Rule 2023-16194

Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published
August 4, 2023
Effective
September 5, 2023

Issuing agencies

Securities and Exchange Commission

Abstract

The Securities and Exchange Commission ("Commission") is adopting new rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. Specifically, we are adopting amendments to require current disclosure about material cybersecurity incidents. We are also adopting rules requiring periodic disclosures about a registrant's processes to assess, identify, and manage material cybersecurity risks, management's role in assessing and managing material cybersecurity risks, and the board of directors' oversight of cybersecurity risks. Lastly, the final rules require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language ("Inline XBRL").

Full Text

<html>
<head>
<title>Federal Register, Volume 88 Issue 149 (Friday, August 4, 2023)</title>
</head>
<body><pre>
[Federal Register Volume 88, Number 149 (Friday, August 4, 2023)]
[Rules and Regulations]
[Pages 51896-51945]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2023-16194]



[[Page 51895]]

Vol. 88, No. 149

Friday, August 4, 2023

Part II

Securities and Exchange Commission

-----------------------------------------------------------------------

17 CFR Parts 229, 232, 239, et al.

Cybersecurity Risk Management, Strategy, Governance, and Incident 
Disclosure; Final Rule

[[Page 51896]]

-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

17 CFR Parts 229, 232, 239, 240, and 249

[Release Nos. 33-11216; 34-97989; File No. S7-09-22]
RIN 3235-AM89


Cybersecurity Risk Management, Strategy, Governance, and Incident 
Disclosure

AGENCY: Securities and Exchange Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Securities and Exchange Commission (``Commission'') is 
adopting new rules to enhance and standardize disclosures regarding 
cybersecurity risk management, strategy, governance, and incidents by 
public companies that are subject to the reporting requirements of the 
Securities Exchange Act of 1934. Specifically, we are adopting 
amendments to require current disclosure about material cybersecurity 
incidents. We are also adopting rules requiring periodic disclosures 
about a registrant's processes to assess, identify, and manage material 
cybersecurity risks, management's role in assessing and managing 
material cybersecurity risks, and the board of directors' oversight of 
cybersecurity risks. Lastly, the final rules require the cybersecurity 
disclosures to be presented in Inline eXtensible Business Reporting 
Language (``Inline XBRL'').

DATES: 
    Effective date: The amendments are effective September 5, 2023.
    Compliance dates: See Section II.I (Compliance Dates).

FOR FURTHER INFORMATION CONTACT: Nabeel Cheema, Special Counsel, at 
(202) 551-3430, in the Office of Rulemaking, Division of Corporation 
Finance; and, with respect to the application of the rules to business 
development companies, David Joire, Senior Special Counsel, at (202) 
551-6825 or <a href="mailto:IMOCC@sec.gov">IMOCC@sec.gov</a>, Chief Counsel's Office, Division of 
Investment Management, U.S. Securities and Exchange Commission, 100 F 
Street NE, Washington, DC 20549.

SUPPLEMENTARY INFORMATION: We are adopting amendments to:

----------------------------------------------------------------------------------------------------------------
Commission reference                                        CFR citation (17 CFR)
----------------------------------------------------------------------------------------------------------------
Regulation S-K.....................  .....................  §§ 229.10 through 229.1305.
                                     Items 106 and 601....  §§ 229.106 and 229.601.
Regulation S-T.....................  .....................  §§ 232.10 through 232.903.
                                     Rule 405.............  § 232.405.
Securities Act of 1933               Form S-3.............  § 239.13.
 (``Securities Act'') \1\.
Securities Exchange Act of 1934      Rule 13a-11..........  § 240.13a-11.
 (``Exchange Act'') \2\.
                                     Rule 15d-11..........  § 240.15d-11.
                                     Form 20-F............  § 249.220f.
                                     Form 6-K.............  § 249.306.
                                     Form 8-K.............  § 249.308.
                                     Form 10-K............  § 249.310.
----------------------------------------------------------------------------------------------------------------

Table of Contents
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 77a et seq.
    \2\ 15 U.S.C. 78a et seq.
---------------------------------------------------------------------------

I. Introduction and Background
II. Discussion of Final Amendments
    A. Disclosure of Cybersecurity Incidents on Current Reports
    1. Proposed Amendments
    2. Comments
    3. Final Amendments
    B. Disclosures About Cybersecurity Incidents in Periodic Reports
    1. Proposed Amendments
    2. Comments
    3. Final Amendments
    C. Disclosure of a Registrant's Risk Management, Strategy and 
Governance Regarding Cybersecurity Risks
    1. Risk Management and Strategy
    a. Proposed Amendments
    b. Comments
    c. Final Amendments
    2. Governance
    a. Proposed Amendments
    b. Comments
    c. Final Amendments
    3. Definitions
    a. Proposed Definitions
    b. Comments
    c. Final Definitions
    D. Disclosure Regarding the Board of Directors' Cybersecurity 
Expertise
    1. Proposed Amendments
    2. Comments
    3. Final Amendments
    E. Disclosure by Foreign Private Issuers
    1. Proposed Amendments
    2. Comments
    3. Final Amendments
    F. Structured Data Requirements
    1. Proposed Amendments
    2. Comments
    3. Final Amendments
    G. Applicability to Certain Issuers
    1. Asset-Backed Issuers
    2. Smaller Reporting Companies
    H. Need for New Rules and Commission Authority
    I. Compliance Dates
III. Other Matters
IV. Economic Analysis
    A. Introduction
    B. Economic Baseline
    1. Current Regulatory Framework
    2. Affected Parties
    C. Benefits and Costs of the Final Rules
    1. Benefits
    a. More Timely and Informative Disclosure
    b. Greater Uniformity and Comparability
    2. Costs
    3. Indirect Economic Effects
    D. Effects on Efficiency, Competition, and Capital Formation
    E. Reasonable Alternatives
    1. Website Disclosure
    2. Disclosure Through Periodic Reports
    3. Exempt Smaller Reporting Companies
V. Paperwork Reduction Act
    A. Summary of the Collections of Information
    B. Summary of Comment Letters and Revisions to PRA Estimates
    C. Effects of the Amendments on the Collections of Information
    D. Incremental and Aggregate Burden and Cost Estimates for the 
Final Amendments
VI. Final Regulatory Flexibility Analysis
    A. Need for, and Objectives of, the Final Amendments
    B. Significant Issues Raised by Public Comments
    1. Estimate of Affected Small Entities and Impact to Those 
Entities
    2. Consideration of Alternatives
    C. Small Entities Subject to the Final Amendments
    D. Projected Reporting, Recordkeeping, and other Compliance 
Requirements
    E. Agency Action To Minimize Effect on Small Entities
    Statutory Authority

I. Introduction and Background

    On March 9, 2022, the Commission proposed new rules, and rule and 
form amendments, to enhance and standardize disclosures regarding 
cybersecurity risk management, strategy, governance, and cybersecurity 
incidents by public companies that are subject to the reporting 
requirements of the

[[Page 51897]]

Exchange Act.\3\ The proposal followed on interpretive guidance on the 
application of existing disclosure requirements to cybersecurity risk 
and incidents that the Commission and staff had issued in prior years.
---------------------------------------------------------------------------

    \3\ See Cybersecurity Risk Management, Strategy, Governance, and 
Incident Disclosure, Release No. 33-11038 (Mar. 9, 2022) [87 FR 
16590 (Mar. 23, 2022)] (``Proposing Release'').
---------------------------------------------------------------------------

    In particular, in 2011, the Division of Corporation Finance issued 
interpretive guidance providing the Division's views concerning 
operating companies' disclosure obligations relating to cybersecurity 
(``2011 Staff Guidance'').\4\ In that guidance, the staff observed that 
``[a]lthough no existing disclosure requirement explicitly refers to 
cybersecurity risks and cyber incidents, a number of disclosure 
requirements may impose an obligation on registrants to disclose such 
risks and incidents,'' and further that ``material information 
regarding cybersecurity risks and cyber incidents is required to be 
disclosed when necessary in order to make other required disclosures, 
in light of the circumstances under which they are made, not 
misleading.'' \5\ The guidance pointed specifically to disclosure 
obligations under 17 CFR 229.503 (Regulation S-K ``Item 503(c)'') (Risk 
factors) (since moved to 17 CFR 229.105 (Regulation S-K ``Item 105'')), 
17 CFR 229.303 (Regulation S-K ``Item 303'') (Management's discussion 
and analysis of financial condition and results of operations), 17 CFR 
229.101 (Regulation S-K ``Item 101'') (Description of business), 17 CFR 
229.103 (Regulation S-K ``Item 103'') (Legal proceedings), and 17 CFR 
229.307 (Disclosure controls and procedures), as well as to Accounting 
Standards Codifications 350-40 (Internal-Use Software), 605-50 
(Customer Payments and Incentives), 450-20 (Loss Contingencies), 275-10 
(Risks and Uncertainties), and 855-10 (Subsequent Events).\6\
---------------------------------------------------------------------------

    \4\ See CF Disclosure Guidance: Topic No. 2--Cybersecurity (Oct. 
13, 2011), available at <a href="https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm">https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm</a>.
    \5\ Id.
    \6\ Id.
---------------------------------------------------------------------------

    In 2018, ``[i]n light of the increasing significance of 
cybersecurity incidents,'' the Commission issued interpretive guidance 
to reinforce and expand upon the 2011 Staff Guidance and also address 
the importance of cybersecurity policies and procedures, as well as the 
application of insider trading prohibitions in the context of 
cybersecurity (``2018 Interpretive Release'').\7\ In addition to 
discussing the provisions previously covered in the 2011 Staff 
Guidance, the new guidance addressed 17 CFR 229.407 (Regulation S-K 
``Item 407'') (Corporate Governance), 17 CFR part 210 (``Regulation S-
X''), and 17 CFR part 243 (``Regulation FD'').\8\ The 2018 Interpretive 
Release noted that companies can provide current reports on Form 8-K 
and Form 6-K to maintain the accuracy and completeness of effective 
shelf registration statements, and it also advised companies to 
consider whether it may be appropriate to implement restrictions on 
insider trading during the period following an incident and prior to 
disclosure.\9\
---------------------------------------------------------------------------

    \7\ See Commission Statement and Guidance on Public Company 
Cybersecurity Disclosures, Release No. 33-10459 (Feb. 21, 2018) [83 
FR 8166 (Feb. 26, 2018)], at 8167.
    \8\ Id.
    \9\ Id.
---------------------------------------------------------------------------

    As noted in the Proposing Release, current disclosure practices are 
varied. For example, while some registrants do report material 
cybersecurity incidents, most typically on Form 10-K, review of Form 8-
K, Form 10-K, and Form 20-F filings by staff in the Division of 
Corporation Finance has shown that companies provide different levels 
of specificity regarding the cause, scope, impact, and materiality of 
cybersecurity incidents. Likewise, staff has also observed that, while 
the majority of registrants that are disclosing cybersecurity risks 
appear to be providing such disclosures in the risk factor section of 
their annual reports on Form 10-K, the disclosures are sometimes 
included with other unrelated disclosures, which makes it more 
difficult for investors to locate, interpret, and analyze the 
information provided.\10\
---------------------------------------------------------------------------

    \10\ See infra Section IV.A (noting that current cybersecurity 
disclosures appear in varying sections of companies' periodic and 
current reports and are sometimes included with other unrelated 
disclosures).
---------------------------------------------------------------------------

    In the Proposing Release, the Commission explained that a number of 
trends underpinned investors' and other capital markets participants' 
need for more timely and reliable information related to registrants' 
cybersecurity than was produced following the 2011 Staff Guidance and 
the 2018 Interpretive Release. First, an ever-increasing share of 
economic activity is dependent on electronic systems, such that 
disruptions to those systems can have significant effects on 
registrants and, in the case of large-scale attacks, systemic effects 
on the economy as a whole.\11\ Second, there has been a substantial 
rise in the prevalence of cybersecurity incidents, propelled by several 
factors: the increase in remote work spurred by the COVID-19 pandemic; 
the increasing reliance on third-party service providers for 
information technology services; and the rapid monetization of 
cyberattacks facilitated by ransomware, black markets for stolen data, 
and crypto-asset technology.\12\ Third, the costs and adverse 
consequences of cybersecurity incidents to companies are increasing; 
such costs include business interruption, lost revenue, ransom 
payments, remediation costs, liabilities to affected parties, 
cybersecurity protection costs, lost assets, litigation risks, and 
reputational damage.\13\
---------------------------------------------------------------------------

    \11\ Proposing Release at 16591-16592. See also U.S. Financial 
Stability Oversight Council, Annual Report (2021), at 168, available 
at <a href="https://home.treasury.gov/system/files/261/FSOC2021AnnualReport.pdf">https://home.treasury.gov/system/files/261/FSOC2021AnnualReport.pdf</a> (finding that ``a destabilizing 
cybersecurity incident could potentially threaten the stability of 
the U.S. financial system'').
    \12\ Proposing Release at 16591-16592.
    \13\ Id.
---------------------------------------------------------------------------

    Since publication of the Proposing Release, these trends have 
continued apace, with significant cybersecurity incidents occurring 
across companies and industries. For example, threat actors repeatedly 
and successfully executed attacks on high-profile companies across 
multiple critical industries over the course of 2022 and the first 
quarter of 2023, causing the Department of Homeland Security's Cyber 
Safety Review Board to initiate multiple reviews.\14\ Likewise, state 
actors have perpetrated multiple high-profile attacks, and recent 
geopolitical instability has elevated such threats.\15\ A recent study 
by two cybersecurity firms found that 98 percent of organizations use 
at least one third-party vendor that

[[Page 51898]]

has experienced a breach in the last two years.\16\ In addition, recent 
developments in artificial intelligence may exacerbate cybersecurity 
threats, as researchers have shown that artificial intelligence systems 
can be leveraged to create code used in cyberattacks, including by 
actors not versed in programming.\17\ Overall, evidence suggests 
companies may be underreporting cybersecurity incidents.\18\
---------------------------------------------------------------------------

    \14\ See Department of Homeland Security, Cyber Safety Review 
Board to Conduct Second Review on Lapsus$ (Dec. 2, 2022), available 
at <a href="https://www.dhs.gov/news/2022/12/02/cyber-safety-review-board-conduct-second-review-lapsus">https://www.dhs.gov/news/2022/12/02/cyber-safety-review-board-conduct-second-review-lapsus</a>; see also Tim Starks, The Latest Mass 
Ransomware Attack Has Been Unfolding For Nearly Two Months, Wash. 
Post (Mar. 27, 2023), available at <a href="https://www.washingtonpost.com/politics/2023/03/27/latest-mass-ransomware-attack-has-been-unfolding-nearly-two-months/">https://www.washingtonpost.com/politics/2023/03/27/latest-mass-ransomware-attack-has-been-unfolding-nearly-two-months/</a>.
    \15\ See, e.g., Press Release, Federal Bureau of Investigation, 
FBI Confirms Lazarus Group Cyber Actors Responsible for Harmony's 
Horizon Bridge Currency Theft (Jan. 23, 2023), available at <a href="https://www.fbi.gov/news/press-releases/fbi-confirms-lazarus-group-cyber-actors-responsible-for-harmonys-horizon-bridge-currency-theft">https://www.fbi.gov/news/press-releases/fbi-confirms-lazarus-group-cyber-actors-responsible-for-harmonys-horizon-bridge-currency-theft</a>; Alert 
(AA22-257A), Cybersecurity & Infrastructure Security Agency, Iranian 
Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting 
Vulnerabilities for Data Extortion and Disk Encryption for Ransom 
Operations (Sep. 14, 2022), available at <a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-257a">https://www.cisa.gov/uscert/ncas/alerts/aa22-257a</a>; National Security Agency et al., Joint 
Cybersecurity Advisory: Russian State-Sponsored and Criminal Cyber 
Threats to Critical Infrastructure (Apr. 20, 2022), available at 
<a href="https://media.defense.gov/2022/Apr/20/2002980529/-1/-1/1/joint_csa_russian_state-sponsored_and_criminal_cyber_threats_to_critical_infrastructure_20220420.pdf">https://media.defense.gov/2022/Apr/20/2002980529/-1/-1/1/joint_csa_russian_state-sponsored_and_criminal_cyber_threats_to_critical_infrastructure_20220420.pdf</a>.
    \16\ SecurityScorecard, Cyentia Institute and SecurityScorecard 
Research Report: Close Encounters of the Third (and Fourth) Party 
Kind (Feb 1, 2023), available at <a href="https://securityscorecard.com/research/cyentia-close-encounters-of-the-third-and-fourth-party-kind/">https://securityscorecard.com/research/cyentia-close-encounters-of-the-third-and-fourth-party-kind/</a>.
    \17\ Check Point Research, OPWNAI: AI that Can Save the Day or 
Hack it Away (Dec. 19, 2022), available at <a href="https://research.checkpoint.com/2022/opwnai-ai-that-can-save-the-day-or-hack-it-away">https://research.checkpoint.com/2022/opwnai-ai-that-can-save-the-day-or-hack-it-away</a>.
    \18\ Bitdefender, Whitepaper: Bitdefender 2023 Cybersecurity 
Assessment (Apr. 2023), available at <a href="https://businessresources.bitdefender.com/bitdefender-2023-cybersecurity-assessment">https://businessresources.bitdefender.com/bitdefender-2023-cybersecurity-assessment</a>.
---------------------------------------------------------------------------

    Legislatively, we note two significant developments occurred 
following publication of the Proposing Release. First, the President 
signed into law the Cyber Incident Reporting for Critical 
Infrastructure Act of 2022 (``CIRCIA'') \19\ on March 15, 2022, as part 
of the Consolidated Appropriations Act of 2022.\20\ The centerpiece of 
CIRCIA is the reporting obligation placed on companies in defined 
critical infrastructure sectors.\21\ Once rules are adopted by the 
Cybersecurity & Infrastructure Security Agency (``CISA''), these 
companies will be required to report covered cyber incidents to CISA 
within 72 hours of discovery, and report ransom payments within 24 
hours.\22\ Importantly, reports made to CISA pursuant to CIRCIA will 
remain confidential; while the information contained therein may be 
shared across Federal agencies for cybersecurity, investigatory, and 
law enforcement purposes, the information may not be disclosed 
publicly, except in anonymized form.\23\ We note that CIRCIA also 
mandated the creation of a ``Cyber Incident Reporting Council . . . to 
coordinate, deconflict, and harmonize Federal incident reporting 
requirements'' (the ``CIRC''), of which the Commission is a member.\24\ 
Second, on December 21, 2022, the President signed into law the Quantum 
Computing Cybersecurity Preparedness Act, which directs the Federal 
Government to adopt technology that is protected from decryption by 
quantum computing, a developing technology that may increase computer 
processing capacity considerably and thereby render existing computer 
encryption vulnerable to decryption.\25\
---------------------------------------------------------------------------

    \19\ Cyber Incident Reporting for Critical Infrastructure Act of 
2022, Public Law 117-103, 136 Stat. 1038 (2022).
    \20\ Consolidated Appropriations Act of 2022, H.R. 2471, 117th 
Cong. (2022).
    \21\ The sectors are defined in Presidential Policy Directive/
PPD-21, Critical Infrastructure Security and Resilience (Feb. 12, 
2013), as: Chemical; Commercial Facilities; Communications; Critical 
Manufacturing; Dams; Defense Industrial Base; Emergency Services; 
Energy; Financial Services; Food and Agriculture; Government 
Facilities; Healthcare and Public Health; Information Technology; 
Nuclear Reactors, Materials, and Waste; Transportation Systems; 
Water and Wastewater Systems. Because these sectors encompass some 
private companies and do not encompass all public companies, 
CIRCIA's reach is both broader and narrower than the set of 
companies subject to the rules we are adopting.
    \22\ 6 U.S.C. 681b(a)(1).
    \23\ 6 U.S.C. 681e. See infra Section II.A.3 for a discussion of 
why our final rules serve a different purpose and are not at odds 
with the goals of CIRCIA.
    \24\ 6 U.S.C. 681f.
    \25\ Quantum Computing Cybersecurity Preparedness Act, H.R. 
7535, 117th Cong. (2022). More recently, the White House released a 
National Cybersecurity Strategy to combat the ongoing risks 
associated with cyberattacks. The National Cybersecurity Strategy 
seeks to rebalance the responsibility for defending against cyber 
threats toward companies instead of the general public, and looks to 
realign incentives to favor long-term investments in cybersecurity. 
See Press Release, White House, FACT SHEET: Biden-Harris 
Administration Announces National Cybersecurity Strategy (Mar. 2, 
2023), available at <a href="https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/">https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/</a>.
---------------------------------------------------------------------------

