I. Introduction And Background
A. Disclosure of Cybersecurity Incidents On Current Reports
B. Disclosures about Cybersecurity Incidents in Periodic Reports
D. Disclosure Regarding the Board of Directors’ Cybersecurity Expertise
E. Disclosure by Foreign Private Issuers
F. Structured Data Requirements
G. Applicability to Certain Issuers
H. Need for New Rules and Commission Authority
C. Benefits and Costs of Final Rules
D. Effects on Efficiency, Competition, and Capital Formation
- Summary of the Collections of Information
- Summary of Comment Letters and Revisions to PRA Estimates
- Effects of the Amendments on the Collections of Information
- Incremental and Aggregate Burden and Cost Estimates for the Final Amendments
SECURITIES AND EXCHANGE COMMISSION
17 CFR Parts 229, 232, 239, 240, and 249
[Release Nos. 33-11216; 34-97989; File No. S7-09-22]
RIN 3235-AM89
Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
AGENCY: Securities and Exchange Commission.
ACTION: Final rule.
SUMMARY:
The Securities and Exchange Commission (“Commission”) is adopting new rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. Specifically, we are adopting amendments to require current disclosure about material cybersecurity incidents. We are also adopting rules requiring periodic disclosures about a registrant’s processes to assess, identify, and manage material cybersecurity risks, management’s role in assessing and managing material cybersecurity risks, and the board of directors’ oversight of cybersecurity risks. Lastly, the final rules require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (“Inline XBRL”).
DATES: Effective date: The amendments are effective [INSERT DATE 30 DAYS AFTER DATE OF PUBLICATION IN THE FEDERAL REGISTER]. Compliance dates: See Section II.I (Compliance Dates).
FOR FURTHER INFORMATION CONTACT: Nabeel Cheema, Special Counsel, at (202) 551-3430, in the Office of Rulemaking, Division of Corporation Finance; and, with respect to the application of the rules to business development companies, David Joire, Senior Special Counsel, at (202) 551-6825 or IMOCC@sec.gov, Chief Counsel’s Office, Division of Investment Management, U.S. Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549.
SUPPLEMENTARY INFORMATION: We are adopting amendments to:
Commission Reference | CFR Citation (17 CFR)
---|---
Regulation S-K | §§229.10 through 229.1305
Items 106 and 601 | §§229.106 and 229.601
Rule 405 | §232.405
Securities Act of 1933 (“Securities Act”) | 
Form S-3 | §239.13
Securities Exchange Act of 1934 (“Exchange Act”) | 
Rule 13a-11 | §240.13a-11
Rule 15d-11 | §240.15d-11
Form 20-F | §249.220f
Form 6-K | §249.306
Form 8-K | §249.308
Form 10-K | §249.310
I. Introduction and Background
On March 9, 2022, the Commission proposed new rules and rule and form amendments to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incidents by public companies that are subject to the reporting requirements of the Exchange Act. The proposal followed on interpretive guidance on the application of existing disclosure requirements to cybersecurity risk and incidents that the Commission and staff had issued in prior years.
In particular, in 2011, the Division of Corporation Finance issued interpretive guidance providing the Division’s views concerning operating companies’ disclosure obligations relating to cybersecurity (“2011 Staff Guidance”). In that guidance, the staff observed that “although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents,” and further that “material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.” The guidance pointed specifically to disclosure obligations under 17 CFR 229.503 (Regulation S-K “Item 503(c)”) (Risk factors) (since moved to 17 CFR 229.105 (Regulation S-K “Item 105”)), 17 CFR 229.303 (Regulation S-K “Item 303”) (Management’s discussion and analysis of financial condition and results of operations), 17 CFR 229.101 (Regulation S-K “Item 101”) (Description of business), 17 CFR 229.103 (Regulation S-K “Item 103”) (Legal proceedings), and 17 CFR 229.307 (Disclosure controls and procedures), as well as to Accounting Standards Codifications 350-40 (Internal-Use Software), 605-50 (Customer Payments and Incentives), 450-20 (Loss Contingencies), 275-10 (Risks and Uncertainties), and 855-10 (Subsequent Events).
