What has happened?
The US Securities and Exchange Commission (SEC) has proposed a broader, more prescriptive disclosure regime for cybersecurity incidents and cybersecurity risk management, strategy and governance that would also apply to SEC-reporting foreign private issuers (FPIs). This blog post looks at the potential implications for FPIs if the regime is adopted as proposed.
The proposal aims to enhance and standardise disclosure in this area and sets out more granular requirements than the SEC has previously used. It expands on and affirms earlier SEC cybersecurity guidance in 2018, which in turn reinforced Staff guidance given in 2011; both would remain in place. As a result, many aspects of the proposal are not new, although some of the specifics are, for example the requirement to disclose whether there is any cybersecurity ‘expert’ on the board and their qualifications in that area.
The proposal is subject to a period of public comment which will end on 9 May 2022. It is possible that any final version of the regime may reflect changes as a result of the comment process.
The proposed regime focuses on two areas – disclosure of cybersecurity incidents and disclosure of cybersecurity risk management, strategy and governance.
Cybersecurity incident disclosure
As proposed, US domestic SEC-reporting companies would be required to report a material cybersecurity event within four business days of determining it is material, using a current report on Form 8-K.
By contrast, FPIs would be encouraged (but not legally required) to report a material cybersecurity event only ‘promptly’, using a current report on Form 6-K. This is because Form 6-K is a mechanism by which SEC-reporting FPIs promptly furnish to the SEC certain material disclosure they have already provided to shareholders, regulators or otherwise publicly, in their home jurisdiction, rather than a primary obligation to directly file disclosure with the SEC by a prescribed deadline.
However, the proposal would require various new disclosures by FPIs in their Form 20-F annual report, including any previously undisclosed material cybersecurity incidents that have occurred during the financial year. This proposed requirement includes disclosing a series of individually immaterial cybersecurity incidents that has become material in the aggregate. It also includes updating any earlier disclosure on cybersecurity incidents on Form 6-K where there are material changes to that disclosure in the financial year.
Although not subject to the four-business-day filing deadline, the proposed requirements mean that FPIs would need to keep track of their cybersecurity incidents, including assessing their materiality, for 20-F purposes.
There is the further point that US-listed companies, whether FPI or domestic, are already subject to certain disclosure requirements imposed by exchange listing rules. For example, the NYSE has a timely alert policy which requires listed companies to “release quickly to the public any news or information which might reasonably be expected to materially affect the market for its securities.” Similarly, Nasdaq requires listed companies to “make prompt disclosure to the public of any material information that would reasonably be expected to affect the value of its securities or influence investors’ decisions.” These required disclosures can include cybersecurity incidents where material but would not necessarily include all the information domestic registrants would be required to include on Form 8-K (as described below).
If the rules are adopted as proposed, it is unknown whether US-listed FPIs might come under market pressure to match the four-business-day deadline for reporting material cybersecurity incidents as a matter of best practice or, particularly for US-listed FPIs with no listing elsewhere, when complying with NYSE’s timely alert policy or the Nasdaq equivalent. This could result in FPIs filing cybersecurity-related 6-Ks more frequently and on a tighter timeframe even where there is no express legal obligation to do so.
What must be disclosed by FPIs on Form 20-F
Annually in their Form 20-F, FPIs would need to disclose material cyber incidents (including a series of immaterial incidents that in the aggregate has become material) and updates to any earlier report on Form 6-K.
Initial disclosure of a material incident would include (not an exclusive list):
- a general description of when the incident was discovered and whether it is ongoing
- a brief description of its nature and scope
- whether any data was stolen or altered in connection with the incident
- its effect on the company’s operations
- whether the company has remediated it or is still working on that
An update to an earlier report on Form 6-K would include (not an exclusive list):
- did the incident have any material effect on the company’s operation and financial condition and are there any potential material future impacts on same?
- has the company remediated the incident or is it still working on that?
- has the company made any changes to its policies or procedures as a result of the incident and how may the incident have informed such changes?
US domestic SEC-reporting companies would be required to make the same disclosures about material cyber incidents, but on Form 8-K and within the four-business-day deadline noted above.
What is material?
The meaning is consistent with the use of the term in US securities law. In that context, information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision or if it would have significantly altered the total mix of information made available. Under the proposed rules, a company would need to carefully assess whether the cybersecurity incident is material in light of the specific circumstances by using a well-reasoned, objective approach from a reasonable investor’s perspective, based on the total mix of information.
The materiality analysis under NYSE’s timely alert policy and the Nasdaq equivalent is effectively the same, although the specific disclosures proposed in the SEC’s release (for domestic issuers on 8-K and for FPIs in the 20-F) may not be strictly required. Issuers with listings on exchanges which are subject to the EU or UK market abuse regimes are likely to find that the requirement to publish “inside information” (which would also be furnished to the SEC on 6-K by a US-listed FPI) overlaps with the SEC’s approach in this proposal, but again, the proposed specific disclosures may not be prescribed.
Disclosing cybersecurity risk management, strategy and governance in Annual and Periodic Reports
Here the proposed disclosure requirements for FPIs and domestic issuers are the same, except that domestic issuers are also required to file quarterly reports and proxy statements that would include the new cybersecurity disclosure while FPIs file only annual reports.
Overall, the proposed requirements fall into two buckets – first, risk management and strategy disclosure and second, governance disclosure.
Risk management and strategy disclosure covers describing, where applicable, the company’s policies and procedures for identifying and managing risks from cybersecurity threats, including operational risk; intellectual property theft; fraud and extortion; harm to employees or customers; violation of privacy laws and other legal risk; and reputational risk. The proposal gives a list of eight topics the discussion should include (as applicable), among them:
- whether there is a risk assessment programme and whether it involves outside professionals
- whether there are policies and procedures to oversee and identify cybersecurity risks associated with using a third-party service provider
- whether the company tries to prevent, detect and minimise cybersecurity incidents, and whether previous incidents have informed changes in the company’s governance, policies and procedures or technology
- whether cybersecurity risks and previous incidents have affected, or are reasonably likely to affect, strategy, business model, results of operations or financial condition
- whether cybersecurity risks are considered as part of business strategy, financial planning and capital allocation
Governance covers describing:
- the board’s role in cybersecurity risk oversight and governance including whether the board considers cybersecurity as part of its business strategy, risk management and financial oversight
- management’s role in assessing and managing cybersecurity risk as well as its role in implementing the related cybersecurity policies and procedures
- director- and management-level cybersecurity expertise
As with the proposed requirements for cybersecurity incident reporting, if these wide-ranging requirements are adopted as proposed, it is unclear how far market practice might drive disclosure, and thereby governance, risk management and strategy on the ground; reporting companies could seek to avoid appearing to be on the back foot compared with their competitors in this enterprise-critical area.
The SEC’s policy behind this proposal was articulated by SEC Chair Gary Gensler when the proposal was made: “I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner”.
For more details of the proposed regime, including as it would apply to US domestic SEC-reporting companies, please see our earlier blog post – SEC proposes cybersecurity disclosure rules.