    We received over 150 comment letters in response to the Proposing 
Release.\26\ The majority of comments focused on the proposed incident 
disclosure requirement, although we also received substantial comment 
on the proposed risk management, strategy, governance, and board 
expertise requirements. In addition, the Commission's Investor Advisory 
Committee adopted recommendations (``IAC Recommendation'') with respect 
to the proposal, stating that it: supports the proposed incident 
disclosure requirement; supports the proposed risk management, 
strategy, and governance disclosure requirements; recommends the 
Commission reconsider the proposed board of directors' cybersecurity 
expertise disclosure requirement; suggests requiring companies to 
disclose the key factors they used to determine the materiality of a 
reported cybersecurity incident; and suggests extending the proposed 17 
CFR 229.106 (Regulation S-K ``Item 106'') disclosure requirements to 
registration statements.\27\
---------------------------------------------------------------------------

    \26\ The public comments we received are available at <a href="https://www.sec.gov/comments/s7-09-22/s70922.htm">https://www.sec.gov/comments/s7-09-22/s70922.htm</a>. On Mar. 9, 2022, the 
Commission published the Proposing Release on its website. The 
comment period for the Proposing Release was open for 60 days from 
issuance and publication on <a href="http://SEC.gov">SEC.gov</a> and ended on May 9, 2022. One 
commenter asserted that the comment period was not sufficient and 
asked the Commission to extend it by 30 days. See letter from 
American Chemistry Council (``ACC''). In Oct. 2022, the Commission 
reopened the comment period for the Proposing Release and other 
rulemakings because certain comments on the Proposing Release and 
other rulemakings were potentially affected by a technological error 
in the Commission's internet comment form. See Resubmission of 
Comments and Reopening of Comment Periods for Several Rulemaking 
Releases Due to a Technological Error in Receiving Certain Comments, 
Release No. 33-11117 (Oct. 7, 2022) [87 FR 63016 (Oct. 18, 2022)] 
(``Reopening Release''). The Reopening Release was published on the 
Commission's website on Oct. 7, 2022 and in the Federal Register on 
Oct. 18, 2022, and the comment period ended on Nov. 1, 2022. A few 
commenters asserted that the comment period for the reopened 
rulemakings was not sufficient and asked the Commission to extend 
the comment period for those rulemakings. See, e.g., letters from 
Attorneys General of the states of Montana et al. (Oct. 24, 2022) 
and U.S. Chamber of Commerce (Nov. 1, 2022). We have considered all 
comments received since Mar. 9, 2022 and do not believe an 
additional extension of the comment period is necessary.
    \27\ See U.S. Securities and Exchange Commission Investor 
Advisory Committee, Recommendation of the Investor as Owner 
Subcommittee and Disclosure Subcommittee of the SEC Investor 
Advisory Committee Regarding Cybersecurity Risk Management, 
Strategy, Governance, and Incident Disclosure (Sept. 21, 2022), 
available at <a href="https://www.sec.gov/spotlight/investor-advisory-committee-2012/20220921-cybersecurity-disclosure-recommendation.pdf">https://www.sec.gov/spotlight/investor-advisory-committee-2012/20220921-cybersecurity-disclosure-recommendation.pdf</a>. 
The Investor Advisory Committee also held a panel discussion on 
cybersecurity at its Mar. 10, 2022 meeting. See U.S. Securities and 
Exchange Commission Investor Advisory Committee, Meeting Agenda 
(Mar. 10, 2022), available at <a href="https://www.sec.gov/spotlight/investor-advisory-committee/iac031022-agenda.htm">https://www.sec.gov/spotlight/investor-advisory-committee/iac031022-agenda.htm</a>.
---------------------------------------------------------------------------

    We are making a number of important changes from the Proposing 
Release in response to comments received. With respect to incident 
disclosure, we are narrowing the scope of disclosure, adding a limited 
delay for disclosures that would pose a substantial risk to national 
security or public safety, requiring certain updated incident 
disclosure on an amended Form 8-K instead of Forms 10-Q and 10-K for 
domestic registrants, and on Form 6-K instead of Form 20-F for foreign 
private issuers (``FPIs''),\28\ and omitting the proposed aggregation 
of immaterial incidents for materiality analyses. We are streamlining 
the proposed disclosure elements related to risk management, strategy, 
and governance, and we are not adopting the proposed requirement to 
disclose board cybersecurity expertise. The following

[[Page 51899]]

table summarizes the requirements we are adopting, including changes 
from the Proposing Release, as described more fully in Section II 
below: \29\
---------------------------------------------------------------------------

    \28\ An FPI is any foreign issuer other than a foreign 
government, except for an issuer that (1) has more than 50 percent 
of its outstanding voting securities held of record by U.S. 
residents; and (2) any of the following: (i) a majority of its 
executive officers or directors are citizens or residents of the 
United States; (ii) more than 50 percent of its assets are located 
in the United States; or (iii) its business is principally 
administered in the United States. 17 CFR 230.405. See also 17 CFR 
240.3b-4(c).
    \29\ The information in this table is not comprehensive and is 
intended only to highlight some of the more significant aspects of 
the final amendments. It does not reflect all of the amendments or 
all of the rules and forms that are affected by the final 
amendments, which are discussed in detail below. As such, this table 
should be read together with the entire release, including the 
regulatory text.

------------------------------------------------------------------------
                                 Summary description of the disclosure
             Item                           requirement \30\
------------------------------------------------------------------------
Regulation S-K Item 106(b)--   Registrants must describe their
 Risk management and strategy.  processes, if any, for the assessment,
                                identification, and management of
                                material risks from cybersecurity
                                threats, and describe whether any risks
                                from cybersecurity threats have
                                materially affected or are reasonably
                                likely to materially affect their
                                business strategy, results of
                                operations, or financial condition.
Regulation S-K Item 106(c)--   Registrants must:
 Governance.                   --Describe the board's oversight of risks
                                from cybersecurity threats.
                               --Describe management's role in assessing
                                and managing material risks from
                                cybersecurity threats.
Form 8-K Item 1.05--Material   Registrants must disclose any
 Cybersecurity Incidents.       cybersecurity incident they experience
                                that is determined to be material, and
                                describe the material aspects of its:
                               --Nature, scope, and timing; and
                               --Impact or reasonably likely impact.
                               An Item 1.05 Form 8-K must be filed
                                within four business days of determining
                                an incident was material. A registrant
                                may delay filing as described below, if
                                the United States Attorney General
                                (``Attorney General'') determines
                                immediate disclosure would pose a
                                substantial risk to national security or
                                public safety.
                               Registrants must amend a prior Item 1.05
                                Form 8-K to disclose any information
                                called for in Item 1.05(a) that was not
                                determined or was unavailable at the
                                time of the initial Form 8-K filing.
Form 20-F....................  FPIs must:
                               --Describe the board's oversight of risks
                                from cybersecurity threats.
                               --Describe management's role in assessing
                                and managing material risks from
                                cybersecurity threats.
Form 6-K.....................  FPIs must furnish on Form 6-K information
                                on material cybersecurity incidents that
                                they disclose or otherwise publicize in
                                a foreign jurisdiction, to any stock
                                exchange, or to security holders.
------------------------------------------------------------------------

    Overall, we remain persuaded that, as detailed in the Proposing 
Release: under-disclosure regarding cybersecurity persists despite the 
Commission's prior guidance; investors need more timely and consistent 
cybersecurity disclosure to make informed investment decisions; and 
recent legislative and regulatory developments elsewhere in the Federal 
Government, including those developments subsequent to the issuance of 
the Proposing Release such as CIRCIA \31\ and the Quantum Computing 
Cybersecurity Preparedness Act,\32\ while serving related purposes, will 
not effectuate the level of public cybersecurity disclosure needed by 
investors in public companies.
---------------------------------------------------------------------------

    \30\ For purposes of this release, the terms ``public 
companies,'' ``companies,'' and ``registrants'' include issuers that 
are business development companies as defined in section 2(a)(48) of 
the Investment Company Act of 1940, which are a type of closed-end 
investment company that is not registered under the Investment 
Company Act, but do not include investment companies registered 
under that Act.
    \31\ Supra note 19.
---------------------------------------------------------------------------

II. Discussion of Final Amendments

A. Disclosure of Cybersecurity Incidents on Current Reports

1. Proposed Amendments
    The Commission proposed to amend Form 8-K by adding new Item 1.05 
that would require a registrant to disclose the following information 
regarding a material cybersecurity incident, to the extent known at the 
time of filing:
    <bullet> When the incident was discovered and whether it is 
ongoing;
    <bullet> A brief description of the nature and scope of the 
incident;
    <bullet> Whether any data were stolen, altered, accessed, or used 
for any other unauthorized purpose;
    <bullet> The effect of the incident on the registrant's operations; 
and
    <bullet> Whether the registrant has remediated or is currently 
remediating the incident.\33\
---------------------------------------------------------------------------

    \33\ Proposing Release at 16595.
---------------------------------------------------------------------------

    The Commission clarified in the Proposing Release that this 
requirement would not extend to specific, technical information about 
the registrant's planned response to the incident or its cybersecurity 
systems, related networks and devices, or potential system 
vulnerabilities in such detail as would impede the registrant's 
response or remediation of the incident.\34\
---------------------------------------------------------------------------

    \34\ Id.
---------------------------------------------------------------------------

    The Commission proposed to set the filing trigger for Item 1.05 as 
the date the registrant determines that a cybersecurity incident is 
material; as with all other Form 8-K items, the proposed filing 
deadline would be four business days after the trigger.\35\ To protect 
against any inclination on the part of a registrant to delay making a 
materiality determination with a view toward prolonging the filing 
deadline, the Commission proposed adding Instruction 1 to Item 1.05 
requiring that ``a registrant shall make a materiality determination 
regarding a cybersecurity incident as soon as reasonably practicable 
after discovery of the incident.'' \36\
---------------------------------------------------------------------------

    \35\ Id.
    \36\ Id. at 16596.
---------------------------------------------------------------------------

    The Commission affirmed in the Proposing Release that the 
materiality standard registrants should apply in evaluating whether a 
Form 8-K would be triggered under proposed Item 1.05 would be 
consistent with that set out in the numerous cases addressing 
materiality in the securities laws, including TSC Industries, Inc. v. 
Northway, Inc.,\37\ Basic, Inc. v. Levinson,\38\ and Matrixx 
Initiatives, Inc. v. Siracusano,\39\ and likewise with that set forth 
in 17 CFR 230.405 (``Securities

[[Page 51900]]

Act Rule 405'') and 17 CFR 240.12b-2 (``Exchange Act Rule 12b-2''). 
That is, information is material if ``there is a substantial likelihood 
that a reasonable shareholder would consider it important'' \40\ in 
making an investment decision, or if it would have ``significantly 
altered the `total mix' of information made available.'' \41\ ``Doubts 
as to the critical nature'' of the relevant information should be 
``resolved in favor of those the statute is designed to protect,'' 
namely investors.\42\
---------------------------------------------------------------------------

    \37\ TSC Indus. v. Northway, 426 U.S. 438, 449 (1976).
    \38\ Basic Inc. v. Levinson, 485 U.S. 224, 232 (1988).
    \39\ Matrixx Initiatives v. Siracusano, 563 U.S. 27 (2011).
    \40\ TSC Indus., 426 U.S. at 449.
    \41\ Id.
    \42\ Id. at 448.
---------------------------------------------------------------------------

    The Commission explained that the timely disclosure of the 
information required by proposed Item 1.05 would enable investors and 
other market participants to assess the possible effects of a material 
cybersecurity incident on the registrant, including any short- and 
long-term financial effects or operational effects, resulting in 
information useful for their investment decisions.\43\ Aligning the 
deadline for Item 1.05 with that of the other Form 8-K items would, the 
Commission maintained, significantly improve the timeliness of 
cybersecurity incident disclosures as well as standardize those 
disclosures.\44\ The Commission did not propose to provide a reporting 
delay in cases of ongoing internal or external investigations of 
cybersecurity incidents.\45\ Nevertheless, the Proposing Release 
requested comment on whether to allow a delay in reporting where the 
Attorney General determines that a delay is in the interest of national 
security.\46\
---------------------------------------------------------------------------

    \43\ Proposing Release at 16595.
    \44\ Id.
    \45\ Id. at 16596.
    \46\ Id. at 16598.
---------------------------------------------------------------------------

2. Comments
    Proposed Item 1.05 received a significant amount of feedback from 
commenters. Some commenters supported Item 1.05 as proposed,\47\ saying 
that the current level of disclosure on cybersecurity incidents is 
inadequate to meet investor needs, and Item 1.05 would remedy this 
inadequacy by effectuating the disclosure of decision-useful 
information.\48\ One commenter also anticipated that Item 1.05 would 
reduce the risk of insider trading by shortening the time between 
discovery of an incident and public disclosure.\49\
---------------------------------------------------------------------------

    \47\ See letters from American Institute of CPAs (``AICPA''); 
Better Markets (``Better Markets''); BitSight Technologies, Inc. 
(``BitSight''); California Public Employees' Retirement System 
(``CalPERS''); Crindata, LLC (``Crindata''); Council of 
Institutional Investors (``CII''); Information Technology and 
Innovation Foundation (``ITIF''); North American Securities 
Administrators Association Inc. (``NASAA''); Professor Jerry Perullo 
(``Prof. Perullo''); Professor Preeti Choudhary (``Prof. 
Choudhary''); Tessa Mishoe (``T. Mishoe''). See also IAC 
Recommendation.
    \48\ Id.
    \49\ See letter from Better Markets.
---------------------------------------------------------------------------

    Other commenters opposed proposed Item 1.05, for several reasons. 
Some commenters said that if proposed Item 1.05 were to result in 
disclosure while an incident is still ongoing, it would tip off the 
threat actor and thus make successful neutralization of the incident 
more difficult.\50\ Commenters also expressed concern that public 
notice of a vulnerability could draw attacks from other threat actors 
who were previously unaware of the vulnerability; and such attacks 
could target the disclosing registrant or other companies with the same 
vulnerability, particularly if the vulnerability is with a third-party 
service provider used by multiple companies.\51\ Some of these 
commenters objected specifically to the requirement in Item 1.05 to 
disclose whether remediation has occurred, stating that this 
information could assist threat actors in their targeting or invite 
further targeted attacks,\52\ while others more generally stated that 
the Item 1.05 disclosure would be overly detailed, such that it would 
give a road map to threat actors for planning attacks.\53\ One 
commenter argued that the prospect of possibly having to file an Item 
1.05 Form 8-K could chill threat information sharing within industries, 
because companies would fear that any cybersecurity risk information 
they share could later be used to question their disclosure 
decisions.\54\
---------------------------------------------------------------------------

    \50\ See letters from ACC; American Gas Association and 
Interstate Natural Gas Association of America (``AGA/INGAA''); 
BioTechnology Innovation Organization (``BIO''); Bank Policy 
Institute, American Bankers Association, and Mid-Size Bank Coalition 
of America (``BPI et al.''); BSA/The Software Alliance (``BSA''); 
Business Roundtable (``Business Roundtable''); Canadian Bankers 
Association (``CBA''); Edison Electric Institute (``EEI''); Energy 
Infrastructure Council (``EIC''); Federation of American Hospitals 
(``FAH''); Financial Services Sector Coordinating Council 
(``FSSCC''); Information Technology Industry Council (``ITI''); LTSE 
Services, Inc. (``LTSE''); National Association of Manufacturers 
(``NAM''); National Defense Industrial Association (``NDIA''); Quest 
Diagnostics Incorporated (``Quest''); Rapid7, Inc. (``Rapid7''); 
Society for Corporate Governance (``SCG''); Securities Industry and 
Financial Markets Association (``SIFMA''); TransUnion; R Street 
Institute (``R Street''); U.S. Chamber of Commerce (``Chamber'').
    \51\ See letters from ABA Committee on Federal Regulation of 
Securities (``ABA''); Aerospace Industries Association of America 
(``AIA''); Alliance for Automotive Innovation (``Auto Innovators''); 
AGA/INGAA; American Property Casualty Insurance Association 
(``APCIA''); BPI et al.; BSA; Business Roundtable; CBA; Chamber; 
Cellular Telecommunications and internet Assoc. (``CTIA''); 
Cybersecurity Coalition; EEI; EIC; Empire State Realty Trust, Inc. 
(``Empire''); Enbridge Inc. (``Enbridge''); FSSCC; internet Security 
Alliance; ITI; Microsoft Corporation (``Microsoft''); NDIA; PPG 
Industries, Inc. (``PPG''); PricewaterhouseCoopers LLP (``PWC''); 
Rapid7; R Street; SCG; SIFMA; U.S. Senator Rob Portman (``Sen. 
Portman''); Virtu Financial (``Virtu'').
    \52\ See letters from ABA; AGA/INGAA; BPI et al.; Cybersecurity 
Coalition; Empire; Enbridge; PWC; SIFMA; SCG; Virtu.
    \53\ See letters from AGA/INGAA; BSA; EIC; ITI; PPG.
    \54\ See letter from Consumer Technology Association (``CTA'').
---------------------------------------------------------------------------

    Some of the commenters that disagreed with the level of disclosure 
required by proposed Item 1.05 recommended that the Commission narrow 
the disclosure requirements of the rule. For example, one such 
commenter advised dropping the proposed requirement to disclose ``when 
the incident was discovered,'' arguing that this detail may cause 
confusion, particularly where an incident was detected some time ago 
but a significant aspect rendering it material surfaced only 
recently.\55\ Another commenter opined that ``whether the registrant 
has remediated or is currently remediating the incident'' is 
duplicative of ``whether it is ongoing,'' so either of the two could be 
eliminated.\56\ One commenter contended that a materiality filter 
should be added to the details required by Item 1.05, such that 
companies would have to disclose only details that themselves are 
material, rather than immaterial details of a material incident.\57\
---------------------------------------------------------------------------

    \55\ See letter from Prof. Perullo.
    \56\ See letter from ABA.
    \57\ See letter from ITI.
---------------------------------------------------------------------------

    By contrast, there were also commenters that recommended expanding 
the disclosure requirements in the proposed rule. In this regard, some 
commenters recommended requiring that registrants disclose asset 
losses, intellectual property losses, and the value of business lost 
due to the incident.\58\ Other suggestions included requiring that 
incidents be quantified as to their severity and impact via 
standardized rating systems, and that registrants disclose how they 
became aware of the incident, as this may shed light on the 
effectiveness of a company's cybersecurity policies and procedures.\59\ 
Additionally, commenters suggested banning trading by insiders during 
the time between the materiality determination and disclosure of the 
incident.\60\
---------------------------------------------------------------------------

    \58\ See letters from Profs. Rajgopal & Sharpe; PWC.
    \59\ See letters from BitSight; Cloud Security Alliance 
(``CSA'').
    \60\ See letter from Prof. Mitts.
---------------------------------------------------------------------------

    Commenters provided reactions to the application of Item 1.05 to 
incidents

[[Page 51901]]

connected with third-party systems. A number of commenters contended 
that registrants should be exempt from having to disclose cybersecurity 
incidents in third-party systems they use because of their reduced 
control over such systems.\61\ Similarly, several commenters advocated 
for a safe harbor for information disclosed about third-party systems, 
given registrants' reduced visibility into such systems.\62\ A few 
commenters suggested a longer reporting timeframe for third-party 
incidents, because the registrant may be dependent on the third party 
for information (which may not be provided in a timely manner), and to 
avoid harm to other companies reliant on the same third party.\63\ 
Commenters also recommended that Item 1.05 be phased in over a longer 
period of time with respect to third-party incidents, to give 
registrants time to develop information sharing processes with their 
third-party service providers.\64\
---------------------------------------------------------------------------

    \61\ See letters from ABA; AIA; APCIA; Business Roundtable; 
Cybersecurity Coalition; Chamber; EIC; FAH; ISA; ITI; NAM; NDIA; 
National Multifamily Housing Council and National Apartment 
Association (``NMHC''); Paylocity; SIFMA.
    \62\ See letters from Chevron Corporation (``Chevron''); APCIA; 
BPI et al.; BIO; CSA; Financial Executive International's Committee 
on Corporate Reporting (``FEI''); ITI; ISA; NMHC; SIFMA.
    \63\ See letters from ABA; R Street.
    \64\ See letters from Business Roundtable; Deloitte & Touche LLP 
(``Deloitte'').
---------------------------------------------------------------------------

    Commenters also requested guidance or otherwise raised concerns 
where the proposed requirements might trigger disclosures by third-
party service providers. A commenter requested clarity on whether an 
incident should be disclosed by the third-party service provider 
registrant that owns the affected system or the customer registrant 
that owns the affected information, or both.\65\ And two commenters 
argued that third-party service providers should simply pass along 
information to their end customers, who would then make their own 
materiality determination and disclose accordingly; this should 
particularly be the case, a commenter said, where an attack on a third-
party data center results in a data breach for an end customer but does 
not affect the services the data center provides.\66\
---------------------------------------------------------------------------