In 2018, “in light of the increasing significance of cybersecurity incidents,” the Commission issued interpretive guidance to reinforce and expand upon the 2011 Staff Guidance and also address the importance of cybersecurity policies and procedures, as well as the application of insider trading prohibitions in the context of cybersecurity (“2018 Interpretive Release”). In addition to discussing the provisions previously covered in the 2011 Staff Guidance, the new guidance addressed 17 CFR 229.407 (Regulation S-K “Item 407”) (Corporate Governance), 17 CFR Part 210 (“Regulation S-X”), and 17 CFR Part 243 (“Regulation FD”). The 2018 Interpretive Release noted that companies can provide current reports on Form 8-K and Form 6-K to maintain the accuracy and completeness of effective shelf registration statements, and it also advised companies to consider whether it may be appropriate to implement restrictions on insider trading during the period following an incident and prior to disclosure.
As noted in the Proposing Release, current disclosure practices are varied. For example, while some registrants do report material cybersecurity incidents, most typically on Form 10-K, review of Form 8-K, Form 10-K, and Form 20-F filings by staff in the Division of Corporation Finance has shown that companies provide different levels of specificity regarding the cause, scope, impact, and materiality of cybersecurity incidents. Likewise, staff has also observed that, while the majority of registrants that are disclosing cybersecurity risks appear to be providing such disclosures in the risk factor section of their annual reports on Form 10-K, the disclosures are sometimes included with other unrelated disclosures, which makes it more difficult for investors to locate, interpret, and analyze the information provided.
In the Proposing Release, the Commission explained that a number of trends underpinned investors’ and other capital markets participants’ need for more timely and reliable information related to registrants’ cybersecurity than was produced following the 2011 Staff Guidance and the 2018 Interpretive Release. First, an ever-increasing share of economic activity is dependent on electronic systems, such that disruptions to those systems can have significant effects on registrants and, in the case of large-scale attacks, systemic effects on the economy as a whole. Second, there has been a substantial rise in the prevalence of cybersecurity incidents, propelled by several factors: the increase in remote work spurred by the COVID-19 pandemic; the increasing reliance on third-party service providers for information technology services; and the rapid monetization of cyberattacks facilitated by ransomware, black markets for stolen data, and crypto-asset technology. Third, the costs and adverse consequences of cybersecurity incidents to companies are increasing; such costs include business interruption, lost revenue, ransom payments, remediation costs, liabilities to affected parties, cybersecurity protection costs, lost assets, litigation risks, and reputational damage.
Since publication of the Proposing Release, these trends have continued apace, with significant cybersecurity incidents occurring across companies and industries. For example, threat actors repeatedly and successfully executed attacks on high-profile companies across multiple critical industries over the course of 2022 and the first quarter of 2023, causing the Department of Homeland Security’s Cyber Safety Review Board to initiate multiple reviews. Likewise, state actors have perpetrated multiple high-profile attacks, and recent geopolitical instability has elevated such threats. A recent study by two cybersecurity firms found that 98 percent of organizations use at least one third-party vendor that has experienced a breach in the last two years. In addition, recent developments in artificial intelligence may exacerbate cybersecurity threats, as researchers have shown that artificial intelligence systems can be leveraged to create code used in cyberattacks, including by actors not versed in programming. Overall, evidence suggests companies may be underreporting cybersecurity incidents.
