybersecurity incident as ``an unauthorized occurrence on or
conducted through a registrant's information systems that
jeopardizes the confidentiality, integrity, or availability of a
registrant's information systems or any information residing
therein.'' We believe this term is sufficiently understood and broad
enough to encompass incidents that could adversely affect a
registrant's information systems or information residing therein,
such as gaining access without authorization or by exceeding
authorized access to such systems and information that could lead,
for example, to the modification or destruction of systems and
information. We also propose to define information systems as
``information resources, owned or used by the registrant, including
physical or virtual infrastructure controlled by such information
resources, or components thereof, organized for the collection,
processing, maintenance, use, sharing, dissemination, or disposition
of a registrant's information to maintain or support the
registrant's operations.'' The definitions of ``cybersecurity
incident'' and ``information systems'' as proposed in Item 106 of
Regulation S-K would also apply to such terms as used in proposed
Item 1.05 of Form 8-K. See infra note 80.
---------------------------------------------------------------------------
<bullet> An unauthorized incident that has compromised the
confidentiality, integrity, or availability of an information asset
(data, system, or network); or violated the registrant's security
policies or procedures. Incidents may stem from the accidental exposure
of data or from a deliberate attack to steal or alter data;
<bullet> An unauthorized incident that caused degradation,
interruption, loss of control, damage to, or loss of operational
technology systems;
<bullet> An incident in which an unauthorized party accessed, or a
party exceeded authorized access, and altered, or has stolen sensitive
business information, personally identifiable information, intellectual
property, or information that has resulted, or may result, in a loss or
liability for the registrant;
<bullet> An incident in which a malicious actor has offered to sell
or has threatened to publicly disclose sensitive company data; or
<bullet> An incident in which a malicious actor has demanded
payment to restore company data that was stolen or altered.
3. Ongoing Investigations Regarding Cybersecurity Incidents
Proposed Item 1.05 would not provide for a reporting delay when
there is an ongoing internal or external investigation related to the
cybersecurity incident. As the Commission stated in the 2018
Interpretive Release, while an ongoing investigation might affect the
specifics in the registrant's disclosure, ``an ongoing internal or
external investigation--which often can be lengthy--would not on its
own provide a basis for avoiding disclosures of a material
cybersecurity incident.'' \59\ Additionally, any such delay provision
could undermine the purpose of proposed Item 1.05 of providing timely
and consistent disclosure of cybersecurity incidents given that
investigations and resolutions of cybersecurity incidents may occur
over an extended period of time and may vary widely in timing and
scope. At the same time, we recognize that a delay in reporting may
facilitate law enforcement investigations aimed at apprehending the
perpetrators of the cybersecurity incident and preventing future
cybersecurity incidents. On balance, it is our current view that the
importance of timely disclosure of cybersecurity incidents for
investors would justify not providing for a reporting delay.
---------------------------------------------------------------------------
\59\ See supra note 33, 2018 Interpretive Release.
---------------------------------------------------------------------------
Many states have laws that allow companies to delay providing
public notice about a data breach incident or notifying certain
constituencies of such an incident if law enforcement determines that
notification will impede a civil or criminal investigation. A
registrant may have obligations to report incidents at the state or
federal level (to customers, consumer credit reporting entities, state
or federal regulators and law enforcement agencies, etc.); those
obligations are distinct from its obligations to disclose material
information to its shareholders under the federal securities laws. To
the extent that proposed Item 1.05 of Form 8-K would require disclosure
in a situation in which a state law delay provision
[[Page 16597]]
would excuse notification, there is a possibility a registrant would be
required to disclose the incident on Form 8-K even though it could
delay incident reporting under a particular state law. The proposed
Form 8-K requirement would advance the objective of timely reporting of
material cybersecurity incidents without the uncertainties of delay. It
is critical to investor protection and well-functioning, orderly, and
efficient markets that investors promptly receive information regarding
material cybersecurity incidents.
4. Proposed Amendment to Form 6-K
FPIs are not required to file current reports on Form 8-K.\60\
Instead, they are required to furnish on Form 6-K \61\ copies of all
information that the FPI: (i) Makes or is required to make public under
the laws of its jurisdiction of incorporation, (ii) files, or is
required to file under the rules of any stock exchange, or (iii)
otherwise distributes to its security holders. We are proposing to
amend General Instruction B of Form 6-K to reference material
cybersecurity incidents among the items that may trigger a current
report on Form 6-K. As with proposed Item 1.05 of Form 8-K, the
proposed change to Form 6-K is intended to provide timely cybersecurity
incident disclosure in a manner that is consistent with the general
purpose and use of Form 6-K.
---------------------------------------------------------------------------
\60\ See Exchange Act Rules 13a-11 and 15d-11 [17 CFR 240.13a-11
and 15d-11].
\61\ 17 CFR 249.306.
---------------------------------------------------------------------------
5. Proposed Amendments to the Eligibility Provisions of Form S-3 and
Form SF-3 and Safe Harbor Provision in Exchange Act Rules 13a-11 and
15d-11
We are proposing to amend General Instruction I.A.3.(b) of Form S-3
and General Instruction I.A.2 of Form SF-3 to provide that an untimely
filing on Form 8-K regarding new Item 1.05 would not result in loss of
Form S-3 or Form SF-3 eligibility. Under our existing rules, the
untimely filing on Form 8-K of certain specified items does not result
in loss of Form S-3 or Form SF-3 eligibility, so long as Form 8-K
reporting is current at the time the Form S-3 or SF-3 is filed. In the
past, when we have adopted new disclosure requirements that differed
from the traditional periodic reporting obligations of companies, we
have acknowledged concerns about the potentially harsh consequences of
the loss of Form S-3 or Form SF-3 eligibility, and addressed such
concerns by specifying that untimely filing of Forms 8-K relating to
certain topics would not result in the loss of Form S-3 or Form SF-3
eligibility.\62\ For the same reason, we believe that it is appropriate
to add proposed Item 1.05 to the list of Form 8-K items in General
Instruction I.A.3.(b) of Form S-3 and General Instruction I.A.2 of Form
SF-3.\63\
---------------------------------------------------------------------------
\62\ See Selective Disclosure and Insider Trading, Release No.
33-7881 (Aug. 15, 2000) [65 FR 51715 (Aug. 24, 2000)]; see also
Additional Form 8-K Disclosure Requirements and Acceleration of
Filing Date, Release No. 33-8400 (Mar. 16, 2004) [69 FR 15593 (Mar.
25, 2004)] (the ``Additional Form 8-K Disclosure Release'').
\63\ See Selective Disclosure and Insider Trading, Release No.
33-7881 (Aug. 15, 2000) [65 FR 51715]; Additional Form 8-K
Disclosure Release.
---------------------------------------------------------------------------
We are also proposing to amend Rules 13a-11(c) and 15d-11(c) under
the Exchange Act to include new Item 1.05 in the list of Form 8-K items
eligible for a limited safe harbor from liability under Section 10(b)
or Rule 10b-5 under the Exchange Act.\64\ In 2004, when the Commission
adopted the limited safe harbor, the Commission noted its view that the
safe harbor is appropriate if the triggering event for the Form 8-K
requires management to make a rapid materiality determination.\65\
While the registrant would need to file an Item 1.05 Form 8-K within
four business days after the registrant determines that it has
experienced a material cybersecurity incident, rather than within four
business days after its discovery of the incident, we expect management
to make a materiality determination about the incident as soon as
reasonably practicable after its discovery of the incident.\66\ In some
cases, we expect that management would make a materiality determination
coincident with discovering a cybersecurity incident and therefore file
a Form 8-K very soon after the registrant experiences or discovers a
cybersecurity incident. Therefore, we believe that it is appropriate to
extend the safe harbor to this proposed new item.
---------------------------------------------------------------------------
\64\ Rules 13a-11(c) and 15d-11(c) each provides that ``[n]o
failure to file a report on Form 8-K that is required solely
pursuant to Item 1.01, 1.02, 2.03, 2.04, 2.05, 2.06, 4.02(a),
5.02(e), or 6.03 of Form 8-K shall be deemed a violation of''
Section 10(b) of the Exchange Act or Rule 10b-5 thereunder.
\65\ Additional Form 8-K Disclosure Release at 69 FR 15607.
\66\ Instruction 1 to proposed Item 1.05 of Form 8-K.
---------------------------------------------------------------------------
Request for Comment
1. Would investors benefit from current reporting about material
cybersecurity incidents on Form 8-K? Does the proposed Form 8-K
disclosure requirement appropriately balance the informational needs of
investors and the reporting burdens on registrants?
2. Would proposed Item 1.05 require an appropriate level of
disclosure about a material cybersecurity incident? Would the proposed
disclosures allow investors to understand the nature of the incident
and its potential impact on the registrant, and make an informed
investment decision? Should we modify or eliminate any of the specified
disclosure items in proposed Item 1.05? Is there any additional
information about a material cybersecurity incident that Item 1.05
should require?
3. Could any of the proposed Item 1.05 disclosures or the proposed
timing of the disclosures have the unintentional effect of putting
registrants at additional risk of future cybersecurity incidents? If
so, how could we modify the proposal to avoid this effect? For example,
should registrants instead provide some of the disclosures in proposed
Item 1.05 in the registrant's next periodic report? If so, which
disclosures?
4. We are proposing to require registrants to file an Item 1.05
Form 8-K within four business days after the registrant determines that
it has experienced a material cybersecurity incident. Would the
proposed four-business-day filing deadline provide sufficient time for
registrants to prepare the disclosures that would be required under
proposed Item 1.05? Should we modify the timeframe in which a
registrant must file a Form 8-K under proposed Item 1.05? If so, what
timeframe would be more appropriate for making these disclosures?
5. Should there be a different triggering event for the Item 1.05
disclosure, such as the registrant's discovery that it has experienced
a cybersecurity incident, even if the registrant has not yet been able
to determine the materiality of the incident? If so, which information
should be disclosed in Form 8-K based on a revised triggering event?
Should we instead require disclosure only if the expected costs arising
from a cybersecurity incident exceed a certain quantifiable threshold,
e.g., a percentage of the company's assets, equity, revenues or net
income or alternatively a precise number? If so, what would be an
appropriate threshold?
6. To what extent, if any, would the proposed Form 8-K incident
reporting obligation create conflicts for a registrant with respect to
other obligations of the registrant under federal or state law? How
would any such conflicting obligations arise, and what mechanisms could
the Commission use to ensure that registrants can comply with other
laws and regulations while providing these
[[Page 16598]]
timely disclosures to investors? What costs would registrants face in
determining the extent of a potential conflict?
7. Should any rule provide that the Commission shall allow
registrants to delay reporting of a cybersecurity incident where the
Attorney General requests such a delay from the Commission based on the
Attorney General's written determination that the delay is in the
interest of national security?
8. We are proposing to include an instruction that ``a registrant
shall make a materiality determination regarding a cybersecurity
incident as soon as reasonably practicable after discovery of the
incident.'' Is this instruction sufficient to mitigate the risk of a
registrant delaying a materiality determination? Should we consider
further guidance regarding the timing of a materiality determination?
Should we, for example, suggest examples of timeframes that would (or
would not), in most circumstances, be considered prompt?
9. Should certain registrants that would be within the scope of the
proposed requirements, but that are subject to other
cybersecurity-related regulations, or that would be included in the
scope of the Commission's recently proposed cybersecurity rules \67\
for advisers and funds, if adopted, be excluded from the proposed
requirements? For example, should the proposed Form 8-K reporting
requirements or the other disclosure requirements described in this
release, as applicable, exclude business development companies
(``BDCs''),\68\ or the publicly traded parent of an adviser?
---------------------------------------------------------------------------
\67\ See Cybersecurity Risk Management for Investment Advisers,
Registered Investment Companies, and Business Development Companies,
Release No. 34-94197 (Feb. 9, 2022) [87 FR 13524 (Mar. 9, 2022)]
(``Investment Management Cybersecurity Proposing Release''). In this
release, the Commission proposed new rules and rule amendments that
would require: (i) Registered investment advisers (``advisers'') and
investment companies (``funds'') to adopt and implement written
cybersecurity policies and procedures reasonably designed to address
cybersecurity risks; (ii) advisers to report significant
cybersecurity incidents affecting the adviser, or its fund or
private fund clients, to the Commission; (iii) advisers and funds to
provide cyber-related disclosures to clients and investors; and (iv)
advisers and funds to maintain certain records related to the
proposed cybersecurity risk management obligations and the
occurrence of cybersecurity incidents.
\68\ For purposes of this release, the terms ``public
companies,'' ``companies,'' and ``registrants,'' include issuers
that are business development companies as defined in section
2(a)(48) of the Investment Company Act of 1940 (``Investment Company
Act''), but not those investment companies registered under that
Act.
---------------------------------------------------------------------------
10. As described further below, we are proposing to define
cybersecurity incident to include an unauthorized occurrence on or
through a registrant's ``information systems,'' which is proposed to
include ``information resources owned or used by the registrant.''
Would registrants be reasonably able to obtain information to make a
materiality determination about cybersecurity incidents affecting
information resources that are used but not owned by them? Would a safe
harbor for information about cybersecurity incidents affecting
information resources that are used but not owned by a registrant be
appropriate? If so, why, and what would be the appropriate scope of a
safe harbor? What alternative disclosure requirements would provide
investors with information about cybersecurity incidents and risks that
affect registrants via information systems owned by third parties?
11. We are proposing that registrants be required to file rather
than permitted to furnish an Item 1.05 Form 8-K. Should we instead
permit registrants to furnish an Item 1.05 Form 8-K, such that the Form
8-K would not be subject to liability under Section 18 of the Exchange
Act unless the registrant specifically states that the information is
to be considered ``filed'' or incorporates it by reference into a
filing under the Securities Act or Exchange Act?
12. We note above that the non-exclusive list of examples that would
merit disclosure under Item 1.05 of Form 8-K covers some, but not all,
types of material cybersecurity incidents. Are there additional
examples we should address? Should we include a non-exclusive list of
examples in Item 1.05 of Form 8-K?
13. Should we include Item 1.05 in the Exchange Act Rules 13a-11
and 15d-11 safe harbors from public and private claims under Exchange
Act Section 10(b) and Rule 10b-5 for failure to timely file a Form 8-K,
as proposed?
14. Should we include Item 1.05, as proposed, in the list of Form
8-K items where failure to timely file a Form 8-K will not result in
the loss of a registrant's eligibility to file a registration statement
on Form S-3 and Form SF-3?
C. Disclosure About Cybersecurity Incidents in Periodic Reports
1. Updates to Previously Filed Form 8-K Disclosure
Proposed Item 106(d)(1) of Regulation S-K would require registrants
to disclose any material changes, additions, or updates to information
required to be disclosed pursuant to Item 1.05 of Form 8-K in the
registrant's quarterly report filed with the Commission on Form 10-Q or
annual report filed with the Commission on Form 10-K for the period
(the registrant's fourth fiscal quarter in the case of an annual
report) in which the material change, addition, or update occurred.
We are proposing this requirement to balance the need for prompt
and timely disclosure regarding material cybersecurity incidents with
the fact that a registrant may not have complete information about a
material cybersecurity incident at the time it determines the incident
to be material. Proposed Item 106(d)(1) provides a means for investors
to receive regular updates regarding the previously reported incident
when and for so long as there are material changes, additions, or
updates during a given reporting period. For example, after filing the
initial Form 8-K disclosure, the registrant may become aware of
additional material information about the scope of the incident and
whether any data was stolen or altered; the proposed Item 106(d)(1)
disclosure requirements would allow investors to stay informed of such
developments.
The registrant also may be able to provide information about the
effect of the previously reported cybersecurity incident on its
operations as well as a description of remedial steps it has taken, or
plans to take, in response to the incident that was not available at
the time of the initial Form 8-K filing.\69\ In order to assist
registrants in developing updated incident disclosure in their periodic
reports, proposed Item 106(d)(1) provides the following non-exclusive
examples of the type of disclosure that should be provided, if
applicable:
---------------------------------------------------------------------------
\69\ Notwithstanding proposed Item 106(d)(1), there may be
situations where a registrant would need to file an amended Form 8-K
to correct disclosure from the initial Item 1.05 Form 8-K, such as
where that disclosure becomes inaccurate or materially misleading as
a result of subsequent developments regarding the incident. For
example, if the impact of the incident is determined after the
initial Item 1.05 Form 8-K filing to be significantly more severe
than previously disclosed, an amended Form 8-K may be required.
---------------------------------------------------------------------------
<bullet> Any material impact of the incident on the registrant's
operations and financial condition;
<bullet> Any potential material future impacts on the registrant's
operations and financial condition;
<bullet> Whether the registrant has remediated or is currently
remediating the incident; and
<bullet> Any changes in the registrant's policies and procedures as
a result of the cybersecurity incident, and how the incident may have
informed such changes.
[[Page 16599]]
2. Disclosure of Cybersecurity Incidents That Have Become Material in
the Aggregate
Proposed Item 106(d)(2) would require disclosure when a series of
previously undisclosed individually immaterial cybersecurity incidents
become material in the aggregate. Thus, registrants would need to
analyze related cybersecurity incidents for materiality, both
individually and in the aggregate. If such incidents become material in
the aggregate, registrants would need to disclose: When the incidents
were discovered and whether they are ongoing; a brief description of
the nature and scope of such incidents; whether any data was stolen or
altered; the impact of such incidents on the registrant's operations
and the registrant's actions; and whether the registrant has remediated
or is currently remediating the incidents.
While such incidents conceptually could take a variety of forms, an
example would be where one malicious actor engages in a number of
smaller but continuous cyber-attacks, related in time and form, against
the same company and, collectively, they are either quantitatively or
qualitatively material, or both. Such incidents would need to be
disclosed in the periodic report for the period in which a registrant
has made a determination that they are material in the aggregate.
Request for Comment
15. Should we require registrants to disclose any material changes
or updates to information that would be disclosed pursuant to proposed
Item 1.05 of Form 8-K in the registrant's quarterly or annual report,
as proposed? Are there instances, other than to correct inaccurate or
materially misleading prior disclosures, when a registrant should be
required to update its report on Form 8-K or file another Form 8-K
instead of providing disclosure of material changes, additions, or
updates in a subsequent Form 10-Q or Form 10-K?
16. Should we require a registrant to provide disclosure on Form
10-Q or Form 10-K when a series of previously undisclosed and
individually immaterial cybersecurity incidents becomes material in the
aggregate, as proposed? Alternatively, should we require a registrant
to provide disclosure in Form 8-K, rather than in a periodic report, as
proposed, when a series of previously undisclosed and individually
immaterial cybersecurity incidents becomes material in the aggregate?
D. Disclosure of a Registrant's Risk Management, Strategy and
Governance Regarding Cybersecurity Risks
1. Risk Management and Strategy
Companies typically address significant risks to their businesses
by developing risk management systems, which may include policies and
procedures for identifying, assessing, and managing the risks. These
policies and procedures may then be subject to oversight by a company's
management and board.\70\ Policies and procedures reasonably designed
to provide oversight, risk assessments, and incident responses may be
adopted to help prevent or mitigate cyber-attacks and potentially
prevent future attacks. Staff in the Division of Corporation Finance
has observed that most of the registrants that disclosed a
cybersecurity incident in 2021 did not describe their cybersecurity
risk oversight and related policies and procedures. Some of these
registrants provided only general disclosures, such as a reference to
cybersecurity as one of the risks overseen by the board or a board
committee.
---------------------------------------------------------------------------
\70\ See Martin Lipton, Wachtell, Lipton, Rosen & Katz,
Spotlight on Boards 2018, Harv. L. Sch. F. on Corp. Governance (May
31, 2018), available at <a href="https://corpgov.law.harvard.edu/2018/05/31/spotlight-on-boards-2018">https://corpgov.law.harvard.edu/2018/05/31/spotlight-on-boards-2018</a> (one of the board's responsibilities is to,
``[o]versee and understand the corporation's risk management and
compliance efforts and how risk is taken into account in the
corporation's business decision-making; respond to red flags if and
when they arise.'').
---------------------------------------------------------------------------
We are proposing Item 106(b) of Regulation S-K to require
registrants to provide more consistent and informative disclosure
regarding their cybersecurity risk management and strategy. We believe
that disclosure of the relevant policies and procedures, to the extent
a registrant has established any, would benefit investors by providing
greater transparency as to the registrant's strategies and actions to
manage cybersecurity risks. For example, proposed disclosure about
whether the registrant has a cybersecurity risk assessment program and
undertakes activities designed to prevent, detect, and minimize effects
of cybersecurity incidents can improve an investor's understanding of
the registrant's cybersecurity risk profile. Given that a significant
number of cybersecurity incidents pertain to third party service
providers, the proposed rules would require disclosure concerning a
registrant's selection and oversight of third-party entities as
well.\71\
---------------------------------------------------------------------------
\71\ See Stephen Klemash and Jamie Smith, What companies are
disclosing about cybersecurity risk and oversight, EY, supra note 6
(``Around a third of the disclosed data breaches related to cyber
attacks of third-party service providers.'').
---------------------------------------------------------------------------
Additionally, cybersecurity risks may have an impact on a
registrant's business strategy, financial outlook, or financial
planning. Across industries, companies increasingly rely on information
technology, collection of data, and use of digital payments as critical
components of their business model and strategy. Their exposure to
cybersecurity risks and previous cybersecurity incidents may affect
these critical components, informing changes in their business model,
financial condition, financial planning, and allocation of capital. For
example, a company with a business model that relies highly on
collecting and safeguarding sensitive and personally identifiable
information from its customers may consider raising additional capital
to invest in enhanced cybersecurity protection, improvements in its
information security infrastructure, or employee cybersecurity
training. Another company may examine the risks and decide that its
business model should be adapted to minimize its collection of
sensitive and personally identifiable information in order to reduce
its risk exposure. These strategic decisions have implications for the
company's financial planning and future financial performance.
Disclosure about the impact of cybersecurity risks on business strategy
would enable investors to assess whether companies will become more
resilient or, conversely, more vulnerable to cybersecurity risks in the
future.
We also propose requiring disclosure of whether cybersecurity
related risk and previous incidents have affected or are reasonably
likely to affect the registrant's results of operations or financial
condition. Investors would likely want to understand the financial
impacts of cybersecurity risks and previous cybersecurity incidents in
order to understand how these risks and incidents affect the company's
financial performance or position, and thus the return on their
investment. For example, a company that has previously experienced a
cybersecurity incident may plan to provide compensation to consumers or
it may anticipate regulatory fines or legal judgments as a result of
the incident. These financial impacts would help investors understand
the degree to which cybersecurity risks and incidents could affect the
company's financial performance or position.
Proposed Item 106(b) would therefore require a registrant to
disclose its
[[Page 16600]]
policies and procedures, if it has any, to identify and manage
cybersecurity risks and threats, including: Operational risk;
intellectual property theft; fraud; extortion; harm to employees or
customers; violation of privacy laws and other litigation and legal
risk; and reputational risk. Specifically, proposed Item 106(b) of
Regulation S-K would require disclosure, as applicable, of whether:
\72\
---------------------------------------------------------------------------
\72\ See proposed Item 106(b).
---------------------------------------------------------------------------
<bullet> The registrant has a cybersecurity risk assessment program
and if so, provide a description of such program;
<bullet> The registrant engages assessors, consultants, auditors,
or other third parties in connection with any cybersecurity risk
assessment program;
<bullet> The registrant has policies and procedures to oversee and
identify the cybersecurity risks associated with its use of any third-
party service provider (including, but not limited to, those providers
that have access to the registrant's customer and employee data),
including whether and how cybersecurity considerations affect the
selection and oversight of these providers and contractual and other
mechanisms the company uses to mitigate cybersecurity risks related to
these providers;
<bullet> The registrant undertakes activities to prevent, detect,
and minimize effects of cybersecurity incidents;
<bullet> The registrant has business continuity, contingency, and
recovery plans in the event of a cybersecurity incident;
<bullet> Previous cybersecurity incidents have informed changes in
the registrant's governance, policies and procedures, or technologies;
<bullet> Cybersecurity related risk and incidents have affected or
are reasonably likely to affect the registrant's results of operations
or financial condition and if so, how; and
<bullet> Cybersecurity risks are considered as part of the
registrant's business strategy, financial planning, and capital
allocation and if so, how.
2. Governance
Disclosure regarding board oversight of a registrant's
cybersecurity risk and the inclusion or exclusion of management from
the oversight of cybersecurity risks and the implementation of related
policies, procedures, and strategies impacts an investor's ability to
understand how a registrant prepares for, prevents, or responds to
cybersecurity incidents.\73\ Accordingly, proposed Item 106(c) would
require disclosure of a registrant's cybersecurity governance,
including the board's oversight of cybersecurity risk and a description
of management's role in assessing and managing cybersecurity risks, the
relevant expertise of such management, and its role in implementing the
registrant's cybersecurity policies, procedures, and strategies.\74\
---------------------------------------------------------------------------
\73\ See John F. Savarese et al., Cybersecurity Oversight and
Defense--A Board and Management Imperative, Harv. L. Sch. F. on Corp.
Governance (May 14, 2021), available at <a href="https://corpgov.law.harvard.edu/2021/05/14/cybersecurity-oversight-and-defense-a-board-and-management-imperative/">https://corpgov.law.harvard.edu/2021/05/14/cybersecurity-oversight-and-defense-a-board-and-management-imperative/</a>.
\74\ Proposed amendments to Form 10-K clarify that an asset-
backed issuer (as defined in Item 1101 of Regulation AB) that does
not have any executive officers or directors may omit the
information required by 17 CFR 229.106(c) (Item 106(c) of Regulation
S-K).
---------------------------------------------------------------------------
Specifically, as it pertains to the board's oversight of
cybersecurity risk, disclosure required by proposed Item 106(c)(1)
would include a discussion, as applicable, of the following: \75\
---------------------------------------------------------------------------
\75\ See proposed Item 106(c)(1). In the case of a FPI with a
two-tier board of directors, proposed Instruction 1 to Item 106(c)
clarifies that the term ``board of directors'' means the supervisory
or non-management board. In the case of a FPI meeting the
requirements of 17 CFR 240.10A-3(c)(3), for purposes of proposed
Item 106(c), the term ``board of directors'' means the registrant's
board of auditors (or similar body) or statutory auditors, as
applicable.
---------------------------------------------------------------------------
<bullet> Whether the entire board, specific board members or a
board committee is responsible for the oversight of cybersecurity
risks;
<bullet> The processes by which the board is informed about
cybersecurity risks, and the frequency of its discussions on this
topic; and
<bullet> Whether and how the board or board committee considers
cybersecurity risks as part of its business strategy, risk management,
and financial oversight.
This proposed disclosure about the board's oversight would inform
investors about the role of the board in cybersecurity risk management,
which may help inform their investment and voting decisions. Proposed
Item 106(c)(1) would also reinforce the 2018 Interpretive Release,
which states that the board's role in overseeing cybersecurity risks
should be disclosed if ``cybersecurity risks are material to a
company's business'' and that such disclosures should address how a
board ``engages with management on cybersecurity issues'' and
``discharg[es] its [cybersecurity] risk oversight responsibility.''
\76\
---------------------------------------------------------------------------
\76\ See 2018 Interpretive Release.
---------------------------------------------------------------------------
Proposed Item 106(c)(2) would require a description of management's
role in assessing and managing cybersecurity-related risks and in
implementing the registrant's cybersecurity policies, procedures, and
strategies. This description would include, but not be limited to, the
following information: \77\
---------------------------------------------------------------------------
\77\ See proposed Item 106(c)(2).
---------------------------------------------------------------------------
<bullet> Whether certain management positions or committees are
responsible for measuring and managing cybersecurity risk, specifically
the prevention, mitigation, detection, and remediation of cybersecurity
incidents, and the relevant expertise of such persons or members;
<bullet> Whether the registrant has a designated chief information
security officer,\78\ or someone in a comparable position, and if so,
to whom that individual reports within the registrant's organizational
chart, and the relevant expertise \79\ of any such persons;
---------------------------------------------------------------------------
\78\ The chief information security officer may be responsible
for identifying and monitoring cybersecurity risks, communicating
with senior management and the registrant's business units about
acceptable risk levels, developing risk mitigation strategies, and
implementing a security framework that protects the registrant's
digital assets. The Role of the CISO and the Digital Security
Landscape, ISACA J. vol. 2, at 22, 23-29 (2019), available at <a href="https://www.isaca.org/resources/isaca-journal/issues/2019/volume-2/the-role-of-the-ciso-and-the-digital-security-landscape">https://www.isaca.org/resources/isaca-journal/issues/2019/volume-2/the-role-of-the-ciso-and-the-digital-security-landscape</a>.
\79\ Proposed Instruction 2 to Item 106(c) provides guidance
that ``expertise'' in Item 106(c)(2)(i) and (ii) may include, for
example: Prior work experience in cybersecurity; any relevant
degrees or certifications; any knowledge, skills, or other
background in cybersecurity.
---------------------------------------------------------------------------
<bullet> The processes by which such persons or committees are
informed about and monitor the prevention, mitigation, detection, and
remediation of cybersecurity incidents; and
<bullet> Whether and how frequently such persons or committees
report to the board of directors or a committee of the board of
directors on cybersecurity risk.
This proposed disclosure of how a registrant's management assesses
and implements policies, procedures, and strategies to mitigate
cybersecurity risks would be of importance to investors both as they
understand how registrants are planning for cybersecurity risks and as
they make decisions as to how best to allocate their capital.
3. Definitions
Proposed Item 106(a) defines the terms ``cybersecurity incident,''
``cybersecurity threat,'' and ``information systems,'' as used in
proposed Item 106 and proposed Form 8-K Item 1.05 as follows: \80\
---------------------------------------------------------------------------
\80\ See proposed Item 106(a). These three terms are derived
from a number of established sources. See Presidential Policy
Directive--United States Cyber Incident Coordination (July 26, 2016)
(``PPD-41''); 6 U.S.C. 1501 (2021); 44 U.S.C. 3502 (2021); 44 U.S.C.
3552 (2021); see also National Institute of Standards and Technology
(NIST), Computer Security Resource Center Glossary (last visited
Feb. 6, 2022), available at <a href="https://csrc.nist.gov/glossary">https://csrc.nist.gov/glossary</a> (``NIST
Glossary''). The proposed definitions also are consistent with
proposed definitions in the Investment Management Cybersecurity
Proposing Release. See Investment Management Cybersecurity Proposing
Release at notes 27, 28, and 30. We believe the proposed terms are
sufficiently precise for registrants to understand and use in
connection with the proposed rules. Use of common terms is intended
to facilitate compliance and reduce regulatory burdens. Using common
terms and similar definitions with the Investment Management
Cybersecurity Proposing Release along with other federal
cybersecurity rulemakings is intended to facilitate compliance and
reduce regulatory burdens.
---------------------------------------------------------------------------
[[Page 16601]]
<bullet> Cybersecurity incident means an unauthorized occurrence on
or conducted through a registrant's information systems that
jeopardizes the confidentiality, integrity, or availability of a
registrant's information systems or any information residing therein.
<bullet> Cybersecurity threat means any potential occurrence that
may result in an unauthorized effort to adversely affect the
confidentiality, integrity, or availability of a registrant's
information systems or any information residing therein.
<bullet> Information systems means information resources, owned or
used by the registrant, including physical or virtual infrastructure
controlled by such information resources, or components thereof,
organized for the collection, processing, maintenance, use, sharing,
dissemination, or disposition of the registrant's information to
maintain or support the registrant's operations.
What constitutes a ``cybersecurity incident'' for purposes of our
proposal should be construed broadly and may result from any one or
more of the following: An accidental exposure of data, a deliberate
action or activity to gain unauthorized access to systems or to steal
or alter data, or other system compromises or data breaches.\81\
---------------------------------------------------------------------------
\81\ See supra Section II.B.2, for examples of cybersecurity
incidents that may require disclosure pursuant to proposed Item 1.05
of Form 8-K.
---------------------------------------------------------------------------
Request for Comment
17. Should we adopt Item 106(b) and (c) as proposed? Are there
other aspects of a registrant's cybersecurity policies and procedures
or governance that should be required to be disclosed under Item 106,
to the extent that a registrant has any policies and procedures or
governance? Conversely, should we exclude any of the proposed Item 106
disclosure requirements?
18. Are the proposed definitions of the terms ``cybersecurity
incident,'' ``cybersecurity threat,'' and ``information systems,'' in
Item 106(a) appropriate or should they be revised? Are there other
terms used in the proposed amendments that we should define?
19. The proposed rule does not define ``cybersecurity.'' We could
define the term to mean, for example: ``any action, step, or measure to
detect, prevent, deter, mitigate, or address any cybersecurity threat
or any potential cybersecurity threat.'' Would defining
``cybersecurity'' in proposed Item 106(a) be helpful? Why or why not?
If defining this term would be helpful, is the definition provided
above appropriate, or is there another definition that would better
define ``cybersecurity''?
20. Should we require the registrant to specify whether any
cybersecurity assessor, consultant, auditor, or other service that it
relies on is through an internal function or through an external third-
party service provider? Would such a disclosure be useful for
investors?
21. As proposed, a registrant that has not established any
cybersecurity policies or procedures would not have to explicitly state
that this is the case. If applicable, should a registrant have to
explicitly state that it has not established any cybersecurity policies
and procedures?
22. Are there concerns that certain disclosures required under Item
106 would have the potential effect of undermining a registrant's
cybersecurity defense efforts or have other potentially adverse effects
by highlighting a registrant's lack of policies and procedures related
to cybersecurity? If so, how should we address these concerns while
balancing investor need for a sufficient description of a registrant's
policies and procedures for purposes of their investment decisions?
23. Should we exempt certain categories of registrants from
proposed Item 106, such as smaller reporting companies, emerging growth
companies, or FPIs? If so, which ones and why? How would any exemption
impact investor assessments and comparisons of the cybersecurity risks
of registrants? Alternatively, should we provide for scaled disclosure
requirements by any of these categories of registrants, and if so, how?
24. Should we provide for delayed compliance or other transition
provisions for proposed Item 106 for certain categories of registrants,
such as smaller reporting companies, emerging growth companies, FPIs,
or asset-backed securities issuers? Proposed Item 106(b), which would
require companies to provide disclosures regarding existing policies
and procedures for the identification and management of cybersecurity
incidents, would be required in annual reports. Should the proposed
Item 106(b) disclosures also be required in registration statements
under the Securities Act and the Exchange Act?
25. To what extent would disclosure under proposed Item 106 overlap
with disclosure required under Item 407(h) of Regulation S-K (``Board
leadership structure and role in oversight'') with respect to board
oversight of cybersecurity risks? To the extent there is significant
overlap, should we expressly provide for the use of hyperlinks or
cross-references in Item 106? Are there other approaches that would
effectively decrease duplicative disclosure without being cumbersome
for investors?
E. Disclosure Regarding the Board of Directors' Cybersecurity Expertise
Cybersecurity is already among the top priorities of many boards of
directors \82\ and cybersecurity incidents and other risks are
considered one of the largest threats to companies.\83\ Accordingly,
investors may find disclosure of whether any board members have
cybersecurity expertise to be important as they consider their
investment in the registrant as well as their votes on the election of
directors of the registrant.
---------------------------------------------------------------------------
\82\ NACD, 2019-2020 NACD Public Company Governance Survey,
available at <a href="https://corpgov.law.harvard.edu/wp-content/uploads/2020/01/2019-2020-Public-Company-Survey.pdf">https://corpgov.law.harvard.edu/wp-content/uploads/2020/01/2019-2020-Public-Company-Survey.pdf</a>.
\83\ See id.
---------------------------------------------------------------------------
We propose to amend Item 407 of Regulation S-K by adding paragraph
(j) to require disclosure about the cybersecurity expertise of members
of the board of directors of the registrant, if any. If any member of
the board has cybersecurity expertise, the registrant would have to
disclose the name(s) of any such director(s), and provide such detail
as necessary to fully describe the nature of the expertise.\84\
---------------------------------------------------------------------------
\84\ Consistent with proposed Instruction 1 to Item 106(c), we
are proposing an instruction to Item 407(j) to clarify that in the
case of a FPI with a two-tier board of directors the term ``board of
directors'' means the supervisory or non-management board. In the
case of a FPI meeting the requirements of 17 CFR 240.10A-3(c)(3),
for purposes of 407(j), the term ``board of directors'' means the
registrant's board of auditors (or similar body) or statutory
auditors, as applicable. See proposed Instruction 2 to Item 407(j).
Likewise, proposed General Instruction J to Form 10-K permits an
asset-backed issuer that does not have any executive officers or
directors to omit the Item 407 disclosure required by Form 10-K as
these entities are generally passive pools of assets and are subject
to substantially different reporting requirements than operating
companies. Similarly, such entities would be permitted to omit the
proposed Item 407(j) disclosure from Form 10-K under General
Instruction J for the same reason.
---------------------------------------------------------------------------
The proposed requirements would build upon the existing disclosure
requirements in Item 401(e) of Regulation S-K (business experience of
directors) and Item 407(h) of Regulation
[[Page 16602]]
S-K (board risk oversight). The proposed Item 407(j) disclosure would
be required in a registrant's proxy or information statement when
action is to be taken with respect to the election of directors, and in
its Form 10-K.
Proposed Item 407(j) would not define what constitutes
``cybersecurity expertise,'' given that such expertise may cover
different experiences, skills, and tasks. Proposed Item 407(j)(1)(ii)
does, however, include the following non-exclusive list of criteria
that a registrant should consider in reaching a determination on
whether a director has expertise in cybersecurity:
<bullet> Whether the director has prior work experience in
cybersecurity, including, for example, prior experience as an
information security officer, security policy analyst, security
auditor, security architect or engineer, security operations or
incident response manager, or business continuity planner;
<bullet> Whether the director has obtained a certification or
degree in cybersecurity; and
<bullet> Whether the director has knowledge, skills, or other
background in cybersecurity, including, for example, in the areas of
security policy and governance, risk management, security assessment,
control evaluation, security architecture and engineering, security
operations, incident handling, or business continuity planning.
Proposed Item 407(j)(2) would state that a person who is determined
to have expertise in cybersecurity will not be deemed an expert for any
purpose, including, without limitation, for purposes of Section 11 of
the Securities Act (15 U.S.C. 77k),\85\ as a result of being designated
or identified as a director with expertise in cybersecurity pursuant to
proposed Item 407(j).\86\ This proposed safe harbor is intended to
clarify that Item 407(j) would not impose on such person any duties,
obligations, or liability that are greater than the duties,
obligations, and liability imposed on such person as a member of the
board of directors in the absence of such designation or
identification.\87\ This provision should alleviate such concerns for
cybersecurity experts considering board service. Conversely, we do not
intend for the identification of a cybersecurity expert on the board to
decrease the duties and obligations or liability of other board
members.\88\
---------------------------------------------------------------------------
\85\ 15 U.S.C. 77k.
\86\ See proposed Item 407(j)(3)(i).
\87\ See proposed Item 407(j)(3)(ii).
\88\ See proposed Item 407(j)(3)(iii).
---------------------------------------------------------------------------
Request for Comment
26. Would proposed Item 407(j) disclosure provide information that
investors would find useful? Should it be modified in any way?
27. Should we require disclosure of the names of persons with
cybersecurity expertise on the board of directors, as currently
proposed in Item 407(j)(1)? Would a requirement to name such persons
have the unintended effect of deterring persons with this expertise
from serving on a board of directors?
28. When a registrant does not have a person with cybersecurity
expertise on its board of directors, should the registrant be required
to state expressly that this is the case under proposed Item 407(j)(1)?
As proposed, we would not require a registrant to make such an explicit
statement.
29. Proposed Item 407(j) would require registrants to describe
fully the nature of a board member's expertise in cybersecurity without
mandating specific disclosures. Is there particular information that we
should instead require a registrant to disclose with respect to a board
member's expertise in cybersecurity?
30. As proposed, Item 407(j)(1) includes a non-exclusive list of
criteria that a company should consider in determining whether a
director has expertise in cybersecurity. Are these factors for
registrants to consider useful in determining cybersecurity expertise?
Should the list be revised, eliminated, or supplemented?
31. Would the Item 407(j) disclosure requirements have the
unintended effect of undermining a registrant's cybersecurity defense
efforts or otherwise impose undue burdens on registrants? If so, how?
32. Should 407(j) disclosure of board expertise be required in an
annual report and proxy or information statement, as proposed?
33. To what extent would disclosure under proposed Item 407(j)
overlap with disclosure required under Item 401(e) of Regulation S-K
with respect to the business experience of directors? Are there
alternative approaches that would avoid duplicative disclosure without
being cumbersome for investors?
34. As proposed, Item 407(j) does not include a definition of the
term ``expertise'' in the context of cybersecurity. Should Item 407(j)
define the term ``expertise''? If so, how should we define the term?
35. Should certain categories of registrants, such as smaller
reporting companies, emerging growth companies, or FPIs, be excluded
from the proposed Item 407(j) disclosure requirement? How would any
exclusion affect the ability of investors to assess the cybersecurity
risk of a registrant or compare such risk among registrants?
36. Should we adopt the proposed Item 407(j)(2) safe harbor to
clarify that a director identified as having expertise in cybersecurity
would not have any increased level of liability under the federal
securities laws as a result of such identification? Are there
alternatives we should consider?
37. As proposed, disclosure under Item 407(j) would be required in
a proxy or information statement. Should we require the disclosure
under Item 407(j) to appear in a registrant's proxy or information
statement regardless of whether the registrant is relying on General
Instruction G(3)? Is this information relevant to a security holder's
decision to vote for a particular director?
F. Periodic Disclosure by Foreign Private Issuers
We propose to amend Form 20-F to add Item 16J that would require an
FPI to include in its annual report on Form 20-F the same type of
disclosure that we propose in Items 106 and 407(j) of Regulation S-K
and that would be required in periodic reports filed by domestic
registrants. One difference is that while domestic registrants would be
required to include the proposed Item 407(j) disclosure about board
expertise in both their annual reports and proxy or information
statements, FPIs are not subject to Commission rules for proxy or
information statement filings and thus, would only be required to
include this disclosure in their annual reports.\89\
---------------------------------------------------------------------------
\89\ Exchange Act Rule 3a12-3(b) [17 CFR 240.3a12-3(b)].
---------------------------------------------------------------------------
With respect to incident disclosure, where an FPI has previously
reported an incident on Form 6-K, the proposed amendments would require
an update regarding such incidents, consistent with proposed Item
106(d)(1) of Regulation S-K.\90\ We are also proposing to amend Form
20-F to require FPIs to disclose on an annual basis information
regarding any previously undisclosed material cybersecurity incidents
that have occurred during the reporting period, including a series of
previously undisclosed individually immaterial cybersecurity incidents
that has become material in the aggregate.\91\
---------------------------------------------------------------------------
\90\ See proposed Item 16J(d)(1).
\91\ See proposed Item 16J(d)(2).
---------------------------------------------------------------------------
The Commission created Form 40-F in connection with its
establishment of a multijurisdictional disclosure system (``MJDS'').
This system generally
[[Page 16603]]
permits eligible Canadian FPIs to use Canadian disclosure standards and
documents to satisfy the Commission's registration and disclosure
requirements. Accordingly, we are not proposing prescriptive
cybersecurity disclosure requirements for Form 40-F filers.
Request for Comment
38. Should we amend Form 20-F, as proposed, to require disclosure
regarding cybersecurity risk management and strategy, governance, and
incidents? Additionally, should we amend Form 6-K, as proposed, to add
``cybersecurity incidents'' as a reporting topic? Are there unique
considerations with respect to FPIs in these contexts?
39. We are not proposing any changes to Form 40-F. Should we
instead require an MJDS issuer filing an annual report on Form 40-F to
comply with the Commission's specific proposed cybersecurity-related
disclosure requirements in the same manner as Form 10-K or Form 20-F
filers?
G. Structured Data Requirements
We are proposing to require registrants to tag the information
specified by Item 1.05 of Form 8-K and Items 106 and 407(j) of
Regulation S-K in Inline XBRL in accordance with Rule 405 of Regulation
S-T (17 CFR 232.405) and the EDGAR Filer Manual.\92\ The proposed
requirements would include block text tagging of narrative disclosures,
as well as detail tagging of quantitative amounts disclosed within the
narrative disclosures. Inline XBRL is both machine-readable and human-
readable, which improves the quality and usability of XBRL data for
investors.\93\
---------------------------------------------------------------------------
\92\ This tagging requirement would be implemented by including
a cross-reference to Rule 405 of Regulation S-T in proposed Item
1.05 of Form 8-K and Items 106 and 407(j) of Regulation S-K, and by
revising Rule 405(b) of Regulation S-T [17 CFR 232.405(b)] to
include the listed disclosure Items. In conjunction with the EDGAR
Filer Manual, Regulation S-T governs the electronic submission of
documents filed with the Commission. Rule 405 of Regulation S-T
specifically governs the scope and manner of disclosure tagging
requirements for operating companies and investment companies,
including the requirement in Rule 405(a)(3) to use Inline XBRL as
the specific structured data language to use for tagging the
disclosures.
\93\ See Inline XBRL Filing of Tagged Data, Securities Act
Release No. 10514 (June 28, 2018) [83 FR 40846 (Aug. 16, 2018)].
Inline XBRL allows filers to embed XBRL data directly into an HTML
document, eliminating the need to tag a copy of the information in a
separate XBRL exhibit. Inline XBRL is both human-readable and
machine-readable for purposes of validation, aggregation, and
analysis. Id. at 40851.
---------------------------------------------------------------------------
Requiring Inline XBRL tagging of the disclosures provided pursuant
to these disclosure items would benefit investors by making the
disclosures more readily available and easily accessible to investors,
market participants, and others for aggregation, comparison, filtering,
and other analysis, as compared to requiring a non-machine readable
data language such as ASCII or HTML. This Inline XBRL tagging would
enable automated extraction and analysis of the granular data required
by the proposed rules, allowing investors and other market participants
to more efficiently perform large-scale analysis and comparison of this
information across registrants and time periods. For narrative
disclosures, an Inline XBRL requirement would allow investors to
extract and search for disclosures about cybersecurity incidents
reported on Form 8-K, updated information about cybersecurity incidents
reported in a registrant's periodic reports, a registrant's
cybersecurity policies and procedures, management's role in assessing
and managing cybersecurity risks, and the board of directors' oversight
of cybersecurity risk and cybersecurity expertise rather than having to
manually run searches for these disclosures through entire documents.
The Inline XBRL requirement would also enable automatic comparison of
these disclosures against prior periods, and targeted artificial
intelligence/machine learning assessments of specific narrative
disclosures rather than the entire unstructured document. At the same
time, we do not expect the incremental compliance burden associated
with tagging the proposed additional information to be unduly
burdensome because registrants subject to the proposed tagging
requirements are for the most part subject to similar Inline XBRL
requirements in other Commission filings.
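The extraction workflow described above (block text tagging of narrative disclosures, detail tagging of quantitative amounts, and automated retrieval of tagged facts without searching the whole document), as an added example that is not part of the Commission's release and is not code from EDGAR or from any filer. The element names `ix:nonNumeric` and `ix:nonFraction` and the namespace are taken from the Inline XBRL 1.1 specification; the `cyb:` concept names, the placeholder taxonomy URI, and the disclosure text in the sample document are constructed for this illustration only, since the release does not list the taxonomy elements that would be used.

```python
"""Pull block-text and numeric Inline XBRL facts out of an XHTML filing.

Added example for this page, not code from the SEC, EDGAR, or any filer.
ix:nonNumeric / ix:nonFraction and the namespace come from the Inline XBRL
1.1 specification; the ``cyb:`` concept names, the taxonomy URI, and the
disclosure text in SAMPLE_DOC are placeholders constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional, Union
import xml.etree.ElementTree as ET

IX_NS = "http://www.xbrl.org/2013/inlineXBRL"   # Inline XBRL 1.1 namespace
XHTML_NS = "http://www.w3.org/1999/xhtml"
PLACEHOLDER_TAXONOMY = "http://example.invalid/placeholder-cyber-taxonomy"  # constructed

# Constructed sample filing fragment: a narrative disclosure wrapped as a
# block-text fact and a dollar amount tagged as a numeric fact.  A browser
# renders it as ordinary prose; the ix:* wrappers carry the machine-readable view.
SAMPLE_DOC = f"""<html xmlns="{XHTML_NS}" xmlns:ix="{IX_NS}" xmlns:cyb="{PLACEHOLDER_TAXONOMY}">
  <body>
    <p><b>Item 1.05 Material Cybersecurity Incidents</b></p>
    <ix:nonNumeric name="cyb:CybersecurityIncidentDescription" contextRef="c-2022">
      <p>On <b>January 3, 2022</b> the registrant detected unauthorized access
      to a customer database. The incident has been contained.</p>
    </ix:nonNumeric>
    <p>Estimated remediation cost: $<ix:nonFraction name="cyb:IncidentRemediationCost"
      contextRef="c-2022" unitRef="usd" decimals="-3" scale="3">1,250</ix:nonFraction> thousand.</p>
  </body>
</html>"""


@dataclass
class Fact:
    concept: str                    # taxonomy element, e.g. "cyb:IncidentRemediationCost"
    context: str                    # contextRef: which entity/period the fact belongs to
    value: Union[str, Decimal]      # normalised text for narrative facts, Decimal for numeric
    unit: Optional[str] = None      # unitRef, numeric facts only


def _normalised_text(el: ET.Element) -> str:
    """Flatten nested XHTML (bold, paragraphs, line breaks) into one string."""
    return " ".join("".join(el.itertext()).split())


def _numeric_value(el: ET.Element) -> Decimal:
    """Apply the scale and sign attributes Inline XBRL uses for display values.

    Real filings may also declare a ``format`` transformation (for example
    for non-US decimal separators); this example only handles plain
    thousands-separated digits.
    """
    raw = _normalised_text(el).replace(",", "")
    value = Decimal(raw) * (Decimal(10) ** int(el.get("scale", "0")))
    return -value if el.get("sign") == "-" else value


def extract_facts(xhtml: str) -> List[Fact]:
    """Return every ix:nonNumeric (block text) and ix:nonFraction (detail) fact."""
    root = ET.fromstring(xhtml)
    facts: List[Fact] = []
    for el in root.iter(f"{{{IX_NS}}}nonNumeric"):
        facts.append(Fact(el.get("name"), el.get("contextRef"), _normalised_text(el)))
    for el in root.iter(f"{{{IX_NS}}}nonFraction"):
        facts.append(Fact(el.get("name"), el.get("contextRef"),
                          _numeric_value(el), el.get("unitRef")))
    return facts


def facts_by_prefix(facts: List[Fact], prefix: str) -> List[Fact]:
    """Select the facts of one taxonomy prefix (here every ``cyb:`` disclosure)
    without a free-text search over the surrounding unstructured document."""
    return [f for f in facts if f.concept.startswith(prefix + ":")]


if __name__ == "__main__":
    for fact in facts_by_prefix(extract_facts(SAMPLE_DOC), "cyb"):
        print(f"{fact.concept} [{fact.context}] = {fact.value!r}"
              + (f" {fact.unit}" if fact.unit else ""))
```

The narrative wrapper is what the release calls block text tagging: the whole disclosure, including its inner XHTML markup, becomes one fact that can be pulled out and compared across filings by concept name and context. The `ix:nonFraction` element is the detail tagging of a quantitative amount; its `scale`, `sign`, and `decimals` attributes are what make the displayed "1,250 thousand" resolve to an exact machine value. In practice a filing would be validated against the Commission's published taxonomy and the EDGAR Filer Manual rather than a placeholder prefix.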
Request for Comment
40. Should we require registrants to tag the disclosures required
by proposed Item 1.05 of Form 8-K and Items 106 and 407(j) of
Regulation S-K in Inline XBRL, as proposed? Are there any changes we
should make to ensure accurate and consistent tagging? If so, what
changes should we make? Should we require registrants to use a
different structured data language to tag these disclosures? If so,
what structured data language should we require? Are there any
registrants, such as smaller reporting companies, emerging growth
companies, or FPIs that we should exempt from the tagging requirement?
General Request for Comment
We request and encourage any interested person to submit comments
regarding the proposed rule amendments, specific issues discussed in
this release, and other matters that may have an effect on the proposed
rule amendments. With regard to any comments, we note that such
comments are of particular assistance to our rulemaking initiative if
accompanied by supporting data and analysis of the issues addressed in
those comments.
III. Economic Analysis
A. Introduction
Cybersecurity threats and incidents continue to increase in
prevalence and seriousness, posing an ongoing and escalating risk to
public companies, investors, and other market participants.\94\ The
number of reported breaches disclosed by public companies has increased
over the last decade, from 28 in 2011 to 144 in 2019 and 117 in
2020.\95\ Although estimating the total cost of cybersecurity incidents
is difficult, as many events may be unreported, some estimates put the
total costs in the trillions of dollars per year in the U.S. alone.\96\
The Council of Economic Advisers estimated that in 2016 the total cost
of cybersecurity incidents was between $57 billion and $109 billion, or
between 0.31 and 0.58 percent of U.S. GDP in that year.\97\
---------------------------------------------------------------------------
\94\ Unless otherwise noted, when we discuss the economic
effects of the proposed amendments on ``other market participants,''
we mean those market participants that typically provide services
for investors and who rely on the information in registrant's
filings (such as financial analysts, investment advisers, and
portfolio managers).
\95\ Audit Analytics, Trends in Cybersecurity Breaches (Mar.
2021) (stating that: ``[c]ybersecurity breaches can result in a
litany of costs, such as investigations, legal fees, and
remediation. There is also the risk of economic costs that directly
impact financial performance, such as a reduction in revenue due to
lost sales.'').
\96\ See Cybersecurity and Infrastructure Security Agency, Cost
of a Cyber Incident: Systemic Review and Cross-Validation (Oct. 26,
2020), available at <a href="https://www.cisa.gov/sites/default/files/publications/CISA-OCE_Cost_of_Cyber_Incidents_Study-FINAL_508.pdf">https://www.cisa.gov/sites/default/files/publications/CISA-OCE_Cost_of_Cyber_Incidents_Study-FINAL_508.pdf</a>.
\97\ See supra note 12, The Council of Economic Advisers, The
Cost of Malicious Cyber Activity to the U.S. Economy (Feb. 2018).
---------------------------------------------------------------------------
As described earlier, while cybersecurity incident disclosure has
become more frequent since the issuance of the 2011 Staff Guidance and
2018 Interpretive Release, there is concern that material cybersecurity
incidents are underreported.\98\ For instance, the staff has observed
that certain cybersecurity incidents were reported in the media but not
disclosed in a registrant's filings.\99\ Even when
[[Page 16604]]
disclosures about cybersecurity breaches are made, they may not be
timely. According to Audit Analytics data, in 2020, it took on average
44 days for companies to discover breaches, and then in addition, it
took an average of 53 days and a median of 37 days for companies to
disclose a breach after its discovery.\100\ Additionally, incident
disclosure practices currently vary widely across registrants--some
registrants disclose incidents through Form 8-K and some may disclose
on a company website or in a press release. Because cybersecurity
incidents can significantly impact companies' stock prices, delayed
reporting results in mispricing of registrants' securities, harming
investors.\101\ Therefore, more timely and informative disclosure of a
cybersecurity incident is needed for investors to assess an incident's
impact and a registrant's ability to respond to the incident and to
make more informed decisions.
---------------------------------------------------------------------------
\98\ See supra section II.B and note 46. See also infra note
146, Amir et al. (2018) (providing evidence that companies
underreport cyber-attacks).
\99\ See supra section I.B.
\100\ See supra note 95 (``Audit Analytics'').
\101\ See infra note 133.
---------------------------------------------------------------------------
Investors also need to better understand the growing cybersecurity
risks registrants are facing and their ability to manage such risks in
order to better value their securities. Executives, boards of
directors, and investors are focused on this emerging risk. A 2019
survey of CEOs, boards of directors, and institutional investors found
that they identified cybersecurity as the top global challenge for
CEOs.\102\ In 2021, a survey of audit committee members identified
cybersecurity as the second highest risk that their audit committee
would focus on in 2022, second only to financial reporting and internal
controls.\103\
---------------------------------------------------------------------------
\102\ See supra note 15, EY CEO Imperative Study (2019). The
Ernst & Young survey consisted of interviewing 200 global CEOs
amongst the Forbes Global 2000 and Forbes largest private companies
as well as interviewing 100 senior investors from global firms that
had managed at least $100 billion in assets.
\103\ See Center for Audit Quality, Audit Committee Practices
Report: Common Threads Across Audit Committees (Jan. 2022),
available at <a href="https://www.thecaq.org/2022-ac-practices-report/">https://www.thecaq.org/2022-ac-practices-report/</a>.
---------------------------------------------------------------------------
Disclosures about cybersecurity risk management, strategy, and
governance are increasing, although they are not currently provided by
all registrants. An analysis of disclosures by Fortune 100 companies
found that disclosures of cybersecurity risk in proxy statements were
found in 89 percent of filings in 2020, up from 79 percent in 2018, and
disclosures of efforts to mitigate cybersecurity risk were found in 92
percent of proxy statements or 10-K Forms, up from 83 percent in
2018.\104\
---------------------------------------------------------------------------
\104\ See Jamie Smith, How Cybersecurity Risk Disclosures and
Oversight are Evolving in 2021, EY Center for Board Matters (Oct. 5,
2021), available at <a href="https://www.ey.com/en_us/board-matters/cybersecurity-risk-disclosures-and-oversight">https://www.ey.com/en_us/board-matters/cybersecurity-risk-disclosures-and-oversight</a>.
---------------------------------------------------------------------------
As with incident reporting, there is a lack of uniformity in
current reporting practice for cybersecurity risk management, strategy,
and governance disclosure.\105\ The relevant disclosures currently are
made in varying sections of a registrant's periodic and current
reports, such as in risk factors, in management's discussion and
analysis, in a description of business and legal proceedings, or in
financial statement disclosures, and are sometimes blended with other
unrelated disclosures. The varied disclosure about both cybersecurity
incidents and cybersecurity risk management, strategy, and governance
makes it difficult for investors and other market participants to
understand the cybersecurity risks that companies face and their
preparedness for an attack, and to make comparisons across registrants.
---------------------------------------------------------------------------
\105\ See supra section I.
---------------------------------------------------------------------------
To provide investors and other market participants with more
timely, informative, and consistent disclosure about cybersecurity
incidents, and cybersecurity risk management, strategy, and governance,
we are proposing the following amendments.\106\ Regarding incident
reporting, we propose to: (1) Amend Form 8-K to add Item 1.05 to
require registrants to disclose information about a cybersecurity
incident within four business days following the registrant's
determination that such an incident is material to the registrant;
(2) add new Item 106(d) of Regulation S-K to require registrants to
provide updated disclosure in their periodic reports relating to
previously disclosed incidents; and (3) amend Form 20-F and Form 6-K to
require FPIs to provide cybersecurity disclosures consistent with the
disclosure that we propose to require in the domestic forms.
---------------------------------------------------------------------------
\106\ See supra section II.
---------------------------------------------------------------------------
For disclosures regarding cybersecurity risk management, strategy,
and governance, we are proposing the following. First, we propose to
amend Regulation S-K to require disclosure specified in proposed new
Item 106(b) and (c) regarding: (1) A registrant's policies and
procedures, if any, for identifying and managing cybersecurity risks,
(2) a registrant's cybersecurity governance, including the board of
directors' oversight role regarding cybersecurity-related issues, and
(3) management's role and expertise in assessing and managing
cybersecurity risks and implementing related policies, procedures and
strategies. Second, we propose to amend Item 407 of Regulation S-K to
require disclosure about cybersecurity expertise of any member of the
board.
The discussion below addresses the potential economic effects of
the proposed amendments, including the likely benefits and costs, as
well as the likely effects on efficiency, competition, and capital
formation.\107\ At the outset, we note that, where possible, we have
attempted to quantify the benefits, costs, and effects on efficiency,
competition, and capital formation expected to result from the proposed
amendments. In many cases, however, we are unable to quantify the
potential economic effects because we lack information necessary to
provide a reasonable estimate. Where we are unable to quantify the
economic effects of the proposed amendments, we provide a qualitative
assessment of the potential effects and encourage commenters to provide
data and information that would help quantify the benefits, costs, and
the potential impacts of the proposed amendments on efficiency,
competition, and capital formation.
---------------------------------------------------------------------------
\107\ Section 2(b) of the Securities Act [15 U.S.C. 77b(b)] and
Section 3(f) of the Exchange Act [15 U.S.C. 78c(f)] direct the
Commission, when engaging in rulemaking where it is required to
consider or determine whether an action is necessary or appropriate
in the public interest, to consider, in addition to the protection
of investors, whether the action will promote efficiency,
competition, and capital formation. Further, Section 23(a)(2) of the
Exchange Act (15 U.S.C. 78w(a)(2)) requires the Commission, when
making rules under the Exchange Act, to consider the impact that the
rules would have on competition, and prohibits the Commission from
adopting any rule that would impose a burden on competition not
necessary or appropriate in furtherance of the Exchange Act.
---------------------------------------------------------------------------
B. Economic Baseline
1. Current Regulatory Framework
To assess the economic impact of the proposed rules, the Commission
is using as its baseline the existing regulatory framework for
cybersecurity disclosure. As discussed in Section I, although a number
of rules and regulations impose an obligation on companies to disclose
cybersecurity risks and incidents in certain circumstances, the
Commission's regulations currently do not explicitly address
cybersecurity.
In 2011, the Division of Corporation Finance issued interpretive
guidance providing the Division's views concerning operating companies'
disclosure obligations relating to cybersecurity risks and
incidents.\108\ The 2011 Staff Guidance provided an overview of
existing specific disclosure obligations that may require a discussion
of cybersecurity risks and
[[Page 16605]]
cybersecurity incidents, along with examples of potential
disclosures.\109\ Building on the 2011 Staff Guidance, the Commission
issued the 2018 Interpretive Release to assist operating companies in
preparing disclosure about cybersecurity risks and incidents under
existing disclosure rules.\110\ In the 2018 Interpretive Release, the
Commission instructed companies to provide timely and ongoing
information in periodic reports (Form 10-Q, Form 10-K, and Form 20-F)
about material cybersecurity risks and incidents that trigger
disclosure obligations. Additionally, the 2018 Interpretive Release
encouraged companies to continue to use current reports (Form 8-K or
Form 6-K) to disclose material information promptly, including
disclosure pertaining to cybersecurity matters. Further, the 2018
Interpretive Release noted that to the extent cybersecurity risks are
material to a company's business, the Commission believes that the
required disclosure of the company's risk oversight should include the
nature of the board's role in overseeing the management of that
cybersecurity risk. The 2018 Interpretive Release also stated that a
company's controls and procedures should enable the company to, among other
things, identify cybersecurity risks and incidents and make timely
disclosures regarding such risks and incidents. Finally, the 2018
Interpretive Release highlighted the importance of insider trading
prohibitions and the need to refrain from making selective disclosures
of cybersecurity risks or incidents.
---------------------------------------------------------------------------
\108\ See supra section I.A and note 26.
\109\ Id.
\110\ See supra section I.A and note 27.
---------------------------------------------------------------------------
Companies currently may also be subject to other cybersecurity
incident disclosure requirements adopted by various industry regulators
and contractual counterparties. For example, federal contractors may be
required to monitor and report cybersecurity incidents and breaches or
face liability under the False Claims Act.\111\ The Health Insurance
Portability and Accountability Act (HIPAA) requires covered entities
and their business associates to provide notification following a
breach of unsecured protected health information.\112\ Similar rules
require vendors of personal health records and related entities to
report data breaches to affected individuals and the Federal Trade
Commission.\113\ All 50 states have data breach laws that require
businesses to notify individuals of security breaches involving their
personally identifiable information.\114\ There are other rules that
companies must follow in international jurisdictions that are similar
in scope to the proposed rules. For example, in the European Union, the
General Data Protection Regulation mandates disclosure of cybersecurity
breaches.\115\ All of the aforementioned data breach disclosure
requirements may cover some of the material incidents that companies
would need to report under the proposed amendments, but not all
incidents. Additionally, the timing and public-reporting provisions
of these requirements vary, making it difficult for investors and
other market participants to be alerted to breaches and to gain an
adequate understanding of the impact of such incidents on
registrants.
---------------------------------------------------------------------------
\111\ See Department of Justice, Office of Public Affairs,
Justice News: Deputy Attorney General Lisa O. Monaco Announces New
Civil Cyber-Fraud Initiative, (Oct. 6, 2021), available at <a href="https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative">https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative</a>; see, e.g., FAR 52.239-1
(requiring contractors to ``immediately'' notify the federal
government if they become aware of ``new or unanticipated threats or
hazards . . . or if existing safeguards have ceased to function'').
\112\ See 45 CFR 164.400-164.414 (Notification in the Case of
Breach of Unsecured Protected Health Information).
\113\ See 16 CFR 318 (Health Breach Notification Rule).
\114\ Note that there are carve outs to these rules, and not
every company may fall under any particular rule. See Security
Breach Notification Laws, National Conference of State Legislatures
(Jan. 17, 2022), available at <a href="https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx">https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx</a>.
\115\ See Regulation (EU) 2016/679, of the European Parliament
and the Council of 27 April 2016 on the protection of natural
persons with regard to the processing of personal data and on the
free movement of such data, and repealing Directive 95/46/EC
(General Data Protection Regulation), arts. 33 (Notification of a
personal data breach to the supervisory authority), 34
(Communication of a personal data breach to the data subject), 2016
O.J. (L 119) 1 (``GDPR'').
---------------------------------------------------------------------------
Some companies are also subject to other mandates to fulfill a
basic level of cybersecurity risk management, strategy, and governance.
For instance, government contractors may be subject to the Federal
Information Security Modernization Act, and use the National Institute
of Standards and Technology framework to manage information and privacy
risks.\116\ Financial institutions may be subject to the Federal Trade
Commission's Standards for Safeguarding Customer Information Rule,
requiring an information security program and a qualified individual to
oversee the security program and to provide periodic reports to a
company's board of directors or equivalent governing body.\117\ Under
HIPAA regulations, covered entities are also subject to rules that
require protection against reasonably anticipated threats to electronic
protected health information.\118\ International jurisdictions also
have cybersecurity risk mitigation measures, for example, the GDPR
requires basic cybersecurity risk mitigation measures and has
governance requirements.\119\ These various requirements have varying
standards and requirements for reporting cybersecurity risk management,
strategy, and governance, and may not provide investors with clear and
comparable disclosure regarding how a particular registrant manages its
cybersecurity risk profile.
---------------------------------------------------------------------------
\116\ See NIST Risk Management Framework, NIST (updated Jan. 31,
2022), available at <a href="https://csrc.nist.gov/projects/risk-management/fisma-background">https://csrc.nist.gov/projects/risk-management/fisma-background</a>.
\117\ See 16 CFR 314.
\118\ See 45 CFR 164 (Security and Privacy).
\119\ See supra note 115, GDPR, Sec. 32, Sec. 37.
---------------------------------------------------------------------------
2. Affected Parties
The proposed new disclosure requirements would apply to various
filings, including current reports, periodic reports, and certain proxy
statements filed with the Commission. Thus, the parties that are likely
to be affected by the proposed rules include investors, registrants,
other market participants that use the information in these filings
(such as financial analysts, investment advisers, and portfolio
managers) and external stakeholders such as consumers and other
companies in the same industry as affected firms.
We expect the proposed rules to affect all companies with relevant
disclosure obligations on Forms 10-K, 10-Q, 20-F, 8-K, or 6-K, and
proxy statements. This includes approximately 7,848 companies filing on
domestic forms and 973 FPIs filing on foreign forms based on all
companies that filed such forms or an amendment thereto during calendar
year 2020.\120\
---------------------------------------------------------------------------
\120\ Estimates of affected registrants here are based on the
number of unique CIKs with at least one periodic report, current
report, proxy filing, or an amendment to one of the three filed in
calendar year 2020.
---------------------------------------------------------------------------
Our textual analysis \121\ of all calendar year 2020 Form 10-K
filings and amendments (7,683) reveals that out of 6,634 domestic
filers approximately 64% (4,272) of them made any cybersecurity-related
disclosures. The filers' average size in terms of total assets and
market capitalization was
[[Page 16606]]
approximately $14.1 billion and $7.5 billion, respectively.\122\ By
comparison, the average size of domestic annual report filers that did
not make any cyber disclosures was $892.6 million and $2.2 billion in
terms of total assets and market capitalization, respectively. However,
the average size of all baseline affected filers was approximately
$14.1 billion and $5.6 billion in total assets and market
capitalization respectively. The nature of these disclosures is
summarized in the table below, which reports the relative frequency of
cyber-related disclosures by location within the annual report
conditional on a report having at least one discussion of
cybersecurity. We note that the average number of reporting locations
for registrants making cybersecurity-related disclosures on the annual
report is 1.5, and registrants making cybersecurity-related disclosures
often only did so in one section of the annual report (64%). However,
many annual reports featured cybersecurity discussions in more than one
section: 25% had disclosures in 2 sections, 7% in 3 sections, and 1% in
5 or more sections. Because of this, the percentages in Table 1 sum to
greater than 100%.
---------------------------------------------------------------------------
\121\ In performing this analysis, staff executed a combination
of computer program-based keyword (and combination of key words)
searches followed by manual review to classify disclosures by
location within the document. This analysis covered 7,683 Forms 10-K
and 10-K/A filed in calendar year 2020 by 6,634 registrants as
identified by unique CIK.
\122\ Market capitalization averages are estimated as of end of
calendar year 2020. Total Asset averages are estimated from the
value for the most recently completed fiscal year reported by a
registrant by year end 2020.
Table 1--Incidence of Cybersecurity-Related Disclosures by 10-K Location \a\
-----------------------------------------------------------------------------------------------------------------------------------------
Disclosure location   Item description                                                                                              Percentage
-----------------------------------------------------------------------------------------------------------------------------------------
Item 1A.............  Risk Factors................................................................................................   94.3
Item 1..............  Description of Business *...................................................................................   20.5
PSLRA...............  Cautionary Language regarding Forward Looking Statements....................................................   16.3
Item 7..............  Management's Discussion and Analysis *......................................................................   10.0
Item 10.............  Directors, Executive Officers and Corporate Governance......................................................    3.4
Item 8..............  Financial Statements and Supplementary Data.................................................................    2.8
                      Exhibits (attached).........................................................................................    0.9
Item 11.............  Executive Compensation......................................................................................    0.4
Item 15.............  Exhibits, Financial Statement Schedules.....................................................................    0.4
Item 2..............  Properties..................................................................................................    0.3
Item 3..............  Legal Proceedings...........................................................................................    0.3
Item 9..............  Changes in and Disagreements with Accountants on Accounting and Financial Disclosure *......................    0.2
Item 13.............  Certain Relationships and Related Transactions, and Director Independence...................................    0.2
Item 6..............  Selected Financial Data.....................................................................................    0.2
Item 5..............  Market for Registrant's Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities    0.1
Item 4..............  Mine Safety Disclosures.....................................................................................    0.1
Item 14.............  Principal Accountant Fees and Services......................................................................    0.1
Item 12.............  Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters..............    0.0
-----------------------------------------------------------------------------------------------------------------------------------------
\a\ Because of heterogeneity in registrants' labeling of sections, Items
other than 1A are grouped only at the numeric level. An asterisk in
the table denotes that the identified Item may contain disclosures
located in a more specific subsection. Item 1, for instance, includes
Item 1B disclosures; Item 7 includes 7A; and Item 9 includes 9A, 9B,
and 9C.
As presented in Table 1, approximately 94% (4,029) of Form 10-K or
amendment filers that provided any cyber-related disclosures included
discussion of cybersecurity as a material risk factor in Item 1A.
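The following Python is an added illustration of the baseline methodology described above and in note 121 (keyword search over 10-K text, then classification by Item location grouped as in Table 1); it is not the Commission staff's code. The keyword list, the heading pattern, and the three sample filings are constructed assumptions, since the release does not publish the staff's actual search terms.

```python
"""Keyword-and-location classifier for cybersecurity disclosures in Form 10-K text.

Assumptions (not from the proposing release): the keyword list, the heading
pattern, and the sample filings below are all constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from typing import Optional

# Constructed keyword set; the release does not publish the staff's actual terms.
CYBER_TERMS = re.compile(
    r"cyber[\s-]?security|cyber[\s-]?attack|data breach|information security|ransomware",
    re.IGNORECASE,
)

# Matches lines such as "ITEM 1A. RISK FACTORS" or "Item 7A - ..." at line start.
ITEM_HEADING = re.compile(
    r"^[ \t]*ITEM[ \t]+(\d{1,2})([A-C])?[ \t]*[.:\-]", re.IGNORECASE | re.MULTILINE
)

# Constructed sample filings (not real 10-K text), keyed by a placeholder filer id.
SAMPLE_FILINGS = {
    "CIK-0000001": """
ITEM 1. BUSINESS
We sell widgets. Our information systems are central to operations.
ITEM 1A. RISK FACTORS
A cybersecurity incident or data breach could disrupt our operations.
ITEM 7. MANAGEMENT'S DISCUSSION AND ANALYSIS OF FINANCIAL CONDITION
We invested in information security during the year.
ITEM 8. FINANCIAL STATEMENTS AND SUPPLEMENTARY DATA
Revenue increased 4%.
""",
    "CIK-0000002": """
ITEM 1. BUSINESS
We operate retail stores.
ITEM 1A. RISK FACTORS
Competition may reduce margins.
ITEM 7. MANAGEMENT'S DISCUSSION AND ANALYSIS
Same store sales grew.
""",
    "CIK-0000003": """
ITEM 1A. RISK FACTORS
Cyber-attacks on our network could expose customer data.
ITEM 7A. QUANTITATIVE AND QUALITATIVE DISCLOSURES ABOUT MARKET RISK
Interest rate exposure is limited.
""",
}


def normalize_location(number: str, letter: Optional[str]) -> str:
    """Group locations the way Table 1 does: only Item 1A is kept apart;
    1B folds into Item 1, 7A into Item 7, and 9A/9B/9C into Item 9."""
    if number == "1" and (letter or "").upper() == "A":
        return "Item 1A"
    return f"Item {number}"


def split_items(filing_text: str) -> dict:
    """Split a 10-K body into {location: text}. Text before the first heading
    is dropped; sub-items that fold into one location are concatenated."""
    sections = defaultdict(str)
    matches = list(ITEM_HEADING.finditer(filing_text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(filing_text)
        sections[normalize_location(m.group(1), m.group(2))] += filing_text[m.end():end]
    return dict(sections)


def cyber_locations(filing_text: str) -> set:
    """Locations within one filing whose text contains at least one cyber term."""
    return {loc for loc, body in split_items(filing_text).items() if CYBER_TERMS.search(body)}


def summarize(filings: dict) -> dict:
    """Baseline statistics in the release's form: share of filers with any cyber
    disclosure; Table 1-style incidence by location, conditional on at least one
    disclosure (so the shares can sum to more than 100%); and how many locations
    each disclosing filer used."""
    per_filer = {cik: cyber_locations(text) for cik, text in filings.items()}
    disclosing = {cik: locs for cik, locs in per_filer.items() if locs}
    n_all, n_disc = len(per_filer), len(disclosing)
    location_hits = Counter(loc for locs in disclosing.values() for loc in locs)
    section_counts = Counter(len(locs) for locs in disclosing.values())
    return {
        "filers": n_all,
        "filers_with_cyber_disclosure": n_disc,
        "pct_with_cyber_disclosure": round(100.0 * n_disc / n_all, 1) if n_all else 0.0,
        "location_pct": {loc: round(100.0 * c / n_disc, 1) for loc, c in sorted(location_hits.items())},
        "avg_locations": round(sum(len(l) for l in disclosing.values()) / n_disc, 2) if n_disc else 0.0,
        "sections_distribution": dict(sorted(section_counts.items())),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_FILINGS).items():
        print(f"{key}: {value}")
```

On the constructed sample, two of three filers disclose, Item 1A appears in 100% and Item 7 in 50% of disclosing filings, and the mean number of locations is 1.5, mirroring how Table 1's percentages are conditional on at least one disclosure.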
We further estimate that, in 2020, approximately 603 domestic
companies reported having a director on their board with cybersecurity
experience or expertise. This estimate is based on a review of
cybersecurity disclosures by registrants that filed either a Form 10-K
or an amended Form 10-K in 2020 that included cybersecurity-related
language in their Item 10 (Directors and Executive Officers of the
Registrant) discussion or provided similar disclosures in a proxy
filing instead.\123\
---------------------------------------------------------------------------
\123\ Based on manual review of the total of 15,565 proxy
filings filed in 2020 and the 1,600 of them that mentioned
cybersecurity.
---------------------------------------------------------------------------
Finally, there were a total of 74,098 Form 8-K filings in 2020,
involving 7,021 filers, out of which 40 filings reported material
cybersecurity incidents. Similarly, there were a total of 23,373 Form
6-K filings in 2020, involving 979 filers, out of which 27 filings
reported material cybersecurity incidents. Filers of annual, quarterly,
or current reports (Forms 10-K, 10-Q, 20-F, 8-K, or 6-K) including a
cybersecurity discussion in any form included 104 business development
companies.
C. Potential Benefits and Costs of the Proposed Amendments
We have considered the potential benefits and costs associated with
the proposed amendments. The proposed rules would benefit investors and
other market participants by providing more timely and informative
disclosures relating to cybersecurity incidents and cybersecurity risk
management, strategy, and governance, facilitating investor decision-
making and reducing information asymmetry in the market. The proposed
amendments also would entail costs. For instance, in addition to the
costs of providing the disclosure itself, more detailed disclosure
could potentially increase the vulnerability of registrants and the
risk of future attacks. A discussion of the anticipated economic costs
and benefits of the proposed amendments is set forth in more detail
below. We first discuss benefits to investors (and other market
participants, such as financial analysts, investment advisers, and
portfolio managers) and registrants. We subsequently discuss costs to
investors and registrants. We conclude with a discussion of indirect
economic effects on registrants and external stakeholders, such as
consumers, and companies in the same industry with registrants or those
facing similar cybersecurity threats.
We also expect the proposed amendments to affect compliance
burdens. The quantitative estimates of changes in those burdens for
purposes of the Paperwork Reduction Act of 1995 (``PRA'') are further
discussed in Section [IV] below. For purposes of the PRA, we estimate
that the proposed amendments would result in an increase of 2,000 and
[[Page 16607]]
180 burden hours from the increase in the number of Form 8-K and Form 6-K
filings, respectively.\124\ In addition, the estimated increase in the
paperwork burden as a result of the proposed amendments for Form 10-Q,
Form 10-K, Form 20-F, Schedule 14A, and Schedule 14C would be 3,000
hours, 132,576 hours, 12,028.50 hours, 3,900 hours, and 342 hours
respectively.\125\
---------------------------------------------------------------------------
\124\ See infra section IV.
\125\ Id.
---------------------------------------------------------------------------
1. Benefits
Investors would be the main beneficiaries from the enhanced
disclosure of both cybersecurity incidents and cybersecurity risk
management, strategy, and governance as a result of the proposed
amendments. Specifically, investors would benefit because: (1) More
informative and timely disclosure would reduce mispricing of securities
in the market and facilitate their decision making; and (2) more
uniform and comparable disclosures would lower search costs and
information processing costs. Other market participants that rely on
financial statement information to provide services to investors, such
as financial analysts, investment advisers, and portfolio managers,
could also benefit. Registrants could benefit, because the enhanced
disclosure as a result of the proposed amendments could reduce
information asymmetry and potentially lower registrants' cost of
capital.
a. Benefits to Investors
(i) More Informative and More Timely Disclosure
More informative and timely disclosures would reduce mispricing of
securities in the market and facilitate investor decision making.
Information benefits would result from both types of disclosure,\126\
and timeliness benefits would result from the proposed cybersecurity
incident disclosure.
---------------------------------------------------------------------------
\126\ Throughout this section, we use the term ``both types of
disclosure'' to refer to the disclosure of (1) cybersecurity
incidents and (2) cybersecurity risk management, strategy, and
governance.
---------------------------------------------------------------------------
The proposed amendments would provide more informative disclosures
related to cybersecurity incidents and cybersecurity risk management,
strategy, and governance compared to the current disclosure framework,
benefiting investors. The increase in disclosure would allow investors
to better understand a registrant's cybersecurity risks and ability to
manage such risks, and thereby make more informed investment decisions.
As discussed in Section I, currently, there are no disclosure
requirements that explicitly refer to cybersecurity risks or incidents.
While existing disclosure requirements may apply to material
cybersecurity incidents and various cybersecurity risks and mitigation
efforts, as highlighted in the 2011 Staff Guidance and the 2018
Interpretive Release, the existing disclosure requirements are more
general in nature, and the resulting disclosures have not been
consistently sufficient or necessarily informative.
Specifically, regarding incident reporting, there is concern that
material cybersecurity incidents are underreported,\127\ and staff has
observed that certain cybersecurity incidents were reported in the
media but not disclosed in a registrant's filings.\128\ Even when
registrants have filed Form 8-K to report an incident, the Form 8-K did
not necessarily state whether or not the incident was material, and in
some cases, the Form 8-K stated that the incident was immaterial.\129\
By requiring registrants to disclose material cybersecurity incidents
in a current report and disclose any material changes, additions, or
updates in a periodic report, the proposed amendments could elicit more
incident reporting. Because the proposed incident disclosure
requirements also specify that registrants would disclose information
such as when the incident was discovered, and the nature and scope of
the incident, they could also result in more informative incident
reporting.
---------------------------------------------------------------------------
\127\ See supra section II.B and note 46.
\128\ See supra section I.B.
\129\ Based on staff analysis of the current and periodic
reports in 2021 for companies identified by as having been affected
by a cybersecurity incident.
---------------------------------------------------------------------------
Similarly, the proposed disclosure about cybersecurity risk
management, strategy, and governance would include a number of specific
items that registrants must disclose. For instance, the proposed rules
would require disclosure regarding a registrant's policies and
procedures for identifying and managing cybersecurity risks.\130\ The
proposed rules would also require disclosure concerning whether and how
cybersecurity considerations affect a registrant's selection and
oversight of third-party service providers because a significant number
of cybersecurity incidents pertain to third party service
providers.\131\ As a result, the proposed rules related to risk
management, strategy, and governance could also lead to more
informative disclosure to investors.
---------------------------------------------------------------------------
\130\ See supra section II.D.
\131\ See supra section II.D.
---------------------------------------------------------------------------
We anticipate the proposed cybersecurity incident reporting would
also lead to more timely disclosure to investors. As discussed above,
currently, it could take months for registrants to disclose a material
cybersecurity incident after its discovery.\132\ The proposed
amendments would require these incidents to be disclosed in a current
report on Form 8-K within four business days after the registrant
determines that it has experienced a material cybersecurity incident.
---------------------------------------------------------------------------
\132\ See supra note 95, section III.A.
---------------------------------------------------------------------------
More informative and timely disclosure as a result of the proposed
amendments would benefit investors because the enhanced disclosure
could allow them to better understand the impact of a cybersecurity
incident on the registrant, the risk a registrant is facing and its
ability to manage the risk. Such information is relevant to the
valuation of registrants' securities and thereby investors' decision
making. It is well documented in the academic literature that the
market reacts negatively to announcements of cybersecurity incidents.
For example, one study finds a significant mean cumulative abnormal
return of -0.84% in the three days following cyberattack announcements,
which, according to the study, translates into an average value loss of
$495 million per attack.\133\ Another study finds that firms with
higher exposure to cybersecurity risk have a higher cost of capital,
suggesting
[[Page 16608]]
that this risk is important to investors.\134\ Therefore, whether a
registrant is prepared for cybersecurity risks and has adequate
cybersecurity risk management, strategy, and governance measures in
place to reduce the likelihood of future incidents is important
information for investors and the market. Delayed or incomplete
reporting of cybersecurity incidents and risks could lead to mispricing
of the securities and information asymmetry in the market, harming
investors.
---------------------------------------------------------------------------
\133\ See Shinichi Kamiya, Jun-Koo Kang, Jungmin Kim, Andreas
Milidonis, and René M. Stulz, Risk Management, Firm
Reputation, and the Impact of Successful Cyberattacks on Target
Firms, 139 (3) J. of Fin. Econ. 721, 719-749 (2021). See also
Lawrence A. Gordon, Martin P. Loeb, and Lei Zhou, The Impact of
Information Security Breaches: Has There Been a Downward Shift in
Costs?, 19 (1) J. of Comput. Sec. 33, 33-56 (2011) (finding ``the
impact of the broad class of information security breaches on stock
market returns of firms is significant''); see also Georgios Spanos
and Lefteris Angelis, The Impact of Information Security Events to
the Stock Market: A Systematic Literature Review, 58 Comput. & Sec.
216-229 (2016) (documenting that the majority (75.6%) of the studies
the paper reviewed report statistical significance of the impact of
security events to the stock prices of firms). But see Katherine
Campbell, Lawrence A. Gordon, Martin P. Loeb, and Lei Zhou, The
Economic Cost of Publicly Announced Information Security Breaches:
Empirical Evidence From the Stock Market, 11 (3) J. of Comput. Sec.
432, 431-448 (2003) (while finding limited evidence of an overall
negative stock market reaction to public announcements of
information security breaches, they also find ``the nature of the
breach affects this result'', and ``a highly significant negative
market reaction for information security breaches involving
unauthorized access to confidential data, but no significant
reaction when the breach does not involve confidential
information''; they thus conclude that ``stock market participants
appear to discriminate across types of breaches when assessing their
economic impact on affected firms'').
\134\ See Chris Florakis, Christodoulos Louca, Roni Michaely,
and Michael Weber, Cybersecurity Risk. (No. w28196), Nat'l Bureau of
Econ. Rsch, (2020).
---------------------------------------------------------------------------
In addition, the mispricing resulting from delayed or limited
disclosure could be exploited by the malicious actors who caused a
cybersecurity incident, or those who could access and trade on material
information stolen during a cybersecurity incident, causing further
harm to investors.\135\ Malicious actors may trade ahead of an
announcement of a data breach that they caused or pilfer material
information to trade on ahead of company announcements. Trading on
undisclosed cybersecurity information is particularly pernicious,
because profits generated from this type of trading would provide
incentives for malicious actors to ``create'' more incidents and
proprietary information to trade on.\136\ More informative and timely
disclosure as a result of the proposed amendments would reduce
mispricing and information asymmetry, and thereby reduce opportunities
for malicious actors to exploit the mispricing, all of which would
enhance investor protection.
---------------------------------------------------------------------------
\135\ See Joshua Mitts and Eric Talley, Informed Trading and
Cybersecurity Breaches, 9 Harv. Bus. L. Rev. 1 (2019) (``In many
respects, then, the cyberhacker plays a role in creating and
imposing a unique harm on the targeted company--one that (in our
view) is qualitatively different from ``exogenous'' information
shocks serendipitously observed by an information trader. Allowing a
coordinated hacker-trader team to capture these arbitrage gains
would implicitly subsidize the very harm-creating activity that is
being ``discovered'' in the first instance.'').
\136\ Id.
---------------------------------------------------------------------------
Overall, we believe enhanced disclosure as a result of the proposed
amendments could benefit investors by allowing them to make more
informed decisions. Similarly, other market participants that rely on
financial statement information to provide services to investors would
also benefit, because more informative and timely disclosure would
allow them to better understand a registrant's cybersecurity risks and
ability to manage such risks. As a result, they would be able to better
evaluate registrants' securities and provide better recommendations.
However, we note that the potential benefit could be reduced to the
extent that registrants have already been providing the relevant
disclosures.
We are unable to quantify the potential benefit to investors and
other market participants as a result of the increase in disclosure and
improvement in pricing under the proposed amendments. The estimation
requires information about the fundamental value of securities and the
extent of the mispricing. We do not have access to such information,
and therefore cannot provide a reasonable estimate.
(ii) Greater Uniformity and Comparability
The proposed disclosure about cybersecurity incidents and
cybersecurity risk management, strategy, and governance could also lead
to more uniform and comparable disclosures, benefiting investors by
lowering their search costs and information processing costs. As
discussed in Section I, while some registrants currently file Form 8-K
to report an incident, their reporting practices vary widely.\137\ Some
provide a discussion of materiality, the estimated costs of an
incident, or the remedial steps taken as a result of an incident, while
others do not provide such disclosure or provide much less detail in
their disclosure. Disclosures related to risk management, strategy, and
governance also vary significantly across registrants--such information
could be disclosed in places such as the risk factors section, or in
the management's discussion and analysis section of Form 10-K, or not
at all. Investors currently may find it costly to compare the
disclosures of different companies because they would have to spend
time to search and retrieve information from different locations. For
both types of disclosures, the proposed amendments would specify the
topics to be disclosed and the reporting sections to include such
disclosures, and as a result, both the incident disclosure and risk
management, strategy, and governance disclosure should be more uniform
across registrants, making it easier to compare. By specifying a set of
topics that registrants should disclose, the proposed disclosure
requirement should provide investors and other market participants with
a benchmark of a minimum set of information for registrants to
disclose, allowing them to better evaluate and compare registrants'
cybersecurity risk and disclosure.
---------------------------------------------------------------------------
\137\ See supra section I.B.
---------------------------------------------------------------------------
We note that to the extent that the disclosures related to
cybersecurity risk management, strategy, and governance become too
uniform or ``boilerplate,'' the benefit of comparability may be
diminished. However, we also note that given the level of the
specificity that would be required, the resulting disclosures are
unlikely to become boilerplate.
The proposed requirement to tag the cybersecurity disclosure in
Inline XBRL would likely augment the aforementioned informational and
comparability benefits by making the proposed disclosures more easily
retrievable and usable for aggregation, comparison, filtering, and
other analysis. XBRL requirements for public operating company
financial statement disclosures have been observed to mitigate
information asymmetry by reducing information processing costs, thereby
making the disclosures easier to access and analyze.\138\
---------------------------------------------------------------------------
\138\ See, e.g., J.Z. Chen, H.A. Hong, J.B. Kim, and J.W. Ryou,
Information processing costs and corporate tax avoidance: Evidence
from the SEC's XBRL mandate, 40 J. of Acct. and Pub. Pol'y. 2
(finding XBRL reporting decreases likelihood of firm tax avoidance
because ``XBRL reporting reduces the cost of IRS monitoring in terms
of information processing, which dampens managerial incentives to
engage in tax avoidance behavior''); see also P.A. Griffin, H.A.
Hong, J.-B. Kim, and Jee-Hae Lim, The SEC's XBRL Mandate and Credit
Risk: Evidence on a Link between Credit Default Swap Pricing and
XBRL Disclosure, 2014 American Accounting Association Annual Meeting
(2014) (finding XBRL reporting enables better outside monitoring of
firms by creditors, leading to a reduction in firm default risk);
see also E. Blankespoor, The Impact of Information Processing Costs
on Firm Disclosure Choice: Evidence from the XBRL Mandate, 57 J. of
Acc. Res. 919, 919-967 (2019) (finding ``firms increase their
quantitative footnote disclosures upon implementation of XBRL
detailed tagging requirements designed to reduce information users'
processing costs,'' and ``both regulatory and non-regulatory market
participants play a role in monitoring firm disclosures,''
suggesting ``that the processing costs of market participants can be
significant enough to impact firms' disclosure decisions'').
---------------------------------------------------------------------------
While these observations are specific to operating company
financial statement disclosures and not to disclosures outside the
financial statements, such as the proposed cybersecurity disclosures,
they suggest that the proposed Inline XBRL requirements could directly
or indirectly (i.e., through information intermediaries such as
financial media, data aggregators, and academic researchers) provide
investors with increased insight into cybersecurity-related information
at specific companies and across companies, industries, and time
periods.\139\ Also,
[[Page 16609]]
unlike XBRL financial statements (including footnotes), which consist
of tagged quantitative and narrative disclosures, the proposed
cybersecurity disclosures would consist largely of tagged narrative
disclosures.\140\ Tagging narrative disclosures can facilitate
analytical benefits such as automatic comparison or redlining of these
disclosures against prior periods and the performance of targeted
artificial intelligence or machine learning assessments (tonality,
sentiment, risk words, etc.) of specific cybersecurity disclosures
rather than the entire unstructured document.\141\
---------------------------------------------------------------------------
\139\ See, e.g., N. Trentmann, Companies Adjust Earnings for
Covid-19 Costs, but Are They Still a One-Time Expense?, The Wall
Street J. (2020) (citing an XBRL research software provider as a
source for the analysis described in the article); see also
Bloomberg Lists BSE XBRL Data, <a href="http://XBRL.org">XBRL.org</a> (2018); see also R. Hoitash,
and U. Hoitash, Measuring Accounting Reporting Complexity with XBRL,
93 Account. Rev. 259 (2018).
\140\ The proposed cybersecurity disclosure requirements do not
expressly require the disclosure of any quantitative values; if a
registrant includes any quantitative values that are nested within
the required discussion (e.g., disclosing the number of days until
containment of a cybersecurity incident), those values would be
individually detail tagged, in addition to the block text tagging of
the narrative disclosures.
\141\ To illustrate, without Inline XBRL, using the search term
``remediation'' to search through the text of all registrants'
filings over a certain period of time, so as to analyze the trends
in registrants' disclosures related to cybersecurity incident
remediation efforts during that period, could return many narrative
disclosures outside of the cybersecurity incident discussion (e.g.,
disclosures related to potential environmental liabilities in the
risk factors section). If Inline XBRL is used, however, it would
enable a user to search for the term ``remediation'' exclusively
within the proposed cybersecurity disclosures, thereby likely
reducing the number of irrelevant results.
---------------------------------------------------------------------------
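The scoped search described in note 141 and the detail tagging of a nested number described in note 140 can be shown concretely. The following is an added example, not part of this release and not code from any filer or vendor: it parses a constructed Inline XBRL fragment, counts hits for "remediation" across the whole document, then restricts the same search to block-tagged cybersecurity facts and extracts the nested numeric fact. The "cyd:" concept names, the context and unit identifiers, and the fragment text are assumptions made for illustration; the proposal does not define a taxonomy.

```python
"""Scoped search over Inline XBRL-tagged narrative disclosures.

Added example, not part of the Federal Register release. It shows why
block-tagging a narrative cybersecurity disclosure lets a user search for a
term only inside that disclosure (note 141) and how a number nested in the
narrative is separately detail tagged (note 140).
"""
import re
import xml.etree.ElementTree as ET

IX_NS = "http://www.xbrl.org/2013/inlineXBRL"  # Inline XBRL 1.1 namespace
XHTML_NS = "http://www.w3.org/1999/xhtml"

# Constructed filing fragment. The "cyd:" concept names are hypothetical
# (assumed for illustration; the proposal does not define a taxonomy), and the
# context/unit ids are placeholders. Three uses of "remediation" appear, only
# one of them inside the tagged cybersecurity block.
SAMPLE_IXBRL = f"""<html xmlns="{XHTML_NS}" xmlns:ix="{IX_NS}">
<body>
<p>Risk Factors. We may incur costs for the environmental remediation of a
former plant site.</p>
<ix:nonNumeric name="cyd:MaterialCybersecurityIncidentNatureAndScope"
               contextRef="c-2022" id="f-1">
Unauthorized access to a customer database was detected. Remediation of the
affected systems is ongoing; containment was achieved within
<ix:nonFraction name="cyd:DaysUntilContainment" contextRef="c-2022"
               unitRef="u-days" decimals="0" id="f-2">3</ix:nonFraction> days.
</ix:nonNumeric>
<p>Management's Discussion. Remediation of legacy litigation matters
continued.</p>
</body>
</html>"""


def _text(el):
    """Whitespace-normalized text under el, including nested facts."""
    return " ".join("".join(el.itertext()).split())


def count_term(doc, term):
    """Unscoped search: occurrences of term anywhere in the filing text."""
    pattern = re.compile(rf"\b{re.escape(term)}\b", re.IGNORECASE)
    return len(pattern.findall(_text(ET.fromstring(doc))))


def search_tagged_facts(doc, term, prefix="cyd:"):
    """Scoped search: names of block-tagged facts under prefix whose text
    contains term. Facts from other taxonomies are ignored entirely."""
    pattern = re.compile(rf"\b{re.escape(term)}\b", re.IGNORECASE)
    root = ET.fromstring(doc)
    return [
        fact.get("name")
        for fact in root.iter(f"{{{IX_NS}}}nonNumeric")
        if fact.get("name", "").startswith(prefix) and pattern.search(_text(fact))
    ]


def numeric_facts(doc, prefix="cyd:"):
    """Detail-tagged numbers nested in the narrative, as concept -> value.
    Applies the ix:nonFraction scale and sign attributes when present."""
    root = ET.fromstring(doc)
    values = {}
    for fact in root.iter(f"{{{IX_NS}}}nonFraction"):
        name = fact.get("name", "")
        if not name.startswith(prefix):
            continue
        value = float(_text(fact).replace(",", "")) * 10 ** int(fact.get("scale", "0"))
        values[name] = -value if fact.get("sign") == "-" else value
    return values


if __name__ == "__main__":
    print("document-wide hits:", count_term(SAMPLE_IXBRL, "remediation"))
    print("cybersecurity-block hits:", search_tagged_facts(SAMPLE_IXBRL, "remediation"))
    print("detail-tagged values:", numeric_facts(SAMPLE_IXBRL))
```

Run stand-alone, the script reports three document-wide hits for "remediation" (environmental, incident, and litigation) but a single hit when the search is limited to the tagged cybersecurity fact, and it recovers the nested containment figure as a separately addressable numeric value rather than as free text.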
b. Benefits to Registrants \142\
---------------------------------------------------------------------------
\142\ While registrants are legally distinct entities from
investors, benefits and costs to registrants as a result of the
proposed amendments would ultimately accrue to their investors.
---------------------------------------------------------------------------
The proposed amendments regarding both incident reporting and risk
management, strategy, and governance disclosure could potentially lower
registrants' cost of capital, especially for those who currently have
strong cybersecurity risk management, strategy, and governance measures
in place. Economic theory suggests that better disclosure could reduce
information asymmetry between management and investors, reducing the
cost of capital, and thereby improving firms' liquidity and their
access to capital markets.\143\ In an asymmetric information
environment, investors recognize that registrants may take advantage of
their position by issuing securities at a price that is higher than
justified by the issuer's fundamental value. As a result, investors
demand a discount to compensate for the risk of adverse selection. This
discount translates into a higher cost of capital.\144\ By providing
more disclosure, the firm can reduce the risk of adverse selection
faced by investors and the discount they demand, ultimately decreasing
the firm's cost of capital.\145\ Applying this theory to cybersecurity
disclosure, the increased disclosure as a result of the proposed
amendments could decrease the cost of capital and increase firm value.
---------------------------------------------------------------------------
\143\ See Douglas W. Diamond and Robert E. Verrecchia,
Disclosure, Liquidity, and the Cost of Capital, 46 J. Fin. 1325,
1325-1359 (1991) (finding that revealing public information to
reduce information asymmetry can reduce a firm's cost of capital
through increased liquidity). See also Christian Leuz and Robert E.
Verrecchia, The Economic Consequences of Increased Disclosure, 38 J.
Acct. Res. 91 (2000) (providing empirical evidence that increased
disclosure lowers the information asymmetry component of the cost of
capital in a sample of German firms); see also Christian Leuz and
Peter D. Wysocki, The Economics of Disclosure and Financial
Reporting Regulation: Evidence and Suggestions for Future Research,
54 J. Acct. Res. 525 (2016) (providing a comprehensive survey of the
literature on the economic effect of disclosure).
\144\ See Leuz and Verrecchia, The Economic Consequences of
Increased Disclosure, 38 J. Acct. Res. 91 (2000) (stating: ``A brief
sketch of the economic theory is as follows. Information asymmetries
create costs by introducing adverse selection into transactions
between buyers and sellers of firm shares. In real institutional
settings, adverse selection is typically manifest in reduced levels
of liquidity for firm shares (e.g., Copeland and Galai [1983], Kyle
[1985], and Glosten and Milgrom [1985]). To overcome the reluctance
of potential investors to hold firm shares in illiquid markets,
firms must issue capital at a discount. Discounting results in fewer
proceeds to the firm and hence higher costs of capital. A commitment
to increased levels of disclosure reduces the possibility of
information asymmetries arising either between the firm and its
shareholders or among potential buyers and sellers of firm shares.
This, in turn, should reduce the discount at which firm shares are
sold, and hence lower the costs of issuing capital (e.g., Diamond
and Verrecchia [1991] and Baiman and Verrecchia [1996]).'').
\145\ Although disclosure could be beneficial for the firm,
several conditions must be met for firms to voluntarily disclose all
their private information. See Anne Beyer, Daniel A. Cohen, Thomas
Z. Lys, and Beverly R. Walther, The Financial Reporting Environment:
Review Of The Recent Literature, 50 J. Acct. & Econ. 296, 296-343
(2010) (discussing conditions under which firms voluntarily disclose
all their private information, and these conditions include ``(1)
disclosures are costless; (2) investors know that firms have, in
fact, private information; (3) all investors interpret the firms'
disclosure in the same way and firms know how investors will
interpret that disclosure; (4) managers want to maximize their
firms' share prices; (5) firms can credibly disclose their private
information; and (6) firms cannot commit ex-ante to a specific
disclosure policy.''). Increased reporting could also help determine
the effect of investment on firm value. See Lawrence A. Gordon,
Martin P. Loeb, William Lucyshyn, and Lei Zhou, The Impact of
Information Sharing on Cybersecurity Underinvestment: A Real Options
Perspective, 34 (5) J. Acct. & Pub. Policy 509, 509-519 (2015)
(arguing that ``information sharing could reduce the tendency by
firms to defer cybersecurity investments.'').
---------------------------------------------------------------------------
The proposed amendments' effect on cost of capital might vary
depending on registrants' current level of cybersecurity risk
management, strategy, and governance and whether they are already
making disclosures regarding their efforts. To the extent that they
have not been making the proposed disclosure, registrants with stronger
cybersecurity risk management, strategy, and governance measures could
be priced more favorably under the proposed amendments because the
proposed disclosure would allow the market to better differentiate them
from the registrants with less robust measures. To the extent that some
registrants are already making disclosures about their robust
cybersecurity risk management, strategy, and governance programs, these
registrants would benefit less. However, if registrants that previously
had less robust cybersecurity risk management, strategy, and governance
disclose improvements in their cybersecurity risk management, strategy,
and governance in response to the proposed amendments, their cost of
capital could also decrease.
Registrants could also benefit from more uniform regulations
regarding the timing of disclosures and the types of cybersecurity
incident and risk disclosures as a result of the proposed amendments.
Currently, the stigma or reputation loss associated with cybersecurity
breaches may result in companies limiting reporting about or delaying
reporting of cybersecurity incidents.\146\ If all registrants are
required to report cybersecurity incidents on Form 8-K within four
business days as proposed, this could reduce the reputation costs that
any one company might suffer after reporting an attack and also reduce
the incentives to underreport.
---------------------------------------------------------------------------
\146\ See Kamiya et al., supra note 133, at 720
(stating ``we find that successful cyberattacks have potentially
economically large reputation costs in that the shareholder wealth
loss far exceeds the out-of-pocket costs from the attack''). See
also Eli Amir, Shai Levi, and Tsafrir Livne, Do Firms Underreport
Information on Cyber-Attacks? Evidence from Capital Markets, 23 (3)
Review of Accounting Studies 1177-1206 (2018) (finding evidence that
is consistent with managers withholding information on cyber-
attacks, and particularly the information on the more severe
attacks).
---------------------------------------------------------------------------
In addition, by formalizing the disclosure requirements related to
cybersecurity incidents and cybersecurity risk management, strategy,
and governance and specifying the topics to be discussed, the proposed
amendments could reduce compliance costs for those registrants who are
currently providing disclosure about these topics. The compliance costs
would only be reduced to the extent that those registrants may be over-
disclosing information, because there is uncertainty about what is
required under the current rules. For instance,
[[Page 16610]]
the staff has observed that some registrants provide Form 8-K filings
even when they do not anticipate the incident will have a material
adverse impact on their business operations or financial results.\147\
---------------------------------------------------------------------------
\147\ See supra note 129 and accompanying text.
---------------------------------------------------------------------------
We are unable to quantify these potential benefits to registrants
as a result of the proposed amendments due to lack of data. For
example, we are unable to observe the actual cybersecurity risk
registrants are facing. Without such information, we cannot provide a
reasonable estimate on how registrants' cybersecurity risk and
therefore their cost of capital may decrease.
2. Costs
We also recognize that enhanced cybersecurity disclosure could
result in costs to registrants, depending on the timing and extent of
the disclosure. These costs include potential increases in registrants'
vulnerability, information uncertainty, and compliance costs. We
discuss these costs below.
First, the proposed disclosure about cybersecurity incidents and
cybersecurity risk management, strategy, and governance could
potentially increase the vulnerability of registrants. Ever since the
issuance of the 2011 Staff Guidance, concerns have been raised that
providing detailed disclosures of cybersecurity incidents can create
the risk of providing a road map for future attacks.\148\ The concern
is that malicious actors could use the disclosures to potentially gain
insights into a registrant's practices on cybersecurity issues and thus
better calibrate future attacks.
---------------------------------------------------------------------------
\148\ See, e.g., Roland L. Trope and Sarah Jane Hughes, The SEC
Staff's Cybersecurity Disclosure Guidance: Will It Help Investors or
Cyber-Thieves More, 2011 Bus. L. Today 2, 1-4 (2011).
---------------------------------------------------------------------------
The proposed changes to Form 8-K and Form 6-K would require
registrants to timely file current reports on these forms to disclose
material cybersecurity incidents. The proposed disclosures include, for
example, the nature and scope of the disclosed incident and whether the
registrant has remediated or is currently remediating the incidents.
While we have clarified that we would not expect a registrant to
publicly disclose specific, technical information about its planned
response to the incident or its cybersecurity systems, related networks
and devices, or potential system vulnerabilities in such detail as
would impede the registrant's response or remediation of the incident,
to the extent that a registrant discloses information that could
provide clues to malicious actors regarding its areas of vulnerability,
it may face increased risk. Malicious actors could
engage in further attacks based on the information, especially given
that registrants would also need to make timely disclosure, which could
mean that the underlying security issues might not have been completely
resolved, thereby potentially exacerbating the ongoing attack. As a
result, the proposed incident disclosure rules could potentially
increase the vulnerability of registrants, imposing a cost on them and
their investors.
Similar concerns could be raised about the proposed risk
management, strategy, and governance disclosure. Specifically, proposed
Item 407(j) would require registrants to disclose whether a member of
their board of directors has cybersecurity expertise, and proposed new
Items 106(b) and (c) would require registrants to provide specified
disclosure regarding their cybersecurity policies and procedures and
cybersecurity governance by a company's management and board. The
required disclosure could provide malicious actors information about
which companies lack a board of directors with cybersecurity expertise,
and which ones have weak policies and procedures related to
cybersecurity risk management, and allow such malicious actors to
determine their targets accordingly.
However, academic research so far has not provided evidence that
more detailed cybersecurity risk disclosures would necessarily lead to
more attacks.\149\ For example, one study finds that measures for
specificity (e.g., the uniqueness of the disclosure) do not have a
statistically significant relation with subsequent cybersecurity
incidents.\150\ Another study finds that the disclosed security risk
factors with risk-mitigation themes are less likely to be related to
future breach announcements.\151\ On the other hand, we note that the
proposed amendments would require more details than under the current
rules, and the uniformity of the proposed requirements might also make
it easier for malicious actors to identify firms with deficiencies.
Therefore, these findings might not be generalizable to the effects of
the proposed amendments. Additionally, the costs resulting from this
potential vulnerability might be partially mitigated to the extent that
registrants may decide to enhance their cybersecurity risk management
in anticipation of the increased disclosure.
---------------------------------------------------------------------------
\149\ We note that the papers we cited below study the effect of
voluntary disclosure and 2011 Staff Guidance. The results from these
studies might not be generalizable to the mandatory disclosures
under the proposed rules.
\150\ See He Li, Won Gyun No, and Tawei Wang, SEC's
Cybersecurity Disclosure Guidance and Disclosed Cybersecurity Risk
Factors, 30 Int'l. J. of Acct. Info. Sys. 40-55 (2018) (stating:
``while Ferraro (2013) criticizes that the SEC did little to resolve
the concern about publicly revealing too much information [that]
could provide potential hackers with a roadmap for successful
attacks, we find no evidence supporting such claim'').
\151\ See Tawei Wang, Karthik N. Kannan, and Jackie Rees Ulmer,
The Association Between the Disclosure and the Realization of
Information Security Risk Factors, 24.2 Info. Sys. Rsch. 201, 201-
218 (2013).
---------------------------------------------------------------------------
Second, the proposed cybersecurity incident disclosure could
potentially increase information uncertainty related to securities,
because the disclosure about the impact of the incident on the
registrant's operations may lack the precision needed for investors and
the market to properly value these securities. While the proposed
changes to Form 8-K could improve the timeliness of cybersecurity
incident reporting and result in more disclosure about the impact of
the incident on the registrant's operations, the proposed rules do not
require registrants to quantify the impact of the incident. As a
result, registrants' disclosure about the impact of a cybersecurity
incident could be qualitative in nature or lack the precision needed
for investors and the market to properly value the securities,
potentially leading to information uncertainty, investor under or
overreaction to certain disclosures, and thereby mispricing of
registrants' securities.\152\
---------------------------------------------------------------------------
\152\ See Kent Daniel, David Hirshleifer, and Avanidhar
Subrahmanyam, Investor Psychology and Security Market Under- and
Overreactions, 53 (6) J. of Fin. 1839-1885 (1998) (showing that investor
behavioral biases such as overconfidence can cause them to under- or
over-react to information); see Nicholas Barberis, Andrei Shleifer,
and Robert Vishny, A Model of Investor Sentiment, 49 (3) J. of Fin.
Econ. 307-343 (1998) (presenting a model of investor sentiment to
explain the empirical findings of underreaction of stock prices to
news such as earnings announcements, and overreaction of stock
prices to a series of good or bad news based on two psychological
phenomena, conservatism and representativeness heuristic); see also
David Hirshleifer, Investor Psychology and Asset Pricing, 56 J. of
Fin. 1533, 1533-1596 (2001) (stating: ``[m]ore generally, greater
uncertainty about a set of stocks, and a lack of accurate feedback
about their fundamentals, leaves more room for psychological biases.
At the extreme, it is relatively hard to misperceive an asset that
is nearly risk-free. Thus, the misvaluation effects of almost any
mistaken-beliefs model should be strongest among firms about which
there is high uncertainty/poor information (cash flow variance is
one possible proxy).'').
---------------------------------------------------------------------------
Additionally, while the proposed disclosure could have the overall
effect of reducing registrants' cost of capital as discussed in Section
III.C.1.b, we also recognize that a subset of registrants might
experience an increase in costs of capital. More specifically, under
the
[[Page 16611]]
proposed amendments, registrants with less robust cybersecurity risk
management measures might be priced more unfavorably compared to those
with stronger measures, potentially leading to an increase in cost of
capital for these registrants. This is because the increased
transparency as a result of the proposed disclosure could allow
investors to better differentiate registrants' preparedness and ability
to manage cybersecurity risks. However, except for this scenario, we
expect that registrants overall would benefit from reduced cost of
capital as a result of the proposed disclosure as discussed in Section
III.C.1.b.
Finally, the proposed rules would impose compliance costs for
registrants. Registrants would incur one-time and ongoing costs to
fulfill the proposed new disclosure requirements under Items 106 and
407 of Regulation S-K. These costs would include costs to gather the
information and prepare the disclosures.
Registrants would also incur compliance costs to fulfill the
proposed disclosure requirements related to Form 8-K (Form 6-K for
FPIs) incident reporting and Form 10-Q/10-K (Form 20-F for FPIs)
ongoing reporting.\153\ These costs include one-time costs to implement
or revise their incident disclosure practices, so that any registrant
that determines it has experienced a material cybersecurity incident
would disclose such incident with the required information within four
business days. Registrants would also incur ongoing costs to disclose
in a periodic report any material changes, additions, or updates
relating to previously disclosed incidents, and to monitor whether any
previously undisclosed immaterial cybersecurity incidents have become
material in the aggregate, triggering a disclosure obligation. The
costs would be mitigated for registrants whose current disclosure
practices match or are similar to those that are proposed. To the
extent that registrants fall under other incident reporting
requirements or cybersecurity risk management, strategy, and governance
mandates as outlined in Section III.B.1, their costs from the proposed
amendments would be mitigated as well.
---------------------------------------------------------------------------
\153\ We note that the compliance costs related to Form 6-K
filings would be mitigated, because a condition of the form is that
the information is disclosed or required to be disclosed elsewhere.
---------------------------------------------------------------------------
We note that BDCs could be subject to both the proposed rules and
rule amendments in the Investment Management Cybersecurity Proposing
Release \154\ and those proposed in this release if both proposals were
to be adopted. To the extent that BDCs would need to provide
substantively the same or similar disclosure on both Form 8-K and in
registration statements, the compliance costs could be duplicative.
However, the potential duplication should not result in a significant
increase in compliance costs, because BDCs should be able to provide
similar disclosure for both sets of rules.\155\
---------------------------------------------------------------------------
\154\ See Investment Management Cybersecurity Proposing Release.
\155\ See infra section VI.E.
---------------------------------------------------------------------------
The compliance costs would also include costs attributable to the
Inline XBRL tagging requirements. Various preparation solutions have
been developed and used by operating companies to fulfill XBRL
requirements, and some evidence suggests that, for smaller companies,
XBRL compliance costs have decreased over time.\156\ The incremental
compliance costs associated with Inline XBRL tagging of cybersecurity
disclosures would also be mitigated by the fact that most registrants
who would be subject to the proposed requirements are already subject
to other Inline XBRL requirements for other disclosures in Commission
filings, including financial statement and cover page disclosures in
certain periodic reports and registration statements.\157\ Such
registrants may be able to leverage existing Inline XBRL preparation
processes and expertise in complying with the proposed cybersecurity
disclosure tagging requirements. Asset-backed securities issuers,
however, are not subject to Inline XBRL requirements in Commission
filings and would likely incur initial Inline XBRL compliance
implementation costs (such as the cost of training in-house staff to
prepare filings in Inline XBRL, and the cost to license Inline XBRL
filing preparation software from vendors).\158\
---------------------------------------------------------------------------
\156\ An AICPA survey of 1,032 reporting companies with $75
million or less in market capitalization in 2018 found an average
cost of $5,850 per year, a median cost of $2,500 per year, and a
maximum cost of $51,500 per year for fully outsourced XBRL creation
and filing, representing a 45% decline in average cost and a 69%
decline in median cost since 2014. See Michael Cohn, AICPA Sees 45%
Drop in XBRL Costs for Small Companies, Accounting Today (Aug. 15,
2018) (stating that a 2018 NASDAQ survey of 151 listed registrants
found an average XBRL compliance cost of $20,000 per quarter, a
median XBRL compliance cost of $7,500 per quarter, and a maximum
XBRL compliance cost of $350,000 per
quarter), available at <a href="https://www.accountingtoday.com/news/aicpa-sees-45-drop-in-xbrl-costs-for-small-reporting-companies">https://www.accountingtoday.com/news/aicpa-sees-45-drop-in-xbrl-costs-for-small-reporting-companies</a> (retrieved
from Factiva database); Letter from Nasdaq, Inc. (March 21, 2019)
(to the Request for Comment on Earnings Releases and Quarterly
Reports); see Release No. 33-10588 (Dec. 18, 2018) [83 FR 65601
(Dec. 21, 2018)].
\157\ See 17 CFR 229.601(b)(101) and 17 CFR 232.405 (for
requirements related to tagging financial statements, including
footnotes and schedules in Inline XBRL). See 17 CFR 229.601(b)(104)
and 17 CFR 232.406 (for requirements related to tagging cover page
disclosures in Inline XBRL).
\158\ See infra section IV.
---------------------------------------------------------------------------
Other than the Paperwork Reduction Act costs discussed in Section
IV below, we are unable to quantify the potential increase in costs
related to the proposed rules due to the lack of da
[…truncated; see source link]