    \65\ See letter from Business Roundtable.
    \66\ See letters from BSA; ITI.
---------------------------------------------------------------------------

    The proposed timing of incident disclosure also received a 
significant level of public comment. For example, a few commenters said 
the level of detail required by Item 1.05 is impractical to produce in 
the allotted time.\67\ Other commenters said that the proposed deadline 
would lead to the disclosure of tentative, unclear, or potentially 
inaccurate information that is not decision-useful to investors,\68\ 
resulting in the market mispricing the underlying securities.\69\ 
Commenters also argued that Item 1.05 is qualitatively different from 
all other Form 8-K items in that the trigger for Item 1.05 is largely 
outside the company's control.\70\ Some commenters worried the proposed 
deadline would lead to disclosure of ``false positives,'' that is, 
incidents that appear material at first but later on with the emergence 
of more information turn out not to be material.\71\
---------------------------------------------------------------------------

    \67\ See letters from ABA; NMHC; Quest.
    \68\ See letters from ABA; ACC; AIA; Auto Innovators; American 
Investment Council (``AIC''); BIO; Business Roundtable; CBA; 
Chamber; Confidentiality Coalition; CTIA; Davis Polk & Wardwell LLP 
(``Davis Polk''); Debevoise & Plimpton (``Debevoise''); Federated 
Hermes; FSSCC; Microsoft; NAM; Nasdaq Stock Market, LLC 
(``Nasdaq''); NDIA; Quest; SCG; TransUnion; Wilson Sonsini Goodrich 
& Rosati (``Wilson Sonsini''); Virtu.
    \69\ See letters from ABA; ACC; AIA; AIC; BIO; BPI et al.; 
Business Roundtable; Confidentiality Coalition; Davis Polk; ISA; 
Nasdaq; PPG; Quest; Rapid7; SCG; Sen. Portman; SIFMA; Virtu.
    \70\ See letters from CTIA; Debevoise; EIC; LTSE; New York City 
Bar Association (``NYC Bar''); Quest.
    \71\ See letters from LTSE; PPG; SCG.
---------------------------------------------------------------------------

    Commenters suggested a range of alternative reporting deadlines for 
Item 1.05. A common suggestion was to modify the measurement date from 
the determination of materiality to another point in the lifecycle of 
the incident when the incident is no longer a threat to the 
registrant--commenters variously termed this as ``containment,'' 
``remediation,'' ``mitigation,'' and comparable terms.\72\ One 
commenter recommended conditioning a reporting delay on the registrant 
being actively engaged in containing the incident and reasonably 
believing that containment can be completed in a timely manner.\73\ 
Similarly, several commenters recommended that the rule allow for a 
delay in providing Item 1.05 disclosure based on a registrant's 
assessment of the potential negative consequences of public disclosure, 
using a variety of measures they suggested.\74\ Another suggestion was 
to replace the proposed deadline with an instruction to disclose 
material incidents ``without unreasonable delay.'' \75\
---------------------------------------------------------------------------

    \72\ See letters from American Council of Life Insurers 
(``ACLI''); BCE Inc., Rogers Communications Inc., TELUS Corporation 
(``BCE''); BPI et al.; Business Roundtable; Chamber; CTA; 
Cybersecurity Coalition; Empire; FAH; Federated Hermes; FSSCC; ISA; 
ITI; NAM; Nasdaq; NDIA; NMHC; NYSE Group (``NYSE''); Quest; Rapid7; 
Sen. Portman; SCG; SIFMA; SM4RT Secure LLC (``SM4RT Secure''); 
TransUnion.
    \73\ See letter from Rapid7.
    \74\ See letters from BSA (suggesting a ``tailored, balancing 
test''); EEI (advocating delay ``to the extent . . . the registrant 
in good faith concludes that its disclosure will expose it or others 
to ongoing or additional risks of a cybersecurity incident''); EIC; 
Microsoft (requesting that companies be allowed to ``manage the 
timing'' of disclosure ``when compelling conditions exist such that 
premature disclosure would result in greater harm to the company, 
its investors, or the national digital ecosystem''); Nareit and The 
Real Estate Roundtable (``Nareit'') (stating delay should be 
permitted where disclosure ``would exacerbate injury to the company 
and/or its shareholders''); SIFMA (advocating a ```responsible 
disclosure' exception'' that applies ``where disclosure of a cyber 
incident or vulnerability could have a more damaging effect than 
delayed disclosure''); Wilson Sonsini (stating ``the Commission 
should allow board members to decide to delay reporting if doing so 
could cause material harm to the company'').
    \75\ See letters from CTIA; National Restaurant Association 
(``NRA'').
---------------------------------------------------------------------------

    Some commenters recommended instead increasing the number of days 
between the reporting trigger and the reporting deadline. A few 
commenters recommended adding one business day to make the deadline 
five business days; \76\ one noted this would result in every 
registrant having at least a full calendar week to gather information 
and prepare the Form 8-K.\77\ Another commenter recommended a deadline 
of 15 business days, along with a cure period to allow registrants a 
defined period of time to fix potential reporting mistakes.\78\ A few 
commenters recommended a 30-day deadline,\79\ with their choice of 30 
days tending to be a proxy for some other factor, such as containment 
or remediation,\80\ or state notification requirements.\81\
---------------------------------------------------------------------------

    \76\ See letters from AIC; Debevoise; NYC Bar.
    \77\ See letter from AIC.
    \78\ See letter from R Street.
    \79\ See letters from APCIA; Hunton Andrews Kurth, LLP 
(``Hunton''); Rapid7.
    \80\ See letters from APCIA (``[w]e believe that permitting a 
registrant to delay the filing for a short period of time strikes an 
appropriate balance between timely disclosure to shareholders and an 
opportunity for a registrant to achieve the best resolution for 
itself and its shareholders''); Rapid7 (``[i]n Rapid7's experience, 
the vast majority of incidents can be contained and mitigated within 
that time frame [30 days]'').
    \81\ See letters from APCIA (``[a]llowing up to 30 days for 
disclosure would also bring the SEC's proposal in line with data 
breach disclosure requirements at the state level''); Hunton 
(``[w]hile state data breach notification laws vary from state to 
state, 30 days from the cybersecurity incident is the earliest date 
any state requires that notification to affected persons be made'').
---------------------------------------------------------------------------

    Several commenters recommended addressing the timing concerns by 
replacing current reporting on Form 8-K with periodic reporting on 
Forms 10-Q and 10-K, to allow additional time to assess an incident's 
impact before reporting to markets.\82\ In this vein, one commenter 
likened cybersecurity incident disclosure to the disclosure of

[[Page 51902]]

legal proceedings under Regulation S-K Item 103.\83\
---------------------------------------------------------------------------

    \82\ See letters from ABA; Davis Polk; Debevoise; LTSE; NYC Bar; 
Quest; SCG.
    \83\ See letter from Quest.
---------------------------------------------------------------------------

    A few commenters recommended instead that the materiality trigger 
be replaced with a quantifiable trigger; for example, an incident 
implicating a specified percentage of revenue, or the costs of an 
incident exceeding a specified benchmark, could trigger disclosure.\84\ 
Other commenters advocated for the disclosure trigger to be tied to any 
legal obligation that forces a registrant to notify persons outside the 
company.\85\
---------------------------------------------------------------------------

    \84\ See letters from BIO; BitSight; EIC; Paylocity.
    \85\ See letters from ABA; Business Roundtable.
---------------------------------------------------------------------------

    Commenters also recommended a number of exceptions to the filing 
deadline. The most common recommendation was to include a provision 
allowing for delayed filing where there is an active law enforcement 
investigation or the disclosure otherwise implicates national security 
or public safety.\86\ A representative comment in this vein advanced a 
provision whereby registrants may ``delay reporting of a cybersecurity 
incident that is the subject of a bona fide investigation by law 
enforcement,'' because such ``delay in reporting may not only 
facilitate such an investigation, it may be critical to its success.'' 
\87\
---------------------------------------------------------------------------

    \86\ See letters from ABA; ACC; ACLI; AGA/INGAA; AIA; AICPA; 
APCIA; Auto Innovators; Rep. Banks; BPI et al.; BIO; BSA; Business 
Roundtable; CBA; Chamber; Chevron; CII; CSA; CTA; CTIA; 
Cybersecurity Coalition; Debevoise; EEI; EIC; Empire; Enbridge; FAH; 
FedEx Corporation (``FedEx''); FEI; FSSCC; Global Privacy Alliance 
(``GPA''); Hunton; ISA; ITI; ITIF; Microsoft; NAM; Nareit; NASAA; 
NDIA; NMHC; NRA; NYC Bar; Prof. Perullo; Sen. Portman; PPG; PWC; 
Quest; R Street; Profs. Rajgopal & Sharpe; Rapid7; SCG; SIFMA; 
TransUnion; Virtu; USTelecom--The Broadband Association 
(``USTelecom''); U.S. Chamber of Commerce & various associations 
(``Chamber et al.'').
    \87\ See letter from Debevoise.
---------------------------------------------------------------------------

    In calling for a law enforcement delay, associations for industries 
in critical sectors emphasized the national security implications of 
public cybersecurity incident disclosure. For example, one association 
explained that disclosure ``may alert malicious actors that we have 
uncovered their illegal activities in circumstances where our defense 
and intelligence agencies wish to keep that information secret.'' \88\ 
Likewise, another association pointed out that, in its industry, 
companies ``are likely to possess some of the nation's most critical 
confidential information, including cybersecurity threat information 
furnished by government entities, such as the Federal Bureau of 
Investigation (FBI), the Department of Homeland Security (DHS), and the 
National Security Agency (NSA),'' and therefore, disclosure may not be 
possible.\89\
---------------------------------------------------------------------------

    \88\ See letter from AIA.
    \89\ See letter from EEI.
---------------------------------------------------------------------------

    Commenters largely advocated for ``a broad law enforcement 
exception that applies not only in the interest of national security 
but also when law enforcement believes disclosure will hinder their 
efforts to identify or capture the threat actor.'' \90\ Many commenters 
that responded to the Commission's request for comment regarding a 
provision whereby the Attorney General determines that a delay is in 
the interest of national security indicated that such a provision 
should be more expansive and extend to other law enforcement 
authorities.\91\ One of these commenters questioned whether the 
Attorney General would opine on matters ``that are under the ambit of 
other Federal agencies, such as the Department of Homeland Security, 
Department of State and the Department of Defense.'' \92\ Another 
commenter pointed out that ``the Department of Justice is not the 
primary, or even the lead, organization in the Federal Government for 
cybersecurity response, rather the Department of Homeland Security's 
Cybersecurity and Infrastructure Security Agency is often the first 
call that companies make,'' while ``[f]or defense contractors, the 
Department of Defense is likely to have the highest interest in the 
timing of an announcement.'' \93\ For the financial industry 
specifically, one suggestion was to permit a delay if the Federal 
Reserve, Federal Deposit Insurance Corporation, or Office of the 
Comptroller of the Currency finds that disclosure would compromise the 
safety or soundness of the financial institution or of the financial 
system as a whole.\94\
---------------------------------------------------------------------------

    \90\ See letter from ABA.
    \91\ See letters from BPI et al.; CBA; CSA; Hunton; ITIF; SCG; 
Wilson Sonsini.
    \92\ See letter from Hunton. This commenter also questioned 
whether law enforcement would be inclined to provide a written 
determination, particularly within four business days, because in 
its experience with State data breach laws, ``the relevant state and 
federal law enforcement agencies seldom (if ever) provide written 
instructions when the relevant exception comes into play.''
    \93\ See letter from Wilson Sonsini.
    \94\ See letter from BPI et al. Cf. letter from FSSCC.
---------------------------------------------------------------------------

    Some commenters specifically urged that state law enforcement be 
included within any delay provision,\95\ and one commenter appeared to 
contemplate inclusion of foreign law enforcement.\96\ A few commenters 
advocated for a confidential reporting system, whereby a registrant 
would initially file a nonpublic report with the Commission while a law 
enforcement investigation is ongoing, and then unseal the report upon 
the investigation's completion.\97\
---------------------------------------------------------------------------

    \95\ See, e.g., letter from ITIF.
    \96\ See letter from CBA (stating ``the scope of the 
contemplated exemption is indefensibly narrow, particularly for 
registrants with operations outside of the United States . . . there 
should be an exemption to permit delayed disclosure upon the request 
of any competent national, state or local law enforcement 
authority'').
    \97\ See letters from CSA; Hunton; SCG. See also letter from 
LTSE (positing the Regulation SCI disclosure framework as a model 
for Item 1.05).
---------------------------------------------------------------------------

    A number of commenters provided feedback regarding proposed 
Instruction 1, which would have directed registrants to make their 
materiality determination regarding an incident ``as soon as reasonably 
practicable after discovery of the incident.'' Several commenters 
recommended removing the instruction altogether as, in their view, it 
would place unnecessary pressure on companies to make premature 
determinations before they have sufficient information.\98\ Other 
commenters stated that the instruction is too ambiguous for registrants 
to ascertain whether they have complied with it.\99\ Conversely, one 
commenter advised the Commission not to provide further guidance on the 
meaning of ``as soon as reasonably practicable,'' explaining that doing 
so would interfere with each registrant's individual assessment of what 
is practicable given its specific context, resulting in pressure to 
move more quickly than may be appropriate.\100\ Another commenter 
likewise found that ``as soon as reasonably practicable'' is a 
``reasonable approach'' that ``provides public companies with the 
appropriate degree of flexibility to conduct a thorough assessment 
while ensuring that the markets get timely and relevant information.'' 
\101\ One commenter recommended a safe harbor for actions and 
determinations made in good faith to satisfy Instruction 1 that later 
turn out to be mistaken.\102\
---------------------------------------------------------------------------

    \98\ See letters from ABA; AGA/INGAA; Federated Hermes; ISA; 
Paylocity; Quest; SCG.
    \99\ See letter from Center for Audit Quality (``CAQ''); CSA; 
Institute of Internal Auditors (``IIA''); LTSE; NYC Bar.
    \100\ See letter from Cybersecurity Coalition.
    \101\ See letter from NASAA.
    \102\ See letter from Nasdaq.
---------------------------------------------------------------------------

    In response to a request for comment in the Proposing Release, 
several commenters recommended registrants be permitted to furnish 
rather than file an Item 1.05 Form 8-K, so that filers of an Item 1.05 
Form 8-K would not be subject to liability under Section 18 of the 
Exchange Act.\103\ A significant number of commenters also endorsed the 
proposal to amend 17 CFR 240.13a-11(c) (``Rule 13a-11(c)'') and 17 

[[Page 51903]]

CFR 240.15d-11(c) (``Rule 15d-11(c)'') under the Exchange Act to 
include Item 1.05 in the list of 
Form 8-K items eligible for a limited safe harbor from liability under 
Section 10(b) or 17 CFR 240.10b-5 (``Rule 10b-5'') under the Exchange 
Act.\104\ Likewise, the proposal to amend General Instruction I.A.3.(b) 
of Form S-3 and General Instruction I.A.2 of Form SF-3 to provide that 
an untimely filing on Form 8-K regarding new Item 1.05 would not result 
in loss of Form S-3 or Form SF-3 eligibility received much 
support.\105\
---------------------------------------------------------------------------

    \103\ See letters from BPI et al.; Business Roundtable; Chevron; 
CSA; EEI; LTSE; NAM; SCG.
    \104\ See letters from ABA; APCIA; BIO; Business Roundtable; 
Chevron; CTIA; Cybersecurity Coalition; Debevoise; EEI; LTSE; NYC 
Bar; PWC; SCG.
    \105\ See letters from ABA; APCIA; BIO; Business Roundtable; 
Chevron; CTIA; Cybersecurity Coalition; Debevoise; EEI; LTSE; NYC 
Bar; PWC; SCG.
---------------------------------------------------------------------------

    Finally, a number of commenters averred that Item 1.05 would 
conflict with other Federal and state cybersecurity reporting or other 
regulatory regimes. For example, one commenter stated Item 1.05 would 
counteract the goals of CIRCIA by requiring public disclosure of 
information the act would keep confidential, and went on to assert that 
CIRCIA was intended as the primary means for reporting incidents to the 
Federal Government.\106\ Also related to CIRCIA, a number of commenters 
urged harmonization of the Commission's proposal with forthcoming 
regulations expected from CISA pursuant to CIRCIA.\107\ Several 
commenters alleged Item 1.05 would conflict with rules the Department 
of Health and Human Services (``HHS'') has adopted pursuant to the 
Health Insurance Portability and Accountability Act (``HIPAA'') 
regarding the reporting of private health information breaches.\108\ A 
few commenters likewise said Item 1.05 would conflict with the 
reporting regime set forth in Federal Communications Commission 
(``FCC'') regulations for breaches of customer proprietary network 
information.\109\ Conflicts were also alleged with regulations and 
programs of the Department of Defense (``DOD''),\110\ Department of 
Energy (``DOE''),\111\ and Department of Homeland Security 
(``DHS'').\112\ Commenters called for harmonization of Item 1.05 with 
regulations issued by Federal banking regulators,\113\ as well as with 
regulations of the Federal Trade Commission (``FTC'').\114\ Some 
commenters noted the potential interaction between the proposed rules 
and state laws.\115\ One commenter noted the McCarran-Ferguson Act, 
which provides that a state law preempts a Federal statute if the state 
law was enacted for the purpose of regulating the business of insurance 
and the Federal statute does not specifically relate to the business of 
insurance.\116\
---------------------------------------------------------------------------

    \106\ See letter from Sen. Portman.
    \107\ See letters from ACC; ACLI; APCIA; BPI et al.; BIO; 
Confidentiality Coalition; Chamber; CTA; CTIA; Cybersecurity 
Coalition; EIC; FEI; FSSCC; Insurance Coalition (``IC''); ISA; ITI; 
ITIF; Nareit; NAM; NRA; R Street; SCG; SIFMA; USTelecom.
    \108\ See letters from Chamber; Confidentiality Coalition; FAH; 
R Street.
    \109\ See letters from Chamber; CTIA; USTelecom.
    \110\ See letter from Chamber et al.
    \111\ See letter from EEI.
    \112\ See letter from ACC. This letter additionally alleged 
conflicts with regulations of the Department of Energy, 
Transportation Security Agency, Department of Defense, and 
Environmental Protection Agency, but did not explain specifically 
where those conflicts lie.
    \113\ See letters from FSSCC; Structured Finance Association 
(``SFA''); SIFMA.
    \114\ See letters from BIO; CTIA.
    \115\ See letters from IC (noting ``[a]n important issue will be 
to ensure harmonized regulation between the federal government and 
the several states with proposed or preexisting cybersecurity 
regulations''); R Street (noting that state privacy laws ``mandate 
reporting of incidents across very different timelines''); SIFMA 
(noting that ``many state financial services and/or insurance 
regulators already require regulated entities certify cybersecurity 
compliance'').
    \116\ See letter from IC.
---------------------------------------------------------------------------

3. Final Amendments
    Having considered the comments, we remain convinced that investors 
need timely, standardized disclosure regarding cybersecurity incidents 
materially affecting registrants' businesses, and that the existing 
regulatory landscape is not yielding consistent and informative 
disclosure of cybersecurity incidents from registrants.\117\ However, 
we are revising the proposal in two important respects in response to 
concerns raised by commenters. First, we are narrowing the amount of 
information required to be disclosed, to better balance investors' 
needs and registrants' cybersecurity posture. And second, we are 
providing for a delay for disclosures that would pose a substantial 
risk to national security or public safety, contingent on a written 
notification by the Attorney General, who may take into consideration 
other Federal or other law enforcement agencies' findings.
---------------------------------------------------------------------------

    \117\ As the Commission has previously stated, markets rely on 
timely dissemination of information to accurately and quickly value 
securities. Additional Form 8-K Disclosure Requirements and 
Acceleration of Filing Date, Release No. 33-8400 (Mar. 16, 2004) [69 
FR 15593 (Mar. 25, 2004)] (``Additional Form 8-K Disclosure 
Release''). Congress recognized that the ongoing dissemination of 
accurate information by issuers about themselves and their 
securities is essential to the effective operation of the markets, 
and specifically recognized the importance of current reporting in 
this regard by requiring that ``[e]ach issuer reporting under 
Section 13(a) or 15(d) . . . disclose to the public on a rapid and 
current basis such additional information concerning material 
changes in the financial condition or operations of the issuer . . . 
as the Commission determines . . . is necessary or useful for the 
protection of investors and in the public interest.'' 15 U.S.C. 
78m(l).
---------------------------------------------------------------------------