Legislatively, we note two significant developments occurred following publication of the Proposing Release. First, the President signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) on March 15, 2022, as part of the Consolidated Appropriations Act of 2022. The centerpiece of CIRCIA is the reporting obligation placed on companies in defined critical infrastructure sectors. Once rules are adopted by the Cybersecurity & Infrastructure Security Agency (“CISA”), these companies will be required to report covered cyber incidents to CISA within 72 hours of discovery, and report ransom payments within 24 hours. Importantly, reports made to CISA pursuant to CIRCIA will remain confidential; while the information contained therein may be shared across Federal agencies for cybersecurity, investigatory, and law enforcement purposes, the information may not be disclosed publicly, except in anonymized form. We note that CIRCIA also mandated the creation of a “Cyber Incident Reporting Council . . . to coordinate, deconflict, and harmonize Federal incident reporting requirements” (the “CIRC”), of which the Commission is a member. Second, on December 21, 2022, the President signed into law the Quantum Computing Cybersecurity Preparedness Act, which directs the Federal government to adopt technology that is protected from decryption by quantum computing, a developing technology that may increase computer processing capacity considerably and thereby render existing computer encryption vulnerable to decryption.
We received over 150 comment letters in response to the Proposing Release. The majority of comments focused on the proposed incident disclosure requirement, although we also received substantial comment on the proposed risk management, strategy, governance, and board expertise requirements. In addition, the Commission’s Investor Advisory Committee adopted recommendations (“IAC Recommendation”) with respect to the proposal, stating that it: supports the proposed incident disclosure requirement; supports the proposed risk management, strategy, and governance disclosure requirements; recommends the Commission reconsider the proposed board of directors’ cybersecurity expertise disclosure requirement; suggests requiring companies to disclose the key factors they used to determine the materiality of a reported cybersecurity incident; and suggests extending the proposed 17 CFR 229.106 (Regulation S-K “Item 106”) disclosure requirements to registration statements.
We are making a number of important changes from the Proposing Release in response to comments received. With respect to incident disclosure, we are narrowing the scope of disclosure, adding a limited delay for disclosures that would pose a substantial risk to national security or public safety, requiring certain updated incident disclosure on an amended Form 8-K instead of Forms 10-Q and 10-K for domestic registrants, and on Form 6-K instead of Form 20-F for foreign private issuers (“FPIs”), and omitting the proposed aggregation of immaterial incidents for materiality analyses. We are streamlining the proposed disclosure elements related to risk management, strategy, and governance, and we are not adopting the proposed requirement to disclose board cybersecurity expertise. The following table summarizes the requirements we are adopting, including changes from the Proposing Release, as described more fully in Section II below:
Item | Summary Description of the Disclosure Requirement |
---|---|
Regulation S-K Item 106(b) – Risk management and strategy | Registrants must describe their processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats, and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition. |
Regulation S-K Item 106(c) – Governance | Registrants must: – Describe the board’s oversight of risks from cybersecurity threats. – Describe management’s role in assessing and managing material risks from cybersecurity threats. |
Form 8-K Item 1.05 – Material Cybersecurity Incidents | Registrants must disclose any cybersecurity incident they experience that is determined to be material, and describe the material aspects of its: – Nature, scope, and timing; and – Impact or reasonably likely impact. An Item 1.05 Form 8-K must be filed within four business days of determining an incident was material. A registrant may delay filing as described below, if the United States Attorney General (“Attorney General”) determines immediate disclosure would pose a substantial risk to national security or public safety. |
Form 6-K | FPIs must furnish on Form 6-K information on material cybersecurity incidents that they disclose or otherwise publicize in a foreign jurisdiction, to any stock exchange, or to security holders. |
Form 20-F | FPIs must: – Describe the board’s oversight of risks from cybersecurity threats. – Describe management’s role in assessing and managing material risks from cybersecurity threats. |
Overall, we remain persuaded that, as detailed in the Proposing Release: under-disclosure regarding cybersecurity persists despite the Commission’s prior guidance; investors need more timely and consistent cybersecurity disclosure to make informed investment decisions; and recent legislative and regulatory developments elsewhere in the Federal government, including those developments subsequent to the issuance of the Proposing Release such as CIRCIA and the Quantum Computing Cybersecurity Preparedness Act, while serving related purposes, will not effectuate the level of public cybersecurity disclosure needed by investors in public companies.
A. Disclosure of Cybersecurity Incidents on Current Reports
1. Proposed Amendments
The Commission proposed to amend Form 8-K by adding new Item 1.05 that would require a registrant to disclose the following information regarding a material cybersecurity incident, to the extent known at the time of filing:
- When the incident was discovered and whether it is ongoing;
- A brief description of the nature and scope of the incident;
- Whether any data were stolen, altered, accessed, or used for any other unauthorized purpose;
- The effect of the incident on the registrant’s operations; and
- Whether the registrant has remediated or is currently remediating the incident.
The Commission clarified in the Proposing Release that this requirement would not extend to specific, technical information about the registrant’s planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.
The Commission proposed to set the filing trigger for Item 1.05 as the date the registrant determines that a cybersecurity incident is material; as with all other Form 8-K items, the proposed filing deadline would be four business days after the trigger. To protect against any inclination on the part of a registrant to delay making a materiality determination with a view toward prolonging the filing deadline, the Commission proposed adding Instruction 1 to Item 1.05 requiring that “a registrant shall make a materiality determination regarding a cybersecurity incident as soon as reasonably practicable after discovery of the incident.”
The Commission affirmed in the Proposing Release that the materiality standard registrants should apply in evaluating whether a Form 8-K would be triggered under proposed Item 1.05 would be consistent with that set out in the numerous cases addressing materiality in the securities laws, including TSC Industries, Inc. v. Northway, Inc., Basic, Inc. v. Levinson, and Matrixx Initiatives, Inc. v. Siracusano, and likewise with that set forth in 17 CFR 230.405 (“Securities Act Rule 405”) and 17 CFR 240.12b-2 (“Exchange Act Rule 12b-2”). That is, information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.” “Doubts as to the critical nature” of the relevant information should be “resolved in favor of those the statute is designed to protect,” namely investors.
The Commission explained that the timely disclosure of the information required by proposed Item 1.05 would enable investors and other market participants to assess the possible effects of a material cybersecurity incident on the registrant, including any short- and long-term financial effects or operational effects, resulting in information useful for their investment decisions. Aligning the deadline for Item 1.05 with that of the other Form 8-K items would, the Commission maintained, significantly improve the timeliness of cybersecurity incident disclosures as well as standardize those disclosures. The Commission did not propose to provide a reporting delay in cases of ongoing internal or external investigations of cybersecurity incidents. Nevertheless, the Proposing Release requested comment on whether to allow a delay in reporting where the Attorney General determines that a delay is in the interest of national security.
2. Comments
Proposed Item 1.05 received a significant amount of feedback from commenters. Some commenters supported Item 1.05 as proposed, saying that the current level of disclosure on cybersecurity incidents is inadequate to meet investor needs, and Item 1.05 would remedy this inadequacy by effectuating the disclosure of decision-useful information. One commenter also anticipated that Item 1.05 would reduce the risk of insider trading by shortening the time between discovery of an incident and public disclosure.
Other commenters opposed proposed Item 1.05, for several reasons. Some commenters said that if proposed Item 1.05 were to result in disclosure while an incident is still ongoing, it would tip off the threat actor and thus make successful neutralization of the incident more difficult. Commenters also expressed concern that public notice of a vulnerability could draw attacks from other threat actors who were previously unaware of the vulnerability; and such attacks could target the disclosing registrant or other companies with the same vulnerability, particularly if the vulnerability is with a third-party service provider used by multiple companies. Some of these commenters objected specifically to the requirement in Item 1.05 to disclose whether remediation has occurred, stating that this information could assist threat actors in their targeting or invite further targeted attacks, while others more generally stated that the Item 1.05 disclosure would be overly detailed, such that it would give a road map to threat actors for planning attacks. One commenter argued that the prospect of possibly having to file an Item 1.05 Form 8-K could chill threat information sharing within industries, because companies would fear that any cybersecurity risk information they share could later be used to question their disclosure decisions.