    As described above, commenters' criticisms of Item 1.05 generally 
arose from two aspects of the proposal: (1) the scope of disclosure; 
and (2) the timing of disclosure. With respect to disclosure scope, we 
note in particular commenter concerns that the disclosure of certain 
details required by proposed Item 1.05 could exacerbate security 
threats, both for the registrants' systems and for systems in the same 
industry or beyond, and could chill threat information sharing within 
industries. We agree that a balancing of concerns consistent with our 
statutory authority is necessary in crafting Item 1.05 to avoid 
empowering threat actors with actionable information that could harm a 
registrant and its investors. However, we are not persuaded, as some 
commenters suggested,\118\ that we should forgo requiring disclosure of 
the existence of an incident while it is ongoing to avoid risks, such 
as the risk of tipping off threat actors. Some companies already 
disclose material cybersecurity incidents while they are ongoing and 
before they are fully remediated, but the timing, form, and substance 
of those disclosures are inconsistent. Several commenters indicated 
both that investors look for information regarding registrants' 
cybersecurity incidents and that current disclosure levels are 
inadequate to their needs in making investment decisions.\119\ In 
addition, we note below in Section IV evidence showing that delayed 
reporting of cybersecurity incidents can result in mispricing of 
securities, and that such mispricing can be exploited by threat actors, 
employees, related third parties, and others through trades made before 
an incident becomes public.\120\ Accordingly, we believe it is 
necessary to adopt a requirement for uniform current reporting of 
material cybersecurity incidents.
---------------------------------------------------------------------------

    \118\ See supra note 50.
    \119\ See letters from Better Markets; CalPERS; CII.
    \120\ See infra notes 413 and 462.
---------------------------------------------------------------------------

    To that end, and to balance investors' needs with the concerns 
raised by commenters, we are streamlining Item 1.05 to focus the 
disclosure primarily on the impacts of a material cybersecurity 
incident, rather than on requiring details regarding the incident 
itself. The final rules will require the registrant to ``describe the 
material aspects of the nature, scope, and timing of the

[[Page 51904]]

incident, and the material impact or reasonably likely material impact 
on the registrant, including its financial condition and results of 
operations.'' We believe this formulation more precisely focuses the 
disclosure on what the company determines is the material impact of the 
incident, which may vary from incident to incident. The rule's 
inclusion of ``financial condition and results of operations'' is not 
exclusive; companies should consider qualitative factors alongside 
quantitative factors in assessing the material impact of an 
incident.\121\ By way of illustration, harm to a company's reputation, 
customer or vendor relationships, or competitiveness may be examples of 
a material impact on the company. Similarly, the possibility of 
litigation or regulatory investigations or actions, including 
regulatory actions by state and Federal Governmental authorities and 
non-U.S. authorities, may constitute a reasonably likely material 
impact on the registrant.
---------------------------------------------------------------------------

    \121\ See also Proposing Release at 16596 (stating that ``[a] 
materiality analysis is not a mechanical exercise'' and not solely 
quantitative, but rather should take into consideration ``all 
relevant facts and circumstances surrounding the cybersecurity 
incident, including both quantitative and qualitative factors'').
---------------------------------------------------------------------------

    We are not adopting, as proposed, a requirement for disclosure 
regarding the incident's remediation status, whether it is ongoing, and 
whether data were compromised. While some incidents may still 
necessitate, for example, discussion of data theft, asset loss, 
intellectual property loss, reputational damage, or business value 
loss, registrants will make those determinations as part of their 
materiality analyses. Further, we are adding an Instruction 4 to Item 
1.05 to provide that a ``registrant need not disclose specific or 
technical information about its planned response to the incident or its 
cybersecurity systems, related networks and devices, or potential 
system vulnerabilities in such detail as would impede the registrant's 
response or remediation of the incident.'' While the Commission 
provided this assurance in the Proposing Release,\122\ we agree with 
some commenters that codifying it in the Item 1.05 instructions should 
provide added clarity to registrants on the type of disclosure required 
by Item 1.05.
---------------------------------------------------------------------------

    \122\ Id. at 16595.
---------------------------------------------------------------------------

    With respect to commenters' questions concerning the application of 
Item 1.05 to incidents occurring on third-party systems, we are not 
exempting registrants from providing disclosures regarding 
cybersecurity incidents on third-party systems they use, nor are we 
providing a safe harbor for information disclosed about third-party 
systems. While we appreciate the commenters' concerns about a 
registrant's reduced control over such systems, we note the centrality 
of the materiality determination: whether an incident is material is 
not contingent on where the relevant electronic systems reside or who 
owns them. In other words, we do not believe a reasonable investor 
would view a significant breach of a registrant's data as immaterial 
merely because the data were housed on a third-party system, especially 
as companies increasingly rely on third-party cloud services that may 
place their data out of their immediate control.\123\ Instead, as 
discussed above, materiality turns on how a reasonable investor would 
consider the incident's impact on the registrant.
---------------------------------------------------------------------------

    \123\ See Deloitte, Global Third-Party Risk Management Survey 
2022, at 15, available at <a href="https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/risk/deloitte-uk-global-tprm-survey-report-2022.pdf">https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/risk/deloitte-uk-global-tprm-survey-report-2022.pdf</a> (discussing results of a global survey of 1,309 ``senior 
leaders from a variety of organizations'' indicating that ``73% of 
respondents currently have a moderate to high level of dependence on 
[cloud-service providers]'' and ``[t]hat is expected to increase to 
88% in the years ahead'').
---------------------------------------------------------------------------

    Depending on the circumstances of an incident that occurs on a 
third-party system, disclosure may be required by both the service 
provider and the customer, or by one but not the other, or by neither. 
We appreciate that companies may have reduced visibility into third-
party systems; registrants should disclose based on the information 
available to them. The final rules generally do not require that 
registrants conduct additional inquiries outside of their regular 
channels of communication with third-party service providers pursuant 
to those contracts and in accordance with registrants' disclosure 
controls and procedures. This is consistent with the Commission's 
general rules regarding the disclosure of information that is difficult 
to obtain.\124\
---------------------------------------------------------------------------

    \124\ See 17 CFR 230.409 and 17 CFR 240.12b-21, which provide 
that information need only be disclosed insofar as it is known or 
reasonably available to the registrant. Accordingly, we are not 
providing additional time to comply with Item 1.05 as it relates to 
third-party incidents, as requested by some commenters.
---------------------------------------------------------------------------

    Turning to disclosure timing, we believe that the modifications 
from the proposed rules regarding the disclosures called for by Item 
1.05 alleviate many of the concerns some commenters had regarding the 
proposed disclosure deadline of four business days from the materiality 
determination. Because the streamlined disclosure requirements we are 
adopting are focused on an incident's basic identifying details and its 
material impact or reasonably likely material impact, the registrant 
should have the information required to be disclosed under this rule as 
part of conducting the materiality determination. For example, most 
organizations' materiality analyses will include consideration of the 
financial impact of a cybersecurity incident, so information regarding 
the incident's impact on the registrant's financial condition and 
results of operations will likely have already been developed when Item 
1.05 is triggered.\125\ Thus, we believe that the four business day 
timeframe from the date of a materiality determination will be 
workable.
---------------------------------------------------------------------------

    \125\ To the extent any required information is not determined 
or is unavailable at the time of the required filing, Instruction 2 
to Item 1.05, as adopted, directs the registrant to include a 
statement to this effect in the Form 8-K and then file a Form 8-K 
amendment containing such information within four business days 
after the registrant, without unreasonable delay, determines such 
information or within four business days after such information 
becomes available. See infra Section II.B.3.
---------------------------------------------------------------------------

    The reformulation of Item 1.05 also addresses the concern among 
commenters that the disclosure may be tentative and unclear, resulting 
in false positives and mispricing in the market. In the majority of 
cases, the registrant will likely be unable to determine materiality 
the same day the incident is discovered. The registrant will develop 
information after discovery until it is sufficient to facilitate a 
materiality analysis.\126\ At that point, we believe investors are best 
served knowing, within four business days after the materiality 
determination, that the incident occurred and what led management to 
conclude the incident is material. While it is possible that 
occasionally there may be incidents that initially appear material but 
developments after the filing of the Item 1.05 Form 8-K reveal to be 
not material, the alternative of delaying disclosure beyond the four 
business day period after a materiality determination has the potential 
to lead to far more mispricing and will negatively impact investors 
making investment and voting decisions without the benefit of knowing 
that there is a material cybersecurity incident.
---------------------------------------------------------------------------

    \126\ As discussed below, registrants should develop such 
information without unreasonable delay.
---------------------------------------------------------------------------

    Commenters posited an array of alternative deadlines for the Item 
1.05 Form 8-K, as recounted above. We are not persuaded by commenters' 
arguments that disclosure should be delayed until companies mitigate,

[[Page 51905]]

contain, remediate, or otherwise diminish the harm of the incident, 
because, as discussed above, Item 1.05 does not require disclosure of 
the types of details that have the potential to be exploited by threat 
actors, but rather focuses on the incident's material impact or 
reasonably likely material impact on the registrant. While there may 
be, as commenters noted, some residual risk of the disclosure of an 
incident's existence tipping off threat actors, such risk is justified, 
in our view, by investors' need for timely information, and similar 
risk already exists today with some companies' current cybersecurity 
incident disclosure practices. We are also not persuaded that Item 1.05 
is sufficiently different from other Form 8-K items such that deviating 
from the form's four business day deadline following the relevant 
trigger would be indicated. While some commenters argued that Item 1.05 
is qualitatively different from all other Form 8-K filings in that its 
trigger is largely outside the company's control, we disagree because 
other Form 8-K items may also be triggered unexpectedly, such as Item 
4.01 (Changes in Registrant's Certifying Accountants) and Item 5.02 
(Departure of Directors or Principal Officers). And as compared to 
those items, the information needed for Item 1.05 may be further along 
in development when the filing is triggered, whereas, for example, a 
company may have no advance warning that a principal officer is 
departing.
    With respect to the five business day deadline suggested by a few 
commenters to allow registrants a full calendar week from the 
materiality determination to the disclosure, we note that in the 
majority of cases registrants will have had additional time leading up 
to the materiality determination, such that disclosure becoming due 
less than a week after discovery should be uncommon. More generally 
with respect to the various alternative timing suggestions, we observe 
that the Commission adopted the uniform four business day deadline in 
2004 to simplify the previous bifurcated deadlines, and we find 
commenters have not offered any compelling rationale to return to 
bifurcated deadlines.\127\ Form 8-K provides for current reporting of 
events that tend to be material to investor decision-making, and we see 
no reason to render the reporting of Item 1.05 less current than other 
Form 8-K items.
---------------------------------------------------------------------------

    \127\ See Additional Form 8-K Disclosure Release. See also 
Proposed Rule: Additional Form 8-K Disclosure Requirements and 
Acceleration of Filing Date, Release No. 33-8106 (June 17, 2002) [67 
FR 42914 (June 25, 2002)].
---------------------------------------------------------------------------

    In the Proposing Release, the Commission requested comment on 
whether to allow registrants to delay filing an Item 1.05 Form 8-K 
where the Attorney General determines that a delay is in the interest 
of national security.\128\ In response to comments, we are adopting a 
delay provision in cases where disclosure poses a substantial risk to 
national security or public safety. Pursuant to Item 1.05(c), a 
registrant may delay making an Item 1.05 Form 8-K filing if the 
Attorney General determines that the disclosure poses a substantial 
risk to national security or public safety and notifies the Commission 
of such determination in writing.\129\ Initially, disclosure may be 
delayed for a time period specified by the Attorney General, up to 30 
days following the date when the disclosure was otherwise required to 
be provided. The delay may be extended for an additional period of up 
to 30 days if the Attorney General determines that disclosure continues 
to pose a substantial risk to national security or public safety and 
notifies the Commission of such determination in writing.
---------------------------------------------------------------------------

    \128\ Proposing Release at 16598.
    \129\ We note that the delay provision we are adopting does not 
relieve a company's obligations under Regulation FD or with respect 
to the securities laws' antifraud prohibitions that proscribe 
certain insider trading, including Exchange Act Section 10(b). Under 
Regulation FD, material nonpublic information disclosed to any 
investor, for example, through investor outreach activities, would 
be required to be disclosed publicly, subject to limited exceptions. 
See 17 CFR 243.100 et seq.
---------------------------------------------------------------------------

    In extraordinary circumstances, disclosure may be delayed for a 
final additional period of up to 60 days if the Attorney General 
determines that disclosure continues to pose a substantial risk to 
national security and notifies the Commission of such determination in 
writing. We are providing for the final additional delay period in 
recognition that, in extraordinary circumstances, national security 
concerns may justify additional delay beyond that warranted by public 
safety concerns, due to the relatively more critical nature of national 
security concerns. Beyond the final 60-day delay, if the Attorney 
General indicates that further delay is necessary, the Commission will 
consider additional requests for delay and may grant such relief 
through Commission exemptive order.\130\
---------------------------------------------------------------------------

    \130\ Any exercise of exemptive authority in these circumstances 
would need to meet all of the standards of Section 36 of the 
Exchange Act. Furthermore, Item 1.05 of Form 8-K in no way limits 
the Commission's general exemptive authority under Section 36.
---------------------------------------------------------------------------

    We have consulted with the Department of Justice to establish an 
interagency communication process to allow for the Attorney General's 
determination to be communicated to the Commission in a timely manner. 
The Department of Justice will notify the affected registrant that 
communication to the Commission has been made, so that the registrant 
may delay filing its Form 8-K.
    We agree with commenters that a delay is appropriate for the 
limited instances in which public disclosure of a cybersecurity 
incident may cause harm to national security or public safety. The 
final rules appropriately balance such security concerns against 
investors' informational needs. In particular, the provision's 
``substantial risk to national security or public safety'' bases are 
sufficiently expansive to ensure that significant risks of harm from 
disclosure may be protected against, while also ensuring that investors 
are not denied timely access to material information.\131\ With respect 
to commenters who recommended that other Federal agencies and non-
Federal law enforcement agencies also be permitted to trigger a delay 
or who argued that other agencies may be the primary organization in 
the Federal Government for the response, we note that the rule does not 
preclude any such agency from requesting that the Attorney General 
determine that the disclosure poses a substantial risk to national 
security or public safety and communicate that determination to the 
Commission. However, we believe that designating a single law 
enforcement agency as the Commission's point of contact on such delays 
is critical to ensuring that the rule is administrable.
---------------------------------------------------------------------------

    \131\ The delay provision for substantial risk to national 
security or public safety is separate from Exchange Act Rule 0-6, 
which provides for the omission of information that has been 
classified by an appropriate department or agency of the Federal 
Government for the protection of the interest of national defense or 
foreign policy. If the information a registrant would otherwise 
disclose on an Item 1.05 Form 8-K or pursuant to Item 106 of 
Regulation S-K or Item 16K of Form 20-F is classified, the 
registrant should comply with Exchange Act Rule 0-6.
---------------------------------------------------------------------------

    Turning to other timing-related issues raised by commenters, we are 
not adopting commenters' suggestion to replace Item 1.05 with periodic 
reporting of material cybersecurity incidents on Forms 10-Q and 10-K 
because such an approach may result in significant variance as to when 
investors learn of material cybersecurity incidents. Based on when an 
incident occurs during a company's reporting

[[Page 51906]]

cycle, the timing between the materiality determination and reporting 
on the next Form 10-Q or Form 10-K could vary from a matter of months 
to a matter of weeks or less. For example, if two companies experience 
a similar cybersecurity incident, but one determines the incident is 
material early during a quarterly period and the other makes such 
determination at the end of the quarterly period, commenters' suggested 
approach would have both companies report the incident around the same 
time despite the first company having determined the incident was 
material weeks or months sooner, which would result in a significant 
delay in this information being provided to investors. Such variance 
would therefore reduce comparability across registrants and may put 
certain registrants at a competitive disadvantage.
    We also decline to use a quantifiable trigger for Item 1.05 because 
some cybersecurity incidents may be material yet not cross a particular 
financial threshold. We note above that the material impact of an 
incident may encompass a range of harms, some quantitative and others 
qualitative. A lack of quantifiable harm does not necessarily mean an 
incident is not material. For example, an incident that results in 
significant reputational harm to a registrant may not be readily 
quantifiable and therefore may not cross a particular quantitative 
threshold, but it should nonetheless be reported if the reputational 
harm is material. Similarly, whereas a cybersecurity incident that 
results in the theft of information may not be deemed material based on 
quantitative financial measures alone, it may in fact be material given 
the impact to the registrant that results from the scope or nature of 
harm to individuals, customers, or others, and therefore may need to be 
disclosed.
    In another change from the proposal, and to respond to commenters' 
concerns that the proposed ``as soon as reasonably practicable'' 
language in Instruction 1 could pressure companies to draw conclusions 
about incidents with insufficient information, we are revising the 
instruction to state that companies must make their materiality 
determinations ``without unreasonable delay.'' As explained in the 
Proposing Release, the instruction was intended to address any concern 
that some registrants may delay making such a determination to avoid a 
disclosure obligation.\132\ We understand commenter concerns that the 
proposed instruction could result in undue pressure to make a 
materiality determination before a registrant has sufficient 
information to do so, and we recognize that a materiality determination 
necessitates an informed and deliberative process. We believe the 
revised language should alleviate this unintended consequence, while 
providing registrants notice that, though the determination need not be 
rushed prematurely, it also cannot be unreasonably delayed in an effort 
to avoid timely disclosure. For example, for incidents that impact key 
systems and information, such as those the company considers its 
``crown jewels,'' \133\ as well as incidents involving unauthorized 
access to or exfiltration of large quantities of particularly important 
data, a company may not have complete information about the incident 
but may know enough about the incident to determine whether the 
incident was material. In other words, a company being unable to 
determine the full extent of an incident because of the nature of the 
incident or the company's systems, or otherwise the need for continued 
investigation regarding the incident, should not delay the company from 
determining materiality. Similarly, if the materiality determination is 
to be made by a board committee, intentionally deferring the 
committee's meeting on the materiality determination past the normal 
time it takes to convene its members would constitute unreasonable 
delay.\134\ As another example, if a company were to revise existing 
incident response policies and procedures in order to support a delayed 
materiality determination for or delayed disclosure of an ongoing 
cybersecurity event, such as by extending the incident severity 
assessment deadlines, changing the criteria that would require 
reporting an incident to management or committees with responsibility 
for public disclosures, or introducing other steps to delay the 
determination or disclosure, that would constitute unreasonable delay. 
In light of the revision to Instruction 1, we find that a safe harbor, 
as suggested by some commenters, is unnecessary; adhering to normal 
internal practices and disclosure controls and procedures will suffice 
to demonstrate good faith compliance. Importantly, we remind 
registrants, as the Commission did in the Proposing Release, that 
``[d]oubts as to the critical nature'' of the relevant information 
``will be commonplace'' and should ``be resolved in favor of those the 
statute is designed to protect,'' namely investors.\135\
---------------------------------------------------------------------------

    \132\ Proposing Release at 16596.
    \133\ See National Cybersecurity Alliance, Identify Your ``Crown 
Jewels'' (July 1, 2022), available at <a href="https://staysafeonline.org/cybersecurity-for-business/identify-your-crown-jewels/">https://staysafeonline.org/cybersecurity-for-business/identify-your-crown-jewels/</a> (explaining 
that ``[c]rown jewels are the data without which your business would 
have difficulty operating and/or the information that could be a 
high-value target for cybercriminals'').
    \134\ We note that Form 8-K Item 1.05 does not specify whether 
the materiality determination should be performed by the board, a 
board committee, or one or more officers. The company may establish 
a policy tasking one or more persons to make the materiality 
determination. Companies should seek to provide those tasked with 
the materiality determination information sufficient to make 
disclosure decisions.
    \135\ Proposing Release at 16596 (quoting TSC Indus. v. 
Northway, 426 U.S. at 448). The Court's opinion in TSC Indus. has a 
nuanced discussion of the balance of considerations in setting a 
materiality standard. 426 U.S. at 448-450.
---------------------------------------------------------------------------