Some of the commenters that disagreed with the level of disclosure required by proposed Item 1.05 recommended that the Commission narrow the disclosure requirements of the rule. For example, one such commenter advised dropping the proposed requirement to disclose “when the incident was discovered,” arguing that this detail may cause confusion, particularly where an incident was detected some time ago but a significant aspect rendering it material surfaced only recently. Another commenter opined that “whether the registrant has remediated or is currently remediating the incident” is duplicative of “whether it is ongoing,” so either of the two could be eliminated. One commenter contended that a materiality filter should be added to the details required by Item 1.05, such that companies would have to disclose only details that themselves are material, rather than immaterial details of a material incident.
By contrast, there were also commenters that recommended expanding the disclosure requirements in the proposed rule. In this regard, some commenters recommended requiring that registrants disclose asset losses, intellectual property losses, and the value of business lost due to the incident. Other suggestions included requiring that incidents be quantified as to their severity and impact via standardized rating systems, and that registrants disclose how they became aware of the incident, as this may shed light on the effectiveness of a company’s cybersecurity policies and procedures. Additionally, commenters suggested banning trading by insiders during the time between the materiality determination and disclosure of the incident.
Commenters provided reactions to the application of Item 1.05 to incidents connected with third-party systems. A number of commenters contended that registrants should be exempt from having to disclose cybersecurity incidents in third-party systems they use because of their reduced control over such systems. Similarly, several commenters advocated for a safe harbor for information disclosed about third-party systems, given registrants’ reduced visibility into such systems. A few commenters suggested a longer reporting timeframe for third-party incidents, because the registrant may be dependent on the third party for information (which may not be provided in a timely manner), and to avoid harm to other companies reliant on the same third party. Commenters also recommended that Item 1.05 be phased in over a longer period of time with respect to third-party incidents, to give registrants time to develop information sharing processes with their third-party service providers.
Commenters also requested guidance or otherwise raised concerns where the proposed requirements might trigger disclosures by third-party service providers. A commenter requested clarity on whether an incident should be disclosed by the third-party service provider registrant that owns the affected system or the customer registrant that owns the affected information, or both. And two commenters argued that third-party service providers should simply pass along information to their end customers, who would then make their own materiality determination and disclose accordingly; this should particularly be the case, a commenter said, where an attack on a third-party data center results in a data breach for an end customer but does not affect the services the data center provides.
The proposed timing of incident disclosure also received a significant level of public comment. For example, a few commenters said the level of detail required by Item 1.05 is impractical to produce in the allotted time. Other commenters said that the proposed deadline would lead to the disclosure of tentative, unclear, or potentially inaccurate information that is not decision-useful to investors, resulting in the market mispricing the underlying securities. Commenters also argued that Item 1.05 is qualitatively different from all other Form 8-K items in that the trigger for Item 1.05 is largely outside the company’s control. Some commenters worried the proposed deadline would lead to disclosure of “false positives,” that is, incidents that appear material at first but later on with the emergence of more information turn out not to be material.
Commenters suggested a range of alternative reporting deadlines for Item 1.05. A common suggestion was to modify the measurement date from the determination of materiality to another point in the lifecycle of the incident when the incident is no longer a threat to the registrant—commenters variously termed this as “containment,” “remediation,” “mitigation,” and comparable terms. One commenter recommended conditioning a reporting delay on the registrant being actively engaged in containing the incident and reasonably believing that containment can be completed in a timely manner. Similarly, several commenters recommended that the rule allow for a delay in providing Item 1.05 disclosure based on a registrant’s assessment of the potential negative consequences of public disclosure, using a variety of measures they suggested. Another suggestion was to replace the proposed deadline with an instruction to disclose material incidents “without unreasonable delay.”
Some commenters recommended instead increasing the number of days between the reporting trigger and the reporting deadline. A few commenters recommended adding one business day to make the deadline five business days; one noted this would result in every registrant having at least a full calendar week to gather information and prepare the Form 8-K. Another commenter recommended a deadline of 15 business days, along with a cure period to allow registrants a defined period of time to fix potential reporting mistakes. A few commenters recommended a 30-day deadline, with their choice of 30 days tending to be a proxy for some other factor, such as containment or remediation, or state notification requirements.
Several commenters recommended addressing the timing concerns by replacing current reporting on Form 8-K with periodic reporting on Forms 10-Q and 10-K, to allow additional time to assess an incident’s impact before reporting to markets. In this vein, one commenter likened cybersecurity incident disclosure to the disclosure of legal proceedings under Regulation S-K Item 103.
A few commenters recommended instead that the materiality trigger be replaced with a quantifiable trigger; for example, an incident implicating a specified percentage of revenue, or the costs of an incident exceeding a specified benchmark, could trigger disclosure. Other commenters advocated for the disclosure trigger to be tied to any legal obligation that forces a registrant to notify persons outside the company.
Commenters also recommended a number of exceptions to the filing deadline. The most common recommendation was to include a provision allowing for delayed filing where there is an active law enforcement investigation or the disclosure otherwise implicates national security or public safety. A representative comment in this vein advanced a provision whereby registrants may “delay reporting of a cybersecurity incident that is the subject of a bona fide investigation by law enforcement,” because such “delay in reporting may not only facilitate such an investigation, it may be critical to its success.”
In calling for a law enforcement delay, associations for industries in critical sectors emphasized the national security implications of public cybersecurity incident disclosure. For example, one association explained that disclosure “may alert malicious actors that we have uncovered their illegal activities in circumstances where our defense and intelligence agencies wish to keep that information secret.” Likewise, another association pointed out that, in its industry, companies “are likely to possess some of the nation’s most critical confidential information, including cybersecurity threat information furnished by government entities, such as the Federal Bureau of Investigation (FBI), the Department of Homeland Security (DHS), and the National Security Agency (NSA),” and therefore, disclosure may not be possible.
Commenters largely advocated for “a broad law enforcement exception that applies not only in the interest of national security but also when law enforcement believes disclosure will hinder their efforts to identify or capture the threat actor.” Many commenters that responded to the Commission’s request for comment regarding a provision whereby the Attorney General determines that a delay is in the interest of national security indicated that such a provision should be more expansive and extend to other law enforcement authorities. One of these commenters questioned whether the Attorney General would opine on matters “that are under the ambit of other Federal agencies, such as the Department of Homeland Security, Department of State and the Department of Defense.” Another commenter pointed out that “the Department of Justice is not the primary, or even the lead, organization in the Federal government for cybersecurity response, rather the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency is often the first call that companies make,” while “for defense contractors, the Department of Defense is likely to have the highest interest in the timing of an announcement.” For the financial industry specifically, one suggestion was to permit a delay if the Federal Reserve, Federal Deposit Insurance Corporation, or Office of the Comptroller of the Currency finds that disclosure would compromise the safety or soundness of the financial institution or of the financial system as a whole.
Some commenters specifically urged that state law enforcement be included within any delay provision, and one commenter appeared to contemplate inclusion of foreign law enforcement. A few commenters advocated for a confidential reporting system, whereby a registrant would initially file a nonpublic report with the Commission while a law enforcement investigation is ongoing, and then unseal the report upon the investigation’s completion.
A number of commenters provided feedback regarding proposed Instruction 1, which would have directed registrants to make their materiality determination regarding an incident “as soon as reasonably practicable after discovery of the incident.” Several commenters recommended removing the instruction altogether as, in their view, it would place unnecessary pressure on companies to make premature determinations before they have sufficient information. Other commenters stated that the instruction is too ambiguous for registrants to ascertain whether they have complied with it. Conversely, one commenter advised the Commission not to provide further guidance on the meaning of “as soon as reasonably practicable,” explaining that doing so would interfere with each registrant’s individual assessment of what is practicable given its specific context, resulting in pressure to move more quickly than may be appropriate. Another commenter likewise found that “as soon as reasonably practicable” is a “reasonable approach” that “provides public companies with the appropriate degree of flexibility to conduct a thorough assessment while ensuring that the markets get timely and relevant information.” One commenter recommended a safe harbor for actions and determinations made in good faith to satisfy Instruction 1 that later turn out to be mistaken.