    Revised Instruction 1 should also reassure registrants that they 
should continue sharing information with other companies or government 
actors about emerging threats. Such information sharing may not 
necessarily result in an Item 1.05 disclosure obligation. The 
obligation to file the Item 1.05 disclosure is triggered once a company 
has developed information regarding an incident sufficient to make a 
materiality determination, and a decision to share information with 
other companies or government actors does not in itself necessarily 
constitute a determination of materiality. A registrant may alert 
similarly situated companies as well as government actors immediately 
after discovering an incident and before determining materiality, so 
long as it does not unreasonably delay its internal processes for 
determining materiality.
    As proposed, we are adding Item 1.05 to the list of Form 8-K items 
in General Instruction I.A.3.(b) of Form S-3, so that the untimely 
filing of an Item 1.05 Form 8-K will not result in the loss of Form S-3 
eligibility.\136\ We note the significant support from commenters 
regarding this proposal, and as noted in the Proposing Release, 
continue to believe that the consequences of the loss of Form S-3 
eligibility would be unduly severe given the circumstances that will 
surround Item 1.05 disclosures. Likewise, as supported by many 
commenters, we are adopting as proposed amendments to Rules 13a-11(c) 
and 15d-11(c) under the Exchange Act to include new Item 1.05 in the 
list of Form 8-K items eligible for a limited safe harbor from 
liability under Section 10(b) or Rule 10b-5 under the Exchange Act. 
This accords with the view the Commission articulated in 2004 that the 
safe harbor is appropriate if the triggering event for the Form 8-K
requires management to make a rapid materiality determination.\137\
---------------------------------------------------------------------------

    \136\ Because of our decision to exempt asset-backed issuers 
from the new rules (see infra Section II.G.1), we are not amending 
Form SF-3.
    \137\ Additional Form 8-K Disclosure Release at 15607.
---------------------------------------------------------------------------

    We decline to permit registrants to furnish rather than file the 
Item 1.05 Form 8-K, as suggested by some commenters. While we 
understand commenters' points that reducing liability may ease the 
burden on registrants, we believe that treating Item 1.05 disclosures 
as filed will help promote the accuracy and reliability of such 
disclosures for the benefit of investors. Of the existing Form 8-K 
items, only Items 2.02 (Results of Operations and Financial Condition) 
and 7.01 (Regulation FD Disclosure) are permitted to be furnished 
rather than filed. The Commission created exceptions for those two 
items to allay concerns that do not pertain here. Specifically, with 
respect to Item 2.02, the Commission was motivated by concerns that 
requiring the information to be filed would discourage registrants from 
proactively issuing earnings releases and similar disclosures.\138\ 
Similarly, with respect to Item 7.01, the Commission decided to allow 
the disclosure to be furnished to address concerns that, if required to 
be filed, the disclosure could be construed as an admission of 
materiality, which might lead some registrants to avoid making 
proactive disclosure.\139\ By contrast, Item 1.05 is not a voluntary 
disclosure, and it is by definition material because it is not 
triggered until the registrant determines the materiality of an 
incident. It is thus more akin to the Form 8-K items other than Items 
2.02 and 7.01, in that it is a description of a material event that has 
occurred about which investors need adequate information. Therefore, 
the final rules require an Item 1.05 Form 8-K to be filed.
---------------------------------------------------------------------------

    \138\ See Conditions for Use of Non-GAAP Financial Measures, 
Release No. 33-8176 (Jan. 22, 2003) [68 FR 4819 (Jan. 30, 2003)].
    \139\ See Selective Disclosure and Insider Trading, Release No. 
33-7881 (Aug. 15, 2000) [65 FR 51715 (Aug. 24, 2000)].
---------------------------------------------------------------------------

    We are not including a new rule to ban trading by insiders during 
the materiality determination time period, as suggested by some 
commenters. Those with a fiduciary duty or other relationship of trust 
and confidence are already prohibited from trading while in possession 
of material, nonpublic information.\140\ And because we are adopting 
the four business days from materiality determination deadline, we 
agree with the point raised by some commenters that the risk of insider 
trading is low given the limited time period between experiencing a 
material incident and public disclosure. We also note that we recently 
adopted amendments to 17 CFR 240.10b5-1 (``Rule 10b5-1'') that added a 
certification condition for directors and officers wishing to avail 
themselves of the rule's affirmative defense; specifically, if relying 
on the amended affirmative defense, directors and officers need to 
certify in writing, at the time they adopt the trading plan, that they 
are unaware of material nonpublic information about the issuer or its 
securities, and are adopting the plan in good faith and not as part of 
a plan or scheme to evade the insider trading prohibitions.\141\ 
Therefore, given the timing of the incident disclosure requirement as 
well as the recently adopted amendments to Rule 10b5-1, we do not find 
need for a new rule banning trading by insiders during the time period 
between the materiality determination and disclosure.
---------------------------------------------------------------------------

    \140\ United States v. O'Hagan, 521 U.S. 642 (1997).
    \141\ See Insider Trading Arrangements and Related Disclosures, 
Release No. 33-11138 (Dec. 14, 2022) [87 FR 80362 (Dec. 29, 2022)].
---------------------------------------------------------------------------

    A number of commenters raised concerns about conflicts with other 
Federal laws and regulations. Of the Federal laws and regulations that 
we reviewed and commenters raised concerns with, we have identified one 
conflict, with the FCC's notification rule for breaches of customer 
proprietary network information (``CPNI'').\142\ Of the remaining 
Federal laws and regulations noted by commenters as presenting 
conflicts, our view is that Item 1.05 neither directly conflicts with 
nor impedes the purposes of other such laws and regulations.
---------------------------------------------------------------------------

    \142\ 47 CFR 64.2011. CPNI is defined in 47 CFR 222(h)(1) as: 
``(A) information that relates to the quantity, technical 
configuration, type, destination, location, and amount of use of a 
telecommunications service subscribed to by any customer of a 
telecommunications carrier, and that is made available to the 
carrier by the customer solely by virtue of the carrier-customer 
relationship; and (B) information contained in the bills pertaining 
to telephone exchange service or telephone toll service received by 
a customer of a carrier; except that such term does not include 
subscriber list information.''
---------------------------------------------------------------------------

    The FCC's rule for notification in the event of breaches of CPNI 
requires covered entities to notify the United States Secret Service 
(``USSS'') and the Federal Bureau of Investigation (``FBI'') no later 
than seven business days after reasonable determination of a CPNI 
breach, and further directs the entities to refrain from notifying 
customers or disclosing the breach publicly until seven business days 
have passed following the notification to the USSS and FBI.\143\ To 
accommodate registrants who are subject to this rule and may as a 
result face conflicting disclosure timelines,\144\ we are adding 
paragraph (d) to Item 1.05 providing that such registrants may delay 
making a Form 8-K disclosure up to the seven business day period 
following notification to the USSS and FBI specified in the FCC 
rule,\145\ with written notification to the Commission.\146\
---------------------------------------------------------------------------

    \143\ We note that the FCC recently proposed amending its rule; 
among other things, the proposal would eliminate the seven-business 
day waiting period, potentially eliminating the conflict. Federal 
Communications Commission, Data Breach Reporting Requirements, 88 FR 
3953 (Jan. 23, 2023).
    \144\ Commission staff consulted with FCC staff about a 
potential delay provision to address any conflict between the FCC 
rule and the Form 8-K reporting requirements.
    \145\ The exception we are creating does not apply to 47 CFR 
64.2011(b)(3), which provides that the USSS or FBI may direct the 
entity to further delay notification to customers or public 
disclosure beyond seven business days if such disclosure ``would 
impede or compromise an ongoing or potential criminal investigation 
or national security.'' If the USSS or FBI believes that disclosure 
would result in a substantial risk to national security or public 
safety, it may, as explained above, work with the Department of 
Justice to seek a delay of disclosure.
    \146\ Such notice should be provided through correspondence on 
EDGAR no later than the date when the disclosure required by Item 
1.05 was otherwise required to be provided.
---------------------------------------------------------------------------

    We also considered the conflicts commenters alleged with CIRCIA. 
Specifically, they stated that Item 1.05 is at odds with the goals of 
CIRCIA, and that it may conflict with forthcoming regulations from 
CISA. The confidential reporting system established by CIRCIA serves a 
different purpose from Item 1.05 and through different means; the 
former focuses on facilitating the Federal Government's preparation for 
and rapid response to cybersecurity threats, while the latter focuses 
on providing material information about public companies to investors 
in a timely manner. While CISA has yet to propose regulations to 
implement CIRCIA, given the statutory authority, text, and legislative 
history of CIRCIA, it appears unlikely the regulations would affect the 
balance of material information available to investors about public 
companies, because the reporting regime CIRCIA establishes is 
confidential.\147\ Nonetheless, the Commission participates in 
interagency working groups on cybersecurity regulatory implementation, 
and will continue to monitor developments in this area to determine if 
modification to Item 1.05 becomes appropriate in light of future 
developments.\148\
---------------------------------------------------------------------------

    \147\ 6 U.S.C. 681e.
    \148\ Should a conflict arise in the future with CISA 
regulations or regulations of another Federal agency, the Commission 
can address such conflict via rulemaking or other action at that 
time.
---------------------------------------------------------------------------

    We also considered the HIPAA-related conflict alleged by 
commenters,
specifically with respect to HHS's rule on Notification in the Case of 
Breach of Unsecured Protected Health Information. That rule provides, 
in the event of a breach of unsecured protected health information, for 
the covered entity to provide notification to affected individuals 
``without unreasonable delay and in no case later than 60 calendar days 
after discovery of a breach.'' \149\ If the breach involves more than 
500 residents of a state or jurisdiction, the rule directs the covered 
entity to also notify prominent media outlets within the same 
timeframe.\150\ The rule further provides that if a company receives 
written notice from ``a law enforcement official'' requesting a delay 
and specifying the length of the delay, then the company ``shall . . . 
delay such notification, notice, or posting for the time period 
specified by the official.'' \151\
---------------------------------------------------------------------------

    \149\ 45 CFR 164.404(b). The notification must describe the 
breach, the types of unsecured protected health information 
involved, steps the individuals should take to protect themselves, 
what the entity is doing to mitigate harm and remediate, and where 
the individuals can seek additional information. Id.
    \150\ 45 CFR 164.406.
    \151\ 45 CFR 164.412.
---------------------------------------------------------------------------

    We do not view Form 8-K Item 1.05 as implicated by the HHS rule. 
Importantly, the HHS rule's delay provision applies specifically to any 
``notification, notice, or posting required under this subpart,'' or in 
other words notice to affected individuals, media, and the Secretary of 
HHS.\152\ Such notification focuses on the consequences of the breach 
for the affected individuals; for example, individuals must be told 
what types of protected health information were accessed, and what 
steps they should take to protect themselves from harm.\153\ This is 
different from the disclosure required by Item 1.05, which focuses on 
the consequences for the company that are material to investors, and 
whose timing is tied not to discovery but to a materiality 
determination. The HHS rule does not expressly preclude the latter type 
of public disclosure, or other potential communications companies 
experiencing a breach may make. Therefore, we believe that a registrant 
subject to the HHS rule will not face a conflict in complying with Item 
1.05.\154\
---------------------------------------------------------------------------

    \152\ Id.
    \153\ 45 CFR 164.404(c).
    \154\ For the same reason, the Federal Trade Commission's Health 
Breach Notification rule, which is similar to HHS's rule, does not 
present a conflict either. See 16 CFR part 318.
---------------------------------------------------------------------------

    We also considered the conflicts commenters alleged with 
regulations and programs of DOD, DOE, DHS, the Federal banking 
regulatory agencies, state insurance laws, and miscellaneous other 
Federal agencies or laws. We find that, while there may be some overlap 
of subject matter, Item 1.05 neither conflicts with nor impedes the 
purpose of those regulations and programs.\155\ We disagree with one 
commenter's assertion that cybersecurity incident disclosure ``falls 
squarely within the jurisdiction of state insurance commissioners'' as 
state cybersecurity incident reporting regulations would not pertain to 
the ``business of insurance'' as courts have interpreted the McCarran-
Ferguson Act, and the commenter did not note any particular state 
insurance laws that would present a conflict.\156\ With respect to 
Federal banking regulatory agencies specifically, we note that, in the 
event they believe that the disclosure of a material cybersecurity 
incident would threaten the health of the financial system in such a 
way that results in a substantial risk to national security or public 
safety, they may, as explained above, work with the Department of 
Justice to seek to delay disclosure.
---------------------------------------------------------------------------

    \155\ For example, one commenter alleged conflicts with DHS's 
Chemical Facilities Anti-Terrorism Standards program (``CFATS'') and 
with the Maritime Transportation Security Act (``MTSA''). See letter 
from American Chemistry Council. Both CFATS and MTSA provide for the 
protection of certain sensitive information, but neither is 
implicated by cybersecurity incident disclosure to the Commission.
    \156\ See, e.g., SEC v. National Sec., Inc., 393 U.S. 453 
(1969).
---------------------------------------------------------------------------

    It would not be practical to further harmonize Item 1.05 with other 
agencies' cybersecurity incident reporting regulations, as one 
commenter suggested,\157\ because Item 1.05 serves a different 
purpose--it is focused on the needs of investors, rather than the needs 
of regulatory agencies, affected individuals, or the like. With respect 
to state insurance and privacy laws, commenters did not provide any 
evidence sufficient to alter the Commission's finding in the Proposing 
Release that, to the extent that Item 1.05 would require disclosure in 
a situation where state law would excuse or delay notification, we 
consider prompt reporting of material cybersecurity incidents to 
investors critical to investor protection and well-functioning, 
orderly, and efficient markets.
---------------------------------------------------------------------------

    \157\ See letter from BIO.
---------------------------------------------------------------------------

B. Disclosures About Cybersecurity Incidents in Periodic Reports

1. Proposed Amendments
    The Commission proposed to add new Item 106 to Regulation S-K to, 
among other things, require updated cybersecurity disclosure in 
periodic reports. If a registrant previously provided disclosure 
regarding one or more cybersecurity incidents pursuant to Item 1.05 of 
Form 8-K, proposed 17 CFR 229.106(d)(1) (Regulation S-K ``Item 
106(d)(1)'') would require such registrant to disclose ``any material 
changes, additions, or updates'' on the registrant's quarterly report 
on Form 10-Q or annual report on Form 10-K.\158\ In addition, proposed 
Item 106(d)(1) would require disclosure of the following information:
---------------------------------------------------------------------------

    \158\ Proposing Release at 16598.
---------------------------------------------------------------------------

    <bullet> Any material effect of the incident on the registrant's 
operations and financial condition;
    <bullet> Any potential material future impacts on the registrant's 
operations and financial condition;
    <bullet> Whether the registrant has remediated or is currently 
remediating the incident; and
    <bullet> Any changes in the registrant's policies and procedures as 
a result of the cybersecurity incident, and how the incident may have 
informed such changes.\159\
---------------------------------------------------------------------------

    \159\ Id.
---------------------------------------------------------------------------

    The Commission explained that it paired current reporting under 
Item 1.05 of Form 8-K with periodic reporting under 17 CFR 229.106(d) 
(Regulation S-K ``Item 106(d)'') to balance investors' need for timely 
disclosure with their need for complete disclosure.\160\ When an Item 
1.05 Form 8-K becomes due, the Commission noted, a registrant may not 
possess complete information about the material cybersecurity incident. 
Accordingly, under the proposed rules, a registrant would provide the 
information known at the time of the Form 8-K filing and follow up in 
its periodic reports with more complete information as it becomes 
available, along with any updates to previously disclosed information.
---------------------------------------------------------------------------

    \160\ Id.
---------------------------------------------------------------------------

    The Commission also proposed 17 CFR 229.106(d)(2) (Regulation S-K 
``Item 106(d)(2)'') to require disclosure in a registrant's next 
periodic report when, to the extent known to management, a series of 
previously undisclosed individually immaterial cybersecurity incidents 
become material in the aggregate.\161\ The Proposing Release explained 
that this requirement may be triggered where, for example, a threat 
actor engages in a number of smaller but continuous related 
cyberattacks against the same company and collectively they become 
material.\162\ Item 106(d)(2) would require disclosure of essentially 
the
same information required in proposed Item 1.05 of Form 8-K, as 
follows:
---------------------------------------------------------------------------

    \161\ Id. at 16599.
    \162\ Id.
---------------------------------------------------------------------------

    <bullet> A general description of when the incidents were 
discovered and whether they are ongoing;
    <bullet> A brief description of the nature and scope of the 
incidents;
    <bullet> Whether any data were stolen or altered in connection with 
the incidents;
    <bullet> The effect of the incidents on the registrant's 
operations; and
    <bullet> Whether the registrant has remediated or is currently 
remediating the incidents.\163\
---------------------------------------------------------------------------

    \163\ Id. at 16619-16620.
---------------------------------------------------------------------------

2. Comments
    Reaction among commenters to proposed Item 106(d)(1) was mixed. 
Some wrote in support, noting that updated incident disclosure is 
needed to avoid previously disclosed information becoming stale and 
misleading as more information becomes available, and saying that 
updates help investors assess the efficacy of companies' cybersecurity 
procedures.\164\ Others took issue with specific aspects of the 
proposed rule. For example, some commenters stated that the proposed 
requirement to disclose ``any potential material future impacts'' is 
vague and difficult to apply, and urged removing or revising it.\165\ 
Similarly, other commenters said that registrants should not be 
required to describe progress on remediation, noting that such 
information could open them up to more attacks.\166\ In the same vein, 
one commenter suggested that no updates be required until remediation 
is sufficiently complete.\167\ One commenter said the requirement to 
disclose changes in policies and procedures is unnecessary and overly 
broad,\168\ and another commenter said the requirement should be 
narrowed to ``material changes.'' \169\
---------------------------------------------------------------------------

    \164\ See letters from AICPA; Crindata; R Street. See also IAC 
Recommendation.
    \165\ See letters from EEI; Prof. Perullo; PWC; SCG.
    \166\ See letters from BCE; BPI et al.; Enbridge. See also 
letter from EEI (suggesting narrowing the rule to ``material 
remediation,'' and delaying such disclosure until remediation is 
complete).
    \167\ See letter from EEI.
    \168\ See letter from Prof. Perullo.
    \169\ See letter from EEI.
---------------------------------------------------------------------------

    More generally, commenters sought clarification on how to 
differentiate instances where updates should be included in periodic 
reports from instances where updates should be filed on Form 8-K; they 
found the guidance in the Proposing Release on this point ``unclear.'' 
\170\ And one commenter argued that, regardless of where the update is 
filed, the incremental availability of information would make it 
difficult for companies to determine when the update requirement is 
triggered.\171\
---------------------------------------------------------------------------

    \170\ See letter from PWC; accord letter from Deloitte. The 
Proposing Release stated: ``Notwithstanding proposed Item 106(d)(1), 
there may be situations where a registrant would need to file an 
amended Form 8-K to correct disclosure from the initial Item 1.05 
Form 8-K, such as where that disclosure becomes inaccurate or 
materially misleading as a result of subsequent developments 
regarding the incident. For example, if the impact of the incident 
is determined after the initial Item 1.05 Form 8-K filing to be 
significantly more severe than previously disclosed, an amended Form 
8-K may be required.'' Proposing Release at 16598.
    \171\ See letter from Quest.
---------------------------------------------------------------------------

    With respect to proposed Item 106(d)(2), a large number of 
commenters expressed concern about the aggregation requirement, saying, 
for example, that companies experience too many events to realistically 
communicate internally upward to senior management, and that retaining 
and analyzing data on past events would be too costly.\172\ A number of 
other commenters relatedly said that, for the aggregation requirement 
to be workable, companies need more guidance on the nature, timeframe, 
and breadth of incidents that should be collated.\173\ In this regard, 
one supporter of the requirement explained in its request for 
additional guidance that ``cybersecurity incidents are so unfortunately 
common that a strict reading of this section could cause overreporting 
to the point that it is meaningless for shareholders.'' \174\
---------------------------------------------------------------------------

    \172\ See letters from ABA; ACLI; AIA; Business Roundtable; EEI; 
Enbridge; Ernst & Young LLP (``E&Y''); FAH; FedEx; Center on Cyber 
and Technology Innovation at the Foundation for Defense of 
Democracies (``FDD''); GPA; Hunton; ITI; ISA; LTSE; Microsoft; 
Nareit; NAM; NDIA; NRA; Prof. Perullo; SCG; SIFMA.
    \173\ See letters from ACC; APCIA; BDO USA, LLP (``BDO''); BPI 
et al.; CAQ; Chamber; Chevron; Deloitte; EIC; FEI; M. Barragan; PWC; 
R Street; TransUnion.
    \174\ See letter from R Street.
---------------------------------------------------------------------------

    Some commenters suggested revising the rule to cover only 
``related'' incidents.\175\ Possible definitions offered for 
``related'' incidents included those ``performed by the same malicious 
actor or that exploited the same vulnerability,'' \176\ and those 
resulting from ``attacks on the same systems, processes or controls of 
a registrant over a specified period of time.'' \177\ Suggestions for 
limiting the time period over which aggregation should occur included 
the preceding one year,\178\ and the preceding two years.\179\ One 
commenter requested the Commission clarify that a company's Item 
106(d)(2) disclosure need describe only the aggregate material impact 
of the incidents, rather than describing each incident individually; 
the commenter was concerned with threat actors becoming informed of a 
company's vulnerabilities through overly detailed disclosure.\180\ 
Another commenter suggested granting registrants additional time to 
come into compliance with Item 106(d)(2) after Commission adoption, so 
that they can develop system functionality to retain details about 
immaterial incidents.\181\
---------------------------------------------------------------------------

    \175\ See letters from ABA; APCIA; EEI; E&Y; PWC.
    \176\ See letter from ABA.
    \177\ See letter from E&Y.
    \178\ See letter from APCIA.
    \179\ See letter from EEI.
    \180\ See letter from AGA/INGAA.
    \181\ See letter from Deloitte.
---------------------------------------------------------------------------

    Commenters also wrote in support of the aggregation 
requirement.\182\ One of these commenters stated that aggregation is 
needed especially where an advanced persistent threat actor \183\ seeks 
to exfiltrate data or intellectual property over time.\184\
---------------------------------------------------------------------------

    \182\ See letters from CII; CSA; R Street; NASAA.
    \183\ The National Institute of Standards and Technology 
explains that an advanced persistent threat ``is an adversary or 
adversarial group that possesses the expertise and resources that 
allow it to create opportunities to achieve its objectives by using 
multiple attack vectors, including cyber, physical, and deception. 
The APT objectives include establishing a foothold within the 
infrastructure of targeted organizations for purposes of 
exfiltrating information; undermining or impeding critical aspects 
of a mission, function, program, or organization; or positioning 
itself to carry out these objectives in the future. The APT pursues 
its objectives repeatedly over an extended period, adapts to 
defenders' efforts to resist it, and is determined to maintain the 
level of interaction needed to execute its objectives.'' National 
Institute of Standards and Technology, NIST Special Publication 800-
172, Enhanced Security Requirements for Protecting Controlled 
Unclassified Information (Feb. 2021), at 2.
    \184\ See letter from CSA.
---------------------------------------------------------------------------

3. Final Amendments
    In response to comments, we are not adopting proposed Item 
106(d)(1) and instead are adopting a new instruction to clarify that 
updated incident disclosure must be provided in a Form 8-K amendment. 
Specifically, we are revising proposed Instruction 2 to Item 1.05 of 
Form 8-K to direct the registrant to include in its Item 1.05 Form 8-K 
a statement identifying any information called for in Item 1.05(a) that 
is not determined or is unavailable at the time of the required filing 
and then file an amendment to its Form 8-K containing such information 
within four business days after the registrant, without unreasonable 
delay, determines such information or within four business days after 
such information becomes available. This change mitigates commenters' 
concerns with Item 106(d)(1). In particular, under the final rules, 
companies will not have to distinguish whether information

[[Page 51910]]

regarding a material cybersecurity incident that was not determined or 
was unavailable at the time of the initial Form 8-K filing should be 
included on current reports or periodic reports, as the reporting would 
be in an amended Form 8-K; details that commenters suggested raised 
security concerns, such as remediation status, are not required; and 
concerns that the proposed rule was vague or overbroad have been 
addressed by narrowing the required disclosure to the information 
required by Item 1.05(a). We also believe that use of a Form 8-K 
amendment rather than a periodic report will allow investors to more 
quickly identify updates regarding incidents that previously were 
disclosed.
    We appreciate that new information on a reported cybersecurity 
incident may surface only in pieces; the final rules, however, do not 
require updated reporting for all new information. Rather, Instruction 
2 to Item 1.05 directs companies to file an amended Form 8-K with 
respect to any information called for in Item 1.05(a) that was not 
determined or was unavailable at the time of the initial Form 8-K 
filing. Other than with respect to such previously undetermined or 
unavailable information, the final rules do not separately create or 
otherwise affect a registrant's duty to update its prior statements. We 
remind registrants, however, that they may have a duty to correct prior 
disclosure that the registrant determines was untrue (or omitted a 
material fact necessary to make the disclosure not misleading) at the 
time it was made \185\ (for example, if the registrant subsequently 
discovers contradictory information that existed at the time of the 
initial disclosure), or a duty to update disclosure that becomes 
materially inaccurate after it is made \186\ (for example, when the 
original statement is still being relied on by reasonable investors). 
Registrants should consider whether they need to revisit or refresh 
previous disclosure, including during the process of investigating a 
cybersecurity incident.\187\
---------------------------------------------------------------------------

    \185\ See Backman v. Polaroid Corp., 910 F.2d 10, 16-17 (1st 
Cir. 1990) (en banc) (finding that the duty to correct applies ``if 
a disclosure is in fact misleading when made, and the speaker 
thereafter learns of this'').
    \186\ See id. at 17 (describing the duty to update as 
potentially applying ``if a prior disclosure `becomes materially 
misleading in light of subsequent events''' (quoting Greenfield v. 
Heublein, Inc., 742 F.2d 751, 758 (3d Cir. 1984))). But see 
Higginbotham v. Baxter Intern., Inc., 495 F.3d 753, 760 (7th Cir. 
2007) (rejecting duty to update before next quarterly report); 
Gallagher v. Abbott Laboratories, 269 F.3d 806, 808-11 (7th Cir. 
2001) (explaining that securities laws do not require continuous 
disclosure).
    \187\ Relatedly, registrants should be aware of the requirement 
under Item 106(b)(2) of Regulation S-K to describe ``[w]hether any 
risks from cybersecurity threats, including as a result of any 
previous cybersecurity incidents, have materially affected or are 
reasonably likely to materially affect the registrant'' (emphasis 
added). See infra Section II.C.1.c.
---------------------------------------------------------------------------

    We are not adopting proposed Item 106(d)(2), in response to 
concerns that the proposed aggregation requirement was vague or 
difficult to apply. We are persuaded by commenters that the proposed 
requirement might be difficult to differentiate from Item 1.05 
disclosure, or by contrast, could result in the need for extensive 
internal controls and procedures to monitor all immaterial events to 
determine whether they have become collectively material. The intent of 
the proposed requirement was to capture the material impacts of related 
incidents, and prevent the avoidance of incident disclosure through 
disaggregation of such related events. However, upon further 
reflection, and after review of comments, we believe that the proposed 
requirement is not necessary based on the scope of Item 1.05.
    To that end, we emphasize that the term ``cybersecurity incident'' 
as used in the final rules is to be construed broadly, as the 
Commission stated in the Proposing Release.\188\ The definition of 
``cybersecurity incident'' we are adopting extends to ``a series of 
related unauthorized occurrences.'' \189\ This reflects that 
cyberattacks sometimes compound over time, rather than present as a 
discrete event. Accordingly, when a company finds that it has been 
materially affected by what may appear as a series of related cyber 
intrusions, Item 1.05 may be triggered even if the material impact or 
reasonably likely material impact could be parceled among the multiple 
intrusions to render each by itself immaterial. One example was 
provided in the Proposing Release: the same malicious actor engages in 
a number of smaller but continuous cyberattacks related in time and 
form against the same company and collectively, they are either 
quantitatively or qualitatively material.\190\ Another example is a 
series of related attacks from multiple actors exploiting the same 
vulnerability and collectively impeding the company's business 
materially.
---------------------------------------------------------------------------

    \188\ Proposing Release at 16601.
    \189\ See infra Section II.C.3.
    \190\ Proposing Release at 16599.
---------------------------------------------------------------------------

C. Disclosure of a Registrant's Risk Management, Strategy and 
Governance Regarding Cybersecurity Risks

1. Risk Management and Strategy
a. Proposed Amendments
    The Commission proposed to add 17 CFR 229.106(b) (Regulation S-K 
``Item 106(b)'') to require registrants to provide more consistent and 
informative disclosure regarding their cybersecurity risk management 
and strategy in their annual reports. The Commission noted the Division 
of Corporation Finance staff's experience that most registrants 
disclosing a cybersecurity incident do not describe their cybersecurity 
risk oversight or any related policies and procedures, even though 
companies typically address significant risks by developing risk 
management systems that often include written policies and 
procedures.\191\
---------------------------------------------------------------------------

    \191\ Id.
---------------------------------------------------------------------------

    Proposed Item 106(b) would require a description of the 
registrant's policies and procedures, if any, for the identification 
and management of cybersecurity threats, including, but not limited to: 
operational risk (i.e., disruption of business operations); 
intellectual property theft; fraud; extortion; harm to employees or 
customers; violation of privacy laws and other litigation and legal 
risk; and reputational risk. As proposed, registrants would be required 
to include a discussion, as applicable, of:
    <bullet> Whether the registrant has a cybersecurity risk assessment 
program and if so, a description of the program ((b)(1));
    <bullet> Whether the registrant engages assessors, consultants, 
auditors, or other third parties in connection with any cybersecurity 
risk assessment program ((b)(2));
    <bullet> Whether the registrant has policies and procedures to 
oversee, identify, and mitigate the cybersecurity risks associated with 
its use of any third-party service provider (including, but not limited 
to, those providers that have access to the registrant's customer and 
employee data), including whether and how cybersecurity considerations 
affect the selection and oversight of these providers and contractual 
and other mechanisms the company uses to mitigate cybersecurity risks 
related to these providers ((b)(3));
    <bullet> Whether the registrant undertakes activities to prevent, 
detect, and minimize effects of cybersecurity incidents ((b)(4));
    <bullet> Whether the registrant has business continuity, 
contingency, and recovery

[[Page 51911]]

plans in the event of a cybersecurity incident ((b)(5));
    <bullet> Whether previous cybersecurity incidents have informed 
changes in the registrant's governance, policies and procedures, or 
technologies ((b)(6));
    <bullet> Whether cybersecurity related risk and incidents have 
affected or are reasonably likely to affect the registrant's results of 
operations or financial condition and if so, how ((b)(7)); and
    <bullet> Whether cybersecurity risks are considered as part of the 
registrant's business strategy, financial planning, and capital 
allocation and if so, how ((b)(8)).\192\
---------------------------------------------------------------------------

    \192\ Id. at 16599-16600.
---------------------------------------------------------------------------

    The Commission anticipated that proposed Item 106(b) would benefit 
investors by requiring more consistent disclosure of registrants' 
strategies and actions to manage cybersecurity risks.\193\ Such risks, 
the Commission observed, can affect registrants' business strategy, 
financial outlook, and financial planning, as companies increasingly 
rely on information technology, collection of data, and use of digital 
payments as critical components of their businesses.\194\
---------------------------------------------------------------------------

    \193\ Id. at 16599.
    \194\ Id.
---------------------------------------------------------------------------

    The Commission noted that the significant number of cybersecurity 
incidents pertaining to third-party service providers prompted the 
proposal to require disclosure of registrants' selection and oversight 
of third-party entities.\195\ The Commission also proposed requiring 
discussion of how prior cybersecurity incidents have affected or are 
reasonably likely to affect the registrant, because such disclosure 
would equip investors to better comprehend the level of cybersecurity 
risk the company faces and assess the company's preparedness regarding 
such risk.\196\
---------------------------------------------------------------------------

    \195\ Id.
    \196\ Id.
---------------------------------------------------------------------------

b. Comments
    Many commenters supported proposed Item 106(b) for requiring 
information that is vital to investors as they assess companies' risk 
profiles and make investment decisions.\197\ One said cybersecurity 
disclosures now are ``scattered and unpredictable'' rather than 
``uniform,'' which ``diminishes their effectiveness.'' \198\ Similarly, 
another found that current disclosures ``do not provide investors with 
the information necessary to evaluate whether companies have adequate 
governance structures and measures in place to deal with cybersecurity 
challenges.'' \199\ The IAC recommended extending the proposed Item 
106(b) disclosure requirements (as well as the proposed Item 106(c) 
disclosure requirements) to registration statements, stating that 
``pre-IPO companies may face heightened [cybersecurity] risks.'' \200\
---------------------------------------------------------------------------

    \197\ See letters of AICPA; <a href="http://BuildingCyberSecurity.org">BuildingCyberSecurity.org</a> (``BCS''); 
Better Markets; Bitsight; Blue Lava, Inc. (``Blue Lava''); CalPERS; 
ITIF; National Association of Corporate Directors (``NACD''); NASAA; 
PWC; PRI; R Street; SecurityScorecard; Tenable Holdings Inc. 
(``Tenable''). See also IAC Recommendation.
    \198\ See letter from Better Markets.
    \199\ See letter from PRI.
    \200\ See IAC Recommendation.
---------------------------------------------------------------------------

    By contrast, a number of commenters opposed proposed Item 106(b). 
In particular, they commented that much of the proposed Item 106(b) 
disclosure could increase a company's vulnerability to cyberattacks; 
they expressed particular concern regarding the potential harms from 
disclosures about whether cybersecurity policies are in place, incident 
response processes and techniques, previous incidents and what changes 
they spurred, and third-party service providers.\201\ Another criticism 
was that proposed Item 106(b) would effectively force companies to 
model their cybersecurity policies on the rule's disclosure elements, 
rather than the practices best suited to each company's context.\202\ 
One commenter saw proposed Item 106(b) as counteracting the 
streamlining accomplished in the Commission's 2020 release modernizing 
Regulation S-K.\203\
---------------------------------------------------------------------------

    \201\ See letters from ABA; ACLI; APCIA; BIO; BPI et al.; 
Business Roundtable; Chamber; CSA; CTIA; EIC; Enbridge; FAH; 
Federated Hermes; GPA; ITI; ISA; Nareit; NAM; NMHC; NRA; National 
Retail Federation (``NRF''); SIFMA; Sen. Portman; TechNet; 
TransUnion; USTelecom; Virtu.
    \202\ See letters from BPI et al.; Chamber; EIC; Nareit; NRF; 
NYSE; SCG; SIFMA; Virtu.
    \203\ See letter from Nasdaq (citing Modernization of Regulation 
S-K Items 101, 103, and 105, Release No. 33-10825 (Aug. 26, 2020) 
[85 FR 63726 (Oct. 8, 2020)]).
---------------------------------------------------------------------------

    Some commenters offered suggestions to narrow proposed Item 106(b) 
to address their concerns. On proposed paragraph (b)(1), one commenter 
recommended allowing a registrant to forgo describing its risk 
assessment program if it confirms that it ``uses best practices and 
standards'' to identify and protect against cybersecurity risks and 
detect and respond to such events.\204\ On proposed paragraph (b)(3), a 
few commenters said that registrants should be required to disclose 
only high-level information relating to third parties, such as 
confirmation that policies and procedures are appropriately applied to 
third-party selection and oversight, and should not have to identify 
the third parties or discuss the underlying mechanisms, controls, and 
contractual requirements.\205\
---------------------------------------------------------------------------

    \204\ See letter from Cybersecurity Coalition.
    \205\ See letters from BPI et al.; Chamber; SIFMA. Other 
commenters supported the level of detail required in (b)(3). See 
letters from AICPA; PRI.
---------------------------------------------------------------------------

    Some commenters opposed proposed paragraph (b)(6)'s requirement to 
discuss whether ``previous cybersecurity incidents informed changes in 
the registrant's governance, policies and procedures, or technologies'' 
entirely, stating it would undermine a registrant's cybersecurity.\206\ 
One commenter recommended the proposed (b)(6) disclosure be required 
only at a high level, without specific details,\207\ while two 
commenters appeared to propose only requiring disclosure as it pertains 
to previous material incidents.\208\ Commenters suggested a materiality 
filter for proposed paragraph (b)(7)'s requirement to discuss whether 
``cybersecurity-related risks and previous cybersecurity-related 
incidents have affected or are reasonably likely to affect the 
registrant's strategy, business model, results of operations, or 
financial condition and if so, how,'' so that the requirement would 
apply only where a registrant has been materially affected or is 
reasonably likely to be materially affected.\209\
---------------------------------------------------------------------------

    \206\ See letters from ITI; SCG; Tenable.
    \207\ See letter from Cybersecurity Coalition.
    \208\ See letters from AGA/INGAA; American Public Gas Association 
(``APGA'').
    \209\ See letter from PWC.
---------------------------------------------------------------------------

    More broadly, one commenter recommended replacing the rule's 
references to ``policies and procedures'' with ``strategy and 
programs,'' because in the commenter's experience companies may not 
codify their cybersecurity strategy in the same way they codify other 
compliance policies and procedures.\210\ One commenter also suggested 
offering companies the choice to place the proposed Item 106(b) 
disclosures in either the Form 10-K or the proxy statement.\211\
---------------------------------------------------------------------------

    \210\ See letter from Prof. Perullo.
    \211\ See letter from Nasdaq.
---------------------------------------------------------------------------

    Several commenters supported requiring registrants that lack 
cybersecurity policies and procedures to explicitly say so, commenting, 
for example, that ``investors should not be left to intuit the meaning 
of a company's silence in its disclosures.'' \212\ One

[[Page 51912]]

commenter further stated that registrants should be required to explain 
why they have not adopted cybersecurity policies and procedures.\213\ 
By contrast, two commenters opposed requiring registrants that lack 
cybersecurity policies and procedures to explicitly say so,\214\ with 
one commenter saying that ``a threat actor may target registrants they 
perceive to have unsophisticated cybersecurity programs,'' \215\ and 
the other commenter saying ``it is highly unlikely that any SEC 
registrants would not have `established any cybersecurity policies and 
procedures.''' \216\
---------------------------------------------------------------------------

    \212\ See letters from Blue Lava; CSA; Cybersecurity Coalition; 
ITI; NASAA; Prof. Perullo; Tenable. The quoted language is from 
NASAA's letter. See also IAC Recommendation (recommending ``that 
issuers that have not developed any cybersecurity policies or 
procedures be required to make a statement to that effect'' because 
``the vast majority of investors . . . would view the complete 
absence of cybersecurity risk governance as overwhelmingly material 
to investment decision-making'').
    \213\ See letter from NASAA.
    \214\ See letters from EIC; IIA.
    \215\ See letter from EIC.
    \216\ See letter from IIA.
---------------------------------------------------------------------------

    In response to the Commission's request for comment about whether 
to require a registrant to specify whether any cybersecurity assessor, 
consultant, auditor, or other service provider that it relies on is 
through an internal function or through an external third-party service 
provider, several commenters opposed the idea as not useful, with one 
saying that ``a significant majority--possibly the entirety--of SEC 
registrants'' rely on third-party service providers for some portion of 
their cybersecurity.\217\ Conversely, another commenter supported the 
third-party specification, and suggested requiring registrants to name 
the third parties, as over time, this would create more transparency in 
whether breaches correlate with specific third parties.\218\
---------------------------------------------------------------------------

    \217\ See letters from BCS; Chevron; EIC; IIA; Prof. Perullo. 
The quoted language is from the letter of IIA.
    \218\ See letter from Blue Lava.
---------------------------------------------------------------------------

    Commenters also offered a range of recommended additions to the 
rule. One commenter recommended modifying proposed paragraph (b)(1) to 
require registrants to specify whether their cybersecurity programs 
assess risks continuously or periodically, arguing the latter approach 
leaves companies more exposed.\219\ The same commenter suggested 
paragraph (b)(2) require ``a description of the class of services and 
solutions'' provided by third parties.\220\
---------------------------------------------------------------------------

    \219\ See letter from Tenable.
    \220\ Id.
---------------------------------------------------------------------------

    A few commenters recommended that we direct registrants to quantify 
their cybersecurity risk exposure through independent risk 
assessments.\221\ Similarly, one commenter urged us to require 
registrants to explain how they quantify their cybersecurity risk,\222\ 
while another said we should set out quantifiable metrics against which 
companies measure their cybersecurity systems, though it did not 
specify what these metrics should be.\223\ Two commenters suggested 
that we require companies to disclose whether their cybersecurity 
programs have been audited by a third party.\224\ And one commenter 
recommended that we require registrants to disclose whether they use 
the cybersecurity framework of the National Institute of Standards and 
Technology (``NIST''), to ease comparison of registrant risk 
profiles.\225\
---------------------------------------------------------------------------