In response to a request for comment in the Proposing Release, several commenters recommended registrants be permitted to furnish rather than file an Item 1.05 Form 8-K, so that filers of an Item 1.05 Form 8-K would not be subject to liability under Section 18 of the Exchange Act. A significant number of commenters also endorsed the proposal to amend 17 CFR 240.13a-11(c) (“Rule 13a-11(c)”) and 17 CFR 240.15d-11(c) (“Rule 15d-11(c)”) under the Exchange Act to include Item 1.05 in the list of Form 8-K items eligible for a limited safe harbor from liability under Section 10(b) or 17 CFR 240.10b-5 (“Rule 10b-5”) under the Exchange Act. Likewise, the proposal to amend General Instruction I.A.3.(b) of Form S-3 and General Instruction I.A.2 of Form SF-3 to provide that an untimely filing on Form 8-K regarding new Item 1.05 would not result in loss of Form S-3 or Form SF-3 eligibility received much support.
Finally, a number of commenters averred that Item 1.05 would conflict with other Federal and state cybersecurity reporting or other regulatory regimes. For example, one commenter stated Item 1.05 would counteract the goals of CIRCIA by requiring public disclosure of information the act would keep confidential, and went on to assert that CIRCIA was intended as the primary means for reporting incidents to the Federal government. Also related to CIRCIA, a number of commenters urged harmonization of the Commission’s proposal with forthcoming regulations expected from CISA pursuant to CIRCIA. Several commenters alleged Item 1.05 would conflict with rules the Department of Health and Human Services (“HHS”) has adopted pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”) regarding the reporting of private health information breaches. A few commenters likewise said Item 1.05 would conflict with the reporting regime set forth in Federal Communications Commission (“FCC”) regulations for breaches of customer proprietary network information. Conflicts were also alleged with regulations and programs of the Department of Defense (“DOD”), Department of Energy (“DOE”), and Department of Homeland Security (“DHS”). Commenters called for harmonization of Item 1.05 with regulations issued by Federal banking regulators, as well as with regulations of the Federal Trade Commission (“FTC”). Some commenters noted the potential interaction between the proposed rules and state laws. One commenter noted the McCarran-Ferguson Act, which provides that a state law preempts a federal statute if the state law was enacted for the purpose of regulating the business of insurance and the federal statute does not specifically relate to the business of insurance.
3. Final Amendments
Having considered the comments, we remain convinced that investors need timely, standardized disclosure regarding cybersecurity incidents materially affecting registrants’ businesses, and that the existing regulatory landscape is not yielding consistent and informative disclosure of cybersecurity incidents from registrants. However, we are revising the proposal in two important respects in response to concerns raised by commenters. First, we are narrowing the amount of information required to be disclosed, to better balance investors’ needs and registrants’ cybersecurity posture. And second, we are providing for a delay for disclosures that would pose a substantial risk to national security or public safety, contingent on a written notification by the Attorney General, who may take into consideration other Federal or other law enforcement agencies’ findings.