    \221\ See letters from BitSight; Kovrr Risk Modeling Ltd.; 
SecurityScorecard.
    \222\ See letter from Safe Security.
    \223\ See letter from FDD.
    \224\ See letters from BCS; Better Markets.
    \225\ See letter from SandboxAQ. This commenter also recommended 
registrants be required to disclose whether they use post-quantum 
cryptography as part of their risk mitigation efforts.
---------------------------------------------------------------------------

c. Final Amendments
    We continue to believe that investors need information on 
registrants' cybersecurity risk management and strategy, and that 
uniform, comparable, easy to locate disclosure will not emerge absent 
new rules. Commenters raised concerns with proposed Item 106(b)'s 
security implications and what they saw as its prescriptiveness. We 
agree that extensive public disclosure on how a company plans for, 
defends against, and responds to cyberattacks has the potential to 
advantage threat actors. Similarly, we acknowledge commenters' concerns 
that the final rule could unintentionally affect a registrant's risk 
management and strategy decision-making. In response to those comments, 
we confirm that the purpose of the rules is, and was at proposal, to 
inform investors, not to influence whether and how companies manage 
their cybersecurity risk. Additionally, to respond to commenters' 
concerns about security, the final rules eliminate or narrow certain 
elements from proposed Item 106(b). We believe the resulting rule 
requires disclosure of information material to the investment decisions 
of investors, in a way that is comparable and easy to locate, while 
steering clear of security sensitive details.
    As adopted, 17 CFR 229.106(b)(1) (Regulation S-K ``Item 
106(b)(1)'') requires a description of ``the registrant's processes, if 
any, for assessing, identifying, and managing material risks from 
cybersecurity threats in sufficient detail for a reasonable investor to 
understand those processes.'' We believe this revised formulation of 
the rule should help avoid levels of detail that may go beyond 
information that is material to investors and address commenters' 
concerns that those details could increase a company's vulnerability to 
cyberattack. We have also substituted the term ``processes'' for the 
proposed ``policies and procedures'' to avoid requiring disclosure of 
the kinds of operational details that could be weaponized by threat 
actors, and because the term ``processes'' more fully encompasses 
registrants' cybersecurity practices than ``policies and procedures,'' 
which suggest formal codification.\226\ We still expect the disclosure 
to allow investors to ascertain a registrant's cybersecurity practices, 
such as whether they have a risk assessment program in place, with 
sufficient detail for investors to understand the registrant's 
cybersecurity risk profile. The shift to ``processes'' also obviates 
the question of whether to require companies that do not have written 
policies and procedures to disclose that fact. We believe that, to the 
extent a company discloses that it faces a material cybersecurity risk 
in connection with its overall disclosures of material risks,\227\ an 
investor can ascertain whether such risks have resulted in the adoption 
of processes to assess, identify, and manage material cybersecurity 
risks based on whether the company also makes such disclosures under 
the final rules.
---------------------------------------------------------------------------

    \226\ See letter from Prof. Perullo (distinguishing the 
formality of ``policies and procedures'' from the informality of 
``strategy or program''). We have adopted ``processes'' in place of 
the commenter's suggestion of ``strategy or program'' because 
``processes'' is broader and commonly understood. We decline the 
suggestion from another commenter to allow registrants to avoid this 
disclosure altogether by confirming they adhere to ``best practices 
and standards,'' because there is no single set of widely accepted 
best practices and standards, and industry practices may evolve. See 
letter from Cybersecurity Coalition.
    \227\ See Item 105 of Regulation S-K.
---------------------------------------------------------------------------

    We have also added a materiality qualifier to the proposed 
requirement to disclose ``risks from cybersecurity threats,'' and have 
removed the proposed list of risk types (i.e., ``intellectual property 
theft; fraud; extortion; harm to employees or customers; violation of 
privacy laws and other litigation and legal risk; and reputational 
risk''), to foreclose any perception that the rule prescribes 
cybersecurity policy. We continue to believe these are the types of 
risks that registrants may face in this context, and enumerate them 
here as guidance. We note that registrants will continue to tailor 
their cybersecurity processes to threats as they perceive them. The 
rule requires registrants to describe those processes insofar as they 
relate to material cybersecurity risks.
    We have also revised Item 106(b)'s enumerated disclosure elements 
in

[[Page 51913]]

response to commenters that raised concerns regarding the level of 
detail required by some elements of the proposal. Specifically, we are 
not adopting proposed paragraphs (4) (prevention and detection 
activities), (5) (continuity and recovery plans), and (6) (previous 
incidents). We have similarly revised proposed paragraph (3) to 
eliminate some of the detail it required, consistent with commenter 
suggestions to require only high-level disclosure regarding third-party 
service providers. The enumerated elements that a registrant should 
address in its Item 106(b) disclosure, as applicable, are:
    <bullet> Whether and how the described cybersecurity processes in 
Item 106(b) have been integrated into the registrant's overall risk 
management system or processes;
    <bullet> Whether the registrant engages assessors, consultants, 
auditors, or other third parties in connection with any such processes; 
and
    <bullet> Whether the registrant has processes to oversee and 
identify material risks from cybersecurity threats associated with its 
use of any third-party service provider.
    We have also revised the rule text to clarify that the above 
elements compose a non-exclusive list of disclosures; registrants 
should additionally disclose whatever information is necessary, based 
on their facts and circumstances, for a reasonable investor to 
understand their cybersecurity processes.
    We have moved proposed paragraph (7) into a separate paragraph, at 
17 CFR 229.106(b)(2) (Regulation S-K ``Item 106(b)(2)''), instead of 
including it in the enumerated list in Item 106(b)(1), and have added a 
materiality qualifier in response to a comment.\228\ Item 106(b)(2) 
requires a description of ``[w]hether any risks from cybersecurity 
threats, including as a result of any previous cybersecurity incidents, 
have materially affected or are reasonably likely to materially affect 
the registrant, including its business strategy, results of operations, 
or financial condition and if so, how.'' \229\
---------------------------------------------------------------------------

    \228\ See letter from PWC.
    \229\ With respect to the Item 106(b)(2)'s requirement to 
describe any risks as a result of any previous cybersecurity 
incidents, see supra Section II.B.3 for a discussion of the duties 
to correct or update prior disclosure that registrants may have in 
certain circumstances. As we note in that section, registrants 
should consider whether they need to revisit or refresh previous 
disclosure, including during the process of investigating a 
cybersecurity incident.
---------------------------------------------------------------------------

    The final rules will require disclosure of whether a registrant 
engages assessors, consultants, auditors, or other third parties in 
connection with their cybersecurity because we believe it is important 
for investors to know a registrant's level of in-house versus 
outsourced cybersecurity capacity. We understand that many registrants 
rely on third-party service providers for some portion of their 
cybersecurity, and we believe this information is accordingly necessary 
for investors to assess a company's cybersecurity risk profile in 
making investment decisions. However, we are not persuaded, as one 
commenter contended, that registrants should be required to name the 
third parties (though they may choose to do so), because we believe 
this may magnify concerns about increasing a company's cybersecurity 
vulnerabilities. For the same reason, we decline the commenter 
suggestion to require a description of the services provided by third 
parties.
    We are also not persuaded that risk quantification or other 
quantifiable metrics are appropriate as mandatory elements of a 
cybersecurity disclosure framework. While such metrics may be used by 
registrants and investors in the future, commenters did not identify 
any such metrics that would be appropriate to mandate at this time. 
Additionally, to the extent that a registrant uses any quantitative 
metrics in assessing or managing cybersecurity risks, it may disclose 
such information voluntarily. For similar reasons, we decline 
commenters' recommendations to require disclosure of independent 
assessments and audits, as well as commenters' recommendations on 
disclosure of use of the NIST framework, and on distinguishing between 
continuous and periodic risk assessment.
    We decline the commenter suggestion to allow Item 106(b) disclosure 
to be provided in the proxy statement, as the proxy statement is 
generally confined to information pertaining to the election of 
directors. We are also not requiring Item 106 disclosures in 
registration statements as recommended by the IAC, consistent with our 
efforts to reduce the burdens associated with the final rule. However, 
as discussed further below,\230\ we reiterate the Commission's guidance 
from the 2018 Interpretive Release that ``[c]ompanies should consider 
the materiality of cybersecurity risks and incidents when preparing the 
disclosure that is required in registration statements.'' \231\ 
Finally, we note that registrants may satisfy the Item 106 disclosure 
requirements through incorporation by reference pursuant to 17 CFR 
240.12b-23 (``Rule 12b-23'').\232\
---------------------------------------------------------------------------

    \230\ See infra text accompanying notes 355 and 356.
    \231\ 2018 Interpretive Release at 8168.
    \232\ As required by Rule 12b-23, in order to incorporate 
information by reference in answer, or partial answer, to Item 106, 
a registrant must, among other things, include an active hyperlink 
if the information is publicly available on EDGAR.
---------------------------------------------------------------------------

2. Governance
a. Proposed Amendments
    The Commission proposed to add 17 CFR 229.106(c) (Regulation S-K 
``Item 106(c)'') to require a description of management and the board's 
oversight of a registrant's cybersecurity risk. This information would 
complement the proposed risk management and strategy disclosure by 
clarifying for investors how a registrant's leadership oversees and 
implements its cybersecurity processes.\233\ Proposed 17 CFR 
229.106(c)(1) (Regulation S-K ``Item 106(c)(1)'') would focus on the 
board's role, requiring discussion, as applicable, of:
---------------------------------------------------------------------------

    \233\ Proposing Release at 16600.
---------------------------------------------------------------------------

    <bullet> Whether the entire board, specific board members, or a 
board committee is responsible for the oversight of cybersecurity 
risks;
    <bullet> The processes by which the board is informed about 
cybersecurity risks, and the frequency of its discussions on this 
topic; and
    <bullet> Whether and how the board or board committee considers 
cybersecurity risks as part of its business strategy, risk management, 
and financial oversight.
    Proposed 17 CFR 229.106(c)(2) (Regulation S-K ``Item 106(c)(2)'') 
meanwhile would require a description of management's role in assessing 
and managing cybersecurity-related risks, as well as its role in 
implementing the registrant's cybersecurity policies, procedures, and 
strategies, including at a minimum discussion of:
    <bullet> Whether certain management positions or committees are 
responsible for measuring and managing cybersecurity risk, specifically 
the prevention, mitigation, detection, and remediation of cybersecurity 
incidents, and the relevant expertise of such persons or members;
    <bullet> Whether the registrant has a designated chief information 
security officer, or someone in a comparable position, and if so, to 
whom that individual reports within the registrant's organizational 
chart, and the relevant expertise of any such persons;
    <bullet> The processes by which such persons or committees are 
informed about and monitor the prevention, mitigation, detection, and 
remediation of cybersecurity incidents; and

[[Page 51914]]

    <bullet> Whether and how frequently such persons or committees 
report to the board of directors or a committee of the board of 
directors on cybersecurity risk.
    The Proposing Release explained that proposed Item 106(c)(1) would 
reinforce the Commission's 2018 Interpretive Release,\234\ which said 
that disclosure on how a board engages management on cybersecurity 
helps investors assess the board's exercise of its oversight 
responsibility.\235\ The Proposing Release noted that proposed Item 
106(c)(2) would be of importance to investors in that it would help 
investors understand how registrants are planning for cybersecurity 
risks and inform their decisions on how best to allocate their 
capital.\236\
---------------------------------------------------------------------------

    \234\ Id. (citing 2018 Interpretive Release at 8170).
    \235\ 2018 Interpretive Release at 8170.
    \236\ Proposing Release at 16600.
---------------------------------------------------------------------------

b. Comments
    A few commenters supported proposed Item 106(c) as providing 
investors with more uniform and informed understanding of registrants' 
governance of cybersecurity risks.\237\ A number of commenters opposed 
proposed Item 106(c). They contended that the proposed Item 106(c) 
disclosures would be too granular to be decision-useful; instead, some 
of these commenters recommended that we limit the rule to a high-level 
explanation of management and the board's role in cybersecurity risk 
oversight.\238\
---------------------------------------------------------------------------

    \237\ See, e.g., letters from Better Markets; CalPERS.
    \238\ See letters from ABA; AGA/INGAA; EEI; Nareit; NYSE.
---------------------------------------------------------------------------

    One commenter said proposed Item 106(c)(1) should be dropped 
because it duplicates existing 17 CFR 229.407(h) (Regulation S-K ``Item 
407(h)''), which requires reporting of material information regarding a 
board's leadership structure and role in risk oversight, including how 
it administers its oversight function.\239\ Others saw similarities 
with Item 407(h) as well and suggested instead that proposed Item 
106(c) be subsumed into Item 407, thus co-locating governance 
disclosures.\240\
---------------------------------------------------------------------------

    \239\ See letter from Davis Polk. The commenter went on to say 
that, to the extent Item 106(c) requires disclosure of immaterial 
information regarding the board, it should be dropped.
    \240\ See letters from ABA; BDO; PWC.
---------------------------------------------------------------------------

    In response to a request for comment in the Proposing Release on 
whether the Commission should expressly provide for the use of 
hyperlinks or cross-references in Item 106, one commenter supported the 
use of hyperlinks and cross-references, but sought clarification of 
whether the practice is already permitted under Commission rules.\241\ 
Another commenter opposed, saying Item 407(h)'s more general discussion 
of board governance is distinct from Item 106(c)(1)'s specific focus on 
cybersecurity.\242\ The commenter cautioned that allowing registrants 
to employ hyperlinks and cross-references in Item 106 would lead to 
``less detail,'' resulting in disclosure insufficient to investor 
needs.\243\
---------------------------------------------------------------------------

    \241\ See letter from E&Y.
    \242\ See letter from Tenable.
    \243\ Id.
---------------------------------------------------------------------------

    One commenter recommended that we move proposed Item 106(c)(2) to 
the enumerated list of topics called for in proposed Item 106(b).\244\ 
Another commenter suggested expanding the rule to include disclosure of 
management and staff training on cybersecurity, asserting that the 
information is useful to investors because policies depend on staff for 
successful implementation.\245\ Two commenters suggested allowing the 
Item 106(c) disclosures to be made in the proxy statement.\246\
---------------------------------------------------------------------------

    \244\ See letter from Davis Polk.
    \245\ See letter from PRI.
    \246\ See letters from Business Roundtable; Nasdaq.
---------------------------------------------------------------------------

c. Final Amendments
    In response to comments, and aligned with our changes to Item 
106(b), we have streamlined Item 106(c) to require disclosure that is 
less granular than proposed. Under Item 106(c)(1) as adopted, 
registrants must ``[d]escribe the board's oversight of risks from 
cybersecurity threats,'' and, if applicable, ``identify any board 
committee or subcommittee responsible'' for such oversight ``and 
describe the processes by which the board or such committee is informed 
about such risks.'' We have removed proposed Item 106(c)(1)(iii), which 
had covered whether and how the board integrates cybersecurity into its 
business strategy, risk management, and financial oversight. While we 
have also removed the proposed Item 106(c)(1)(ii) requirement to 
disclose ``the frequency of [the board or committee's] discussions'' on 
cybersecurity, we note that, depending on context, some registrants' 
descriptions of the processes by which their board or relevant 
committee is informed about cybersecurity risks may include discussion 
of frequency.\247\
---------------------------------------------------------------------------

    \247\ For example, if the board or committee relies on periodic 
(e.g., quarterly) presentations by the registrant's chief 
information security officer to inform its consideration of risks 
from cybersecurity threats, the registrant may, in the course of 
describing those presentations, also note their frequency.
---------------------------------------------------------------------------

    Given these changes, we find that Item 407(h) and Item 106(c)(1) as 
adopted serve distinct purposes and should not be combined, as 
suggested by some commenters--the former requires description of the 
board's leadership structure and administration of risk oversight 
generally, while the latter requires detail of the board's oversight of 
specific cybersecurity risk. As noted by one commenter,\248\ to the 
extent these disclosures are duplicative, a registrant would be able to 
incorporate such information by reference.\249\
---------------------------------------------------------------------------

    \248\ See letter from E&Y.
    \249\ Rule 12b-23.
---------------------------------------------------------------------------

    We have also modified Item 106(c)(2) to add a materiality 
qualifier, to make clear that registrants must ``[d]escribe 
management's role in assessing and managing the registrant's material 
risks from cybersecurity threats'' (emphasis added).\250\ The 
enumerated disclosure elements now constitute a ``non-exclusive list'' 
registrants should consider including. We have revised the first 
element to require the disclosure of management positions or committees 
``responsible for assessing and managing such risks, and the relevant 
expertise of such persons or members in such detail as necessary to 
fully describe the nature of the expertise.'' Because this requirement 
would typically encompass identification of whether a registrant has a 
chief information security officer, or someone in a comparable 
position, we are not adopting the proposed second element that would 
have specifically called for disclosure of whether the registrant has a 
designated chief information security officer. Given our purpose of 
streamlining the disclosure requirements, we also are not adopting the 
proposed requirement to disclose the frequency of management-board 
discussions on cybersecurity, though, as noted above, discussion of 
frequency may in some cases be included as part of describing the 
processes by which the board or relevant committee is informed about 
cybersecurity risks in compliance with Item 106(c)(1), to the extent it 
is relevant to an understanding of the board's oversight of risks from 
cybersecurity threats.
---------------------------------------------------------------------------

    \250\ We have not added a materiality qualifier to Item 
106(c)(1) because, if a board of directors determines to oversee a 
particular risk, the fact of such oversight being exercised by the 
board is material to investors. By contrast, management oversees 
many more matters and management's oversight of non-material matters 
is likely not material to investors, so a materiality qualifier is 
appropriate for Item 106(c)(2).
---------------------------------------------------------------------------

    Thus, as adopted, Item 106(c)(2) directs registrants to consider 
disclosing the following as part of a description of management's role 
in assessing and managing the registrant's material risks from 
cybersecurity threats:
    <bullet> Whether and which management positions or committees are 
responsible

[[Page 51915]]

for assessing and managing such risks, and the relevant expertise of 
such persons or members in such detail as necessary to fully describe 
the nature of the expertise;
    <bullet> The processes by which such persons or committees are 
informed about and monitor the prevention, detection, mitigation, and 
remediation of cybersecurity incidents; and
    <bullet> Whether such persons or committees report information 
about such risks to the board of directors or a committee or 
subcommittee of the board of directors.
    As many commenters recommended, these elements are limited to 
disclosure that we believe balances investors' needs to understand a 
registrant's governance of risks from cybersecurity threats in 
sufficient detail to inform an investment or voting decision with 
concerns that the proposal could inadvertently pressure registrants to 
adopt specific or inflexible cybersecurity-risk governance practices or 
organizational structures. We do not believe these disclosures should 
be subsumed into Item 106(b), as one commenter recommended, because 
identifying the management committees and positions responsible for 
risks from cybersecurity threats is distinct from describing the 
cybersecurity practices management has deployed. We also decline the 
commenter suggestion to require disclosure of management and staff 
training on cybersecurity; registrants may choose to make such 
disclosure voluntarily. Finally, we decline the commenter suggestion to 
allow Item 106(c) disclosure to be provided in the proxy statement; 
governance information in the proxy statement is generally meant to 
inform shareholders' voting decisions, whereas Item 106(c) disclosure 
informs investors' assessment of investment risk.
3. Definitions
a. Proposed Definitions
    The Commission proposed to define three terms to delineate the 
scope of the amendments: ``cybersecurity incident,'' ``cybersecurity 
threat,'' and ``information systems.'' \251\ Proposed 17 CFR 
229.106(a) (Regulation S-K ``Item 106(a)'') would define them as 
follows:
---------------------------------------------------------------------------

    \251\ Proposing Release at 16600-16601.
---------------------------------------------------------------------------

    <bullet> Cybersecurity incident means an unauthorized occurrence on 
or conducted through a registrant's information systems that 
jeopardizes the confidentiality, integrity, or availability of a 
registrant's information systems or any information residing therein.
    <bullet> Cybersecurity threat means any potential occurrence that 
may result in an unauthorized effort to adversely affect the 
confidentiality, integrity or availability of a registrant's 
information systems or any information residing therein.
    <bullet> Information systems means information resources, owned, or 
used by the registrant, including physical or virtual infrastructure 
controlled by such information resources, or components thereof, 
organized for the collection, processing, maintenance, use, sharing, 
dissemination, or disposition of the registrant's information to 
maintain or support the registrant's operations.
    As noted above, the Commission explained that what constitutes a 
``cybersecurity incident'' should be construed broadly, encompassing a 
range of event types.\252\
---------------------------------------------------------------------------

    \252\ Id. at 16601.
---------------------------------------------------------------------------

b. Comments
    Most commenters that offered feedback on the proposed definitions 
suggested narrowing them in some fashion. On ``cybersecurity 
incident,'' many commenters urged limiting the definition to cases of 
actual harm, thereby excluding incidents that had only the potential to 
cause harm.\253\ They suggested accomplishing this by replacing 
``jeopardizes'' with phrases such as ``adversely affects'' or ``results 
in substantial loss of.'' \254\ One of these commenters noted that such 
a change would more closely align the definition with that in 
CIRCIA.\255\ Other commenters objected to the definition's use of ``any 
information'' as overbroad, saying it would lead to inconsistent 
application.\256\ One commenter sought clarification of whether the 
definition encompasses accidental incidents, such as chance technology 
outages, that do not involve a malicious actor,\257\ while another 
commenter advocated broadening the definition to any incident 
materially disrupting operations, regardless of what precipitated 
it.\258\
---------------------------------------------------------------------------

    \253\ See letters from ABA; BPI et al.; Chamber et al.; Davis 
Polk; Enbridge; FDD; FEI; Hunton; PWC; SCG; SIFMA.
    \254\ See letters from BPI et al.; Hunton.
    \255\ See letter from BPI et al. (``The word `jeopardizes' 
should be replaced with `results in substantial loss of' to capture 
incidents that are causing some actual harm, and to better harmonize 
the definition with the reporting standard set forth by Congress in 
CIRCIA.'').
    \256\ See letters from Deloitte; SIFMA.
    \257\ See letter from CSA.
    \258\ See letter from Crindata.
---------------------------------------------------------------------------

    On ``cybersecurity threat,'' commenters urged narrowing the rule by 
replacing the language ``may result in'' with ``could reasonably be 
expected to result in'' or some other probability threshold.\259\ One 
stated that ``the use of a `may' standard establishes an unhelpfully 
low standard that would require registrants to establish policies and 
procedures to identify threats that are potentially overbroad and not 
appropriately tailored to those threats that are reasonably 
foreseeable.'' \260\ In a similar vein, two commenters objected to the 
language ``any potential occurrence'' as over-inclusive and lacking 
``instructive boundaries.'' \261\
---------------------------------------------------------------------------

    \259\ See letters from Chevron; Debevoise; NYC Bar.
    \260\ See letter from Debevoise.
    \261\ See letters from Chevron; Deloitte.
---------------------------------------------------------------------------

    On ``information systems,'' many commenters favored replacing 
``owned or used by'' with ``owned or operated by,'' ``owned or 
controlled by,'' or like terms, so that registrants' reporting 
obligations stop short of incidents on third-party information 
systems.\262\ A few commenters said the definition could be construed 
to cover hard-copy information and should be revised to foreclose such 
a reading.\263\
---------------------------------------------------------------------------

    \262\ See letters from ABA; APCIA; Business Roundtable; Chamber; 
Cybersecurity Coalition; ISA; ITI; NAM; NDIA; Paylocity. Other 
commenters made similar arguments about third party systems without 
speaking specifically to the definition, saying, for example, that 
registrants may not have sufficient visibility into third-party 
systems and may be bound by confidentiality agreements. See letters 
from AIA; EIC; FAH; NMHC; SIFMA.
    \263\ See letters from ABA; BPI et al.; Enbridge.
---------------------------------------------------------------------------

    More broadly, many commenters advised the Commission to align these 
definitions with comparable definitions in other Federal laws and 
regulations, such as CIRCIA and NIST.\264\ One commenter explained that 
``[a]ligning definitions with those in existing federal laws and 
regulations would help ensure that the defined terms are consistently 
understood, interpreted and applied in the relevant disclosure.'' \265\ 
However, another commenter cautioned against aligning with definitions, 
such as those of NIST, that were developed with a view toward internal 
risk management and response rather than external reporting; the 
commenter identified CIRCIA and the Federal banking regulators' 
definitions as more apposite.\266\ One commenter noted that additional 
proposed defined terms were included in the Commission's rulemaking 
release Cybersecurity Risk Management for Investment Advisers, 
Registered Investment Companies, and Business Development Companies 
\267\ that were not included in the Proposing Release and recommended 
that we

[[Page 51916]]

``consider whether the defined terms should be consistent.'' \268\
---------------------------------------------------------------------------

    \264\ See letters from ABA; CAQ; Chevron; FEI; IC; IIA; 
Microsoft; PWC; SandboxAQ; SIFMA.
    \265\ See letter from ABA.
    \266\ See letter from SCG.
    \267\ Release No. 33-11028 (Feb. 9, 2022) [87 FR 13524 (Mar. 9, 
2022)].
    \268\ See letter from Deloitte.
---------------------------------------------------------------------------

    In the Proposing Release, the Commission asked whether to define 
other terms used in the proposed amendments, and specifically sought 
comment on whether a definition of ``cybersecurity'' would be 
useful.\269\ Several commenters supported defining ``cybersecurity,'' 
\270\ reasoning, for example, that any rulemaking on cybersecurity 
should define that baseline term; \271\ that, left undefined, the term 
would be open to varying interpretations; \272\ and that details such 
as whether hardware is covered should be resolved.\273\ Separately, two 
commenters recommended the Commission define ``operational 
technology,'' \274\ with one explaining that the ``proposed definitions 
understandably focus on data breaches, which are a major cybersecurity 
threat, but we believe an operational technology breach could have even 
more detrimental effects in certain cases (such as for ransomware 
attacks that have impacted critical infrastructure) and warrants 
disclosure guidance from the Commission.'' \275\
---------------------------------------------------------------------------

    \269\ Proposing Release at 16601.
    \270\ See letters from BCS; Blue Lava; EIC; R. Hackman; R 
Street.
    \271\ See letter from R Street.
    \272\ See letter from Blue Lava.
    \273\ See letter from BCS.
    \274\ See letters from Chevron; EIC.
    \275\ See letter from Chevron.
---------------------------------------------------------------------------

    Several commenters also sought either a formal definition or more 
guidance on the term ``material'' specific to the cybersecurity 
space.\276\ Some read the proposal, particularly the incident examples 
provided in the Proposing Release, as lowering the bar for materiality 
and being overly subjective, which they indicated may result in over-
reporting of cybersecurity incidents or introduce uncertainty, and they 
urged the Commission to affirm the standard materiality 
definition.\277\ Another commenter sought cybersecurity-specific 
guidance on materiality, including ``concrete thresholds to assist 
registrants in determining materiality.'' \278\ A few commenters 
recommended conditioning the materiality determination on the 
underlying information being verified to ``a high degree of 
confidence'' and ``unlikely to materially change,'' \279\ while one 
commenter looked to replace materiality altogether with a significance 
standard like that in CIRCIA.\280\
---------------------------------------------------------------------------

    \276\ See letters from ACLI; AIC; AICPA; APCIA; Bitsight; Harry 
Broadman, Eric Matrejek, and Brad Wilson (``Broadman et al.''); 
Debevoise; EIC; International Information System Security 
Certification Consortium (``ISC2''); M. Barragan; NYC Bar; Prof. 
Perullo; R Street; SIFMA; TransUnion; Virtu.
    \277\ See letters from APCIA; ACLI; EIC; Virtu.
    \278\ See letter from SIFMA.
    \279\ See letters from Debevoise; NYC Bar. See also letter from 
AIC (suggesting ``unlikely to change,'' without ``materially'').
    \280\ See letter from National Electrical Manufacturers 
Association (``NEMA'').
---------------------------------------------------------------------------

c. Final Definitions
    We are adopting definitions for ``cybersecurity incident,'' 
``cybersecurity threat,'' and ``information systems'' largely as 
proposed, with three modifications.
    First, on ``cybersecurity incident,'' we are adding the phrase ``or 
a series of related unauthorized occurrences'' to the ``cybersecurity 
incident'' definition. This reflects our guidance in Section II.B.3 
above that a series of related occurrences may collectively have a 
material impact or reasonably likely material impact and therefore 
trigger Form 8-K Item 1.05, even if each individual occurrence on its 
own would not rise to the level of materiality. Second, we are making a 
clarifying edit to ``information systems.'' Some commenters said the 
definition could be construed to cover hard-copy resources.\281\ We 
recognize that reading is possible, if unlikely and unintended, and we 
are therefore inserting ``electronic'' before ``information 
resources,'' to ensure the rules pertain only to electronic resources. 
Third, we are making minor revisions to the ``cybersecurity threat'' 
definition for clarity and to better align it with the ``cybersecurity 
incident'' definition.
---------------------------------------------------------------------------

    \281\ See letters from ABA; BPI et al.; Enbridge.
---------------------------------------------------------------------------

    Accordingly, the definitions are as follows:
    <bullet> Cybersecurity incident means an unauthorized occurrence, 
or a series of related unauthorized occurrences, on or conducted 
through a registrant's information systems that jeopardizes the 
confidentiality, integrity, or availability of a registrant's 
information systems or any information residing therein.
    <bullet> Cybersecurity threat means any potential unauthorized 
occurrence on or conducted through a registrant's information systems 
that may result in adverse effects on the confidentiality, integrity or 
availability of a registrant's information systems or any information 
residing therein.
    <bullet> Information systems means electronic information 
resources, owned or used by the registrant, including physical or 
virtual infrastructure controlled by such information resources, or 
components thereof, organized for the collection, processing, 
maintenance, use, sharing, dissemination, or disposition of the 
registrant's information to maintain or support the registrant's 
operations.
    We recognize commenters' concern regarding the term ``jeopardizes'' 
in the proposed ``cybersecurity incident'' definition and the resulting 
scope of the definition. Nonetheless, we note that the definition is 
not self-executing; rather it is operationalized by Item 1.05, which is 
conditioned on the incident having been material to the registrant. 
Typically that would entail actual harm, though the harm may sometimes 
be delayed, and a material cybersecurity incident may not result in 
actual harm in all instances. For example, a company whose intellectual 
property is stolen may not suffer harm immediately, but it may foresee 
that harm will likely occur over time as that information is sold to 
other parties, such that it can determine materiality before the harm 
occurs. The reputational harm from a breach may similarly increase over 
time in a foreseeable manner. There may also be cases, even if 
uncommon, where the jeopardy caused by a cybersecurity incident 
materially affects the company, even if the incident has not yet caused 
actual harm. In such circumstances, we believe investors should be 
apprised of the material effects of the incident. We are therefore 
retaining the word ``jeopardizes'' in the definition.
    We are not persuaded that the proposed ``cybersecurity incident'' 
definition's use of ``any information'' would lead to inconsistent 
application of the definition among issuers or cause a risk of over-
reporting, as suggested by some commenters. As noted above, the 
``cybersecurity incident'' definition is operationalized by Item 1.05. 
Item 1.05 does not require disclosure whenever ``any information'' is 
affected by an intruder. Disclosure is triggered only when the 
resulting effect of an incident on the registrant is material.
    We are also retaining ``unauthorized'' in the incident definition 
as proposed. In general, we believe that an accidental occurrence is an 
unauthorized occurrence. Therefore, we note that an accidental 
occurrence may be a cybersecurity incident under our definition, even 
if there is no confirmed malicious activity. For example, if a 
company's customer data are accidentally exposed, allowing unauthorized 
access to such data, the data breach would constitute a ``cybersecurity 
incident'' that would necessitate a materiality analysis to determine 
whether disclosure under Item 1.05 of Form 8-K is required.
    On ``cybersecurity threat,'' we appreciate commenters' concerns 
with

[[Page 51917]]

the proposed definition's use of ``may result in'' and ``any potential 
occurrence.'' Unlike with ``cybersecurity incident,'' where the 
interplay of the proposed definition with proposed Item 1.05 ensured 
only material incidents would become reportable, proposed Item 106(b)'s 
reference to ``the identification and management of risks from 
cybersecurity threats'' was not qualified by materiality. We are 
therefore adding a materiality condition to Item 106(b). As adopted, 
Item 106(b) will require disclosure of registrants' processes to 
address the material risks of potential occurrences that could 
reasonably result in an unauthorized effort to adversely affect the 
confidentiality, integrity, or availability of a registrant's 
information systems. Given the addition of a materiality condition to 
Item 106(b), we do not believe that further revision to the 
``cybersecurity threat'' definition is warranted.
    On ``information systems,'' we decline to change ``owned or used 
by'' to ``owned or operated by,'' ``owned or controlled by,'' or 
similar terms advanced by commenters. Commenters recognized that ``used 
by'' covers information resources owned by third parties. That is by 
design: covering third party systems is essential to the working of 
Item 106 of Regulation S-K and Item 1.05 of Form 8-K. As we explain 
above, in Section II.A.3, the materiality of a cybersecurity incident 
is contingent neither on where the relevant electronic systems reside 
nor on who owns them, but rather on the impact to the registrant. We do 
not believe that a reasonable investor would view a significant data 
breach as immaterial merely because the data are housed on a cloud 
service. If we were to remove ``used by,'' a registrant could evade the 
disclosure requirements of the final rules by contracting out all of 
its information technology needs to third parties. Accordingly, the 
definition of ``information systems'' contemplates those resources 
owned by third parties and used by the registrant, as proposed.
    In considering commenters' suggestion to align our definitions with 
CIRCIA, NIST, and other Federal regulations, we observe that there is 
no one standard definition for these terms, and that regulators have 
adopted definitions based on the specific contexts applicable to their 
regulations. Nonetheless, we also observe that the final 
``cybersecurity incident'' definition is already similar to the CIRCIA 
and NIST incident definitions, in that all three focus on the 
confidentiality, integrity, and availability of information 
systems.\282\ Our definition of ``information systems'' also tracks 
CIRCIA and NIST, as all three cover ``information resources'' that are 
``organized for the collection, processing, maintenance, use, sharing, 
dissemination, or disposition'' of information.\283\ Of course, the 
definitions do not match precisely, but some variation is inevitable 
where various Federal laws and regulations have different purposes, 
contexts, and goals. We therefore find that further alignment is not 
needed.
---------------------------------------------------------------------------

    \282\ For CIRCIA, see supra note 19, at sec. 103, 136 Stat. 
1039; and 6 U.S.C. 681b(c)(2)(A)(i). For NIST, see Incident, 
Glossary, NIST Computer Security Resource Center, available at 
<a href="https://csrc.nist.gov/glossary/term/incident">https://csrc.nist.gov/glossary/term/incident</a>.
    \283\ For CIRCIA, see supra note 19, at sec. 103, 136 Stat. 
1039; and 44 U.S.C. 3502(8). For NIST, see Information System, 
Glossary, NIST Computer Security Resource Center, available at 
<a href="https://csrc.nist.gov/glossary/term/information_system">https://csrc.nist.gov/glossary/term/information_system</a>.
---------------------------------------------------------------------------

    We decline to define any other terms. We acknowledge commenters who 
asked for additional guidance regarding the application of a 
materiality determination to cybersecurity or sought to replace 
materiality with a significance standard. As noted in the Proposing 
Release, however, we expect that registrants will apply materiality 
considerations as would be applied regarding any other risk or event 
that a registrant faces. Carving out a cybersecurity-specific 
materiality definition would mark a significant departure from current 
practice, and would not be consistent with the intent of the final 
rules.\284\ Accordingly, we reiterate, consistent with the standard set 
out in the cases addressing materiality in the securities laws, that 
information is material if ``there is a substantial likelihood that a 
reasonable shareholder would consider it important'' \285\ in making an 
investment decision, or if it would have ``significantly altered the 
`total mix' of information made available.'' \286\ Because 
materiality's focus on the total mix of information is from the 
perspective of a reasonable investor, companies assessing the 
materiality of cybersecurity incidents, risks, and related issues 
should do so through the lens of the reasonable investor. Their 
evaluation should take into consideration all relevant facts and 
circumstances, which may involve consideration of both quantitative and 
qualitative factors. Thus, for example, when a registrant experiences a 
data breach, it should consider both the immediate fallout and any 
longer term effects on its operations, finances, brand perception, 
customer relationships, and so on, as part of its materiality analysis. 
We also note that, given the fact-specific nature of the materiality 
determination, the same incident that affects multiple registrants may 
not become reportable at the same time, and it may be reportable for 
some registrants but not others.
---------------------------------------------------------------------------

    \284\ See, e.g., Basic Inc. v. Levinson, 485 U.S. 224, 236 
(1988) (``[a]ny approach that designates a single fact or occurrence 
as always determinative of an inherently fact-specific finding such 
as materiality, must necessarily be overinclusive or 
underinclusive'').
    \285\ TSC Indus. v. Northway, 426 U.S. 438, 449 (1976); Matrixx 
Initiatives v. Siracusano, 563 U.S. 27, 38-40 (2011); Basic, 485 
U.S. at 240.
    \286\ Id. See also the definition of ``material'' in 17 CFR 
230.405 [Securities Act Rule 405]; 17 CFR 240.12b-2 [Exchange Act 
Rule 12b-2].
---------------------------------------------------------------------------

    We also decline to separately define ``cybersecurity,'' as 
suggested by some commenters. We do not believe such further definition 
is necessary, given the broad understanding of this term. To that end, 
we note that the cybersecurity industry itself appears not to have 
settled on an exact definition, and because the field is quickly 
evolving and is expected to continue to evolve over time, any 
definition codified in regulation could soon become stale as technology 
develops. Likewise, the final rules provide flexibility by not defining 
``cybersecurity,'' allowing a registrant to determine meaning based on 
how it considers and views such matters in practice, and on how the 
field itself evolves over time.
    We decline to define ``operational technology'' as suggested by 
some commenters because the term does not appear in the rules we are 
adopting.

D. Disclosure Regarding the Board of Directors' Cybersecurity Expertise

1. Proposed Amendments
    Congruent with proposed Item 106(c)(2) on the board's oversight of 
cybersecurity risk, the Commission proposed adding 17 CFR 229.407(j) 
(Regulation S-K ``Item 407(j)'') to require disclosure about the 
cybersecurity expertise, if any, of a registrant's board members.\287\ 
The proposed rule did not define what constitutes expertise, given the 
wide-ranging nature of cybersecurity skills, but included a non-
exclusive list of criteria to consider, such as prior work experience, 
certifications, and the like. As proposed, paragraph (j) would build on 
existing 17 CFR 229.401(e) (Regulation S-K ``Item 401(e)'') (business 
experience of directors) and Item 407(h) (board risk oversight), and 
would be required in the annual report on Form 10-K and in the proxy or 
information statement when action is to be taken on the election of 
directors. Thus, the Proposing Release said,
proposed Item 407(j) would help investors in making both investment and 
voting decisions.\288\
---------------------------------------------------------------------------

    \287\ Proposing Release at 16601.
    \288\ Id.
---------------------------------------------------------------------------

    The Commission also proposed to include a safe harbor in 17 CFR 
229.407(j)(2) (Regulation S-K ``Item 407(j)(2)'') providing that any 
directors identified as cybersecurity experts would not be deemed 
experts for liability purposes, including under Section 11 of the 
Securities Act.\289\ This was intended to clarify that identified 
directors do not assume any duties, obligations, or liabilities greater 
than those assumed by non-expert directors.\290\ Nor would such 
identification decrease the duties, obligations, and liabilities of 
non-expert directors relative to identified directors.\291\
---------------------------------------------------------------------------

    \289\ Id. at 16602.
    \290\ Id.
    \291\ Id.
---------------------------------------------------------------------------

2. Comments
    Proposed Item 407(j) garnered significant comment. Supporters wrote 
that understanding a board's level of cybersecurity expertise is 
important to assessing a company's ability to manage cybersecurity 
risk.\292\ For example, one commenter said ``[b]oard cybersecurity 
expertise serves as a useful starting point for investors to assess a 
company's approach to cybersecurity;'' \293\ while another commenter 
said investors need the Item 407(j) disclosure ``[t]o cast informed 
votes on directors.'' \294\ One comment letter submitted an academic 
study by the authors of the letter and noted that its findings 
``underscore the importance of understanding the role of boards in 
cybersecurity oversight.'' \295\
---------------------------------------------------------------------------

    \292\ See letters from O. Borges; CalPERS; Prof. Choudhary; CII; 
Digital Directors Network (``DDN''); ISC2; Prof. Lowry et al.; NACD; 
PRI; SANS Institute; SM4RT Secure.
    \293\ See letter from PRI.
    \294\ See letter from CII.
    \295\ See letter from Prof. Lowry et al.
---------------------------------------------------------------------------

    By contrast, many commenters argued cybersecurity risk is not 
intrinsically different from other risks that directors assess with or 
without specific technical expertise.\296\ For example, one reasoned 
that, given the ``ever-changing range of risks confronting a company,'' 
directors require ``broad-based skills in risk and management 
oversight, rather than subject matter expertise in one particular type 
of risk.'' \297\ Commenters also predicted the disclosure requirement 
would pressure companies to retain cybersecurity experts on their 
board, and submitted there is not enough cybersecurity talent in the 
marketplace at this time for all or most companies to do so.\298\ One 
of these commenters further contended that finding such expertise will 
be harder for smaller reporting companies.\299\ Another commenter 
warned that, given the current cybersecurity talent pool, the end 
result may be lower diversity on boards; \300\ and one said hiring 
cybersecurity experts to the board may come at the expense of spending 
on a company's cybersecurity defenses.\301\ Commenters also expressed 
concern that the identified expert directors would face elevated risks, 
such as being targeted by nation states for surveillance or hackers 
attempting to embarrass them, thus creating

[…truncated; see source link]