As described above, commenters’ criticisms of Item 1.05 generally arose from two aspects of the proposal: (1) the scope of disclosure; and (2) the timing of disclosure. With respect to disclosure scope, we note in particular commenter concerns that the disclosure of certain details required by proposed Item 1.05 could exacerbate security threats, both for the registrants’ systems and for systems in the same industry or beyond, and could chill threat information sharing within industries. We agree that a balancing of concerns consistent with our statutory authority is necessary in crafting Item 1.05 to avoid empowering threat actors with actionable information that could harm a registrant and its investors. However, we are not persuaded, as some commenters suggested, that we should forgo requiring disclosure of the existence of an incident while it is ongoing to avoid risks, such as the risk of tipping off threat actors. Some companies already disclose material cybersecurity incidents while they are ongoing and before they are fully remediated, but the timing, form, and substance of those disclosures are inconsistent. Several commenters indicated both that investors look for information regarding registrants’ cybersecurity incidents and that current disclosure levels are inadequate to their needs in making investment decisions. In addition, we note below in Section IV evidence showing that delayed reporting of cybersecurity incidents can result in mispricing of securities, and that such mispricing can be exploited by threat actors, employees, related third parties, and others through trades made before an incident becomes public. Accordingly, we believe it is necessary to adopt a requirement for uniform current reporting of material cybersecurity incidents.
To that end, and to balance investors’ needs with the concerns raised by commenters, we are streamlining Item 1.05 to focus the disclosure primarily on the impacts of a material cybersecurity incident, rather than on requiring details regarding the incident itself. The final rules will require the registrant to “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” We believe this formulation more precisely focuses the disclosure on what the company determines is the material impact of the incident, which may vary from incident to incident. The rule’s inclusion of “financial condition and results of operations” is not exclusive; companies should consider qualitative factors alongside quantitative factors in assessing the material impact of an incident. By way of illustration, harm to a company’s reputation, customer or vendor relationships, or competitiveness may be examples of a material impact on the company. Similarly, the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and Federal governmental authorities and non-U.S. authorities, may constitute a reasonably likely material impact on the registrant.
We are not adopting, as proposed, a requirement for disclosure regarding the incident’s remediation status, whether it is ongoing, and whether data were compromised. While some incidents may still necessitate, for example, discussion of data theft, asset loss, intellectual property loss, reputational damage, or business value loss, registrants will make those determinations as part of their materiality analyses. Further, we are adding an Instruction 4 to Item 1.05 to provide that a “registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.” While the Commission provided this assurance in the Proposing Release, we agree with some commenters that codifying it in the Item 1.05 instructions should provide added clarity to registrants on the type of disclosure required by Item 1.05.
With respect to commenters’ questions concerning the application of Item 1.05 to incidents occurring on third-party systems, we are not exempting registrants from providing disclosures regarding cybersecurity incidents on third-party systems they use, nor are we providing a safe harbor for information disclosed about third-party systems. While we appreciate the commenters’ concerns about a registrant’s reduced control over such systems, we note the centrality of the materiality determination: whether an incident is material is not contingent on where the relevant electronic systems reside or who owns them. In other words, we do not believe a reasonable investor would view a significant breach of a registrant’s data as immaterial merely because the data were housed on a third-party system, especially as companies increasingly rely on third-party cloud services that may place their data out of their immediate control. Instead, as discussed above, materiality turns on how a reasonable investor would consider the incident’s impact on the registrant.
Depending on the circumstances of an incident that occurs on a third-party system, disclosure may be required by both the service provider and the customer, or by one but not the other, or by neither. We appreciate that companies may have reduced visibility into third-party systems; registrants should disclose based on the information available to them. The final rules generally do not require that registrants conduct additional inquiries outside of their regular channels of communication with third-party service providers pursuant to those contracts and in accordance with registrants’ disclosure controls and procedures. This is consistent with the Commission’s general rules regarding the disclosure of information that is difficult to obtain.
Turning to disclosure timing, we believe that the modifications from the proposed rules regarding the disclosures called for by Item 1.05 alleviate many of the concerns some commenters had regarding the proposed disclosure deadline of four business days from the materiality determination. Because the streamlined disclosure requirements we are adopting are focused on an incident’s basic identifying details and its material impact or reasonably likely material impact, the registrant should have the information required to be disclosed under this rule as part of conducting the materiality determination. For example, most organizations’ materiality analyses will include consideration of the financial impact of a cybersecurity incident, so information regarding the incident’s impact on the registrant’s financial condition and results of operations will likely have already been developed when Item 1.05 is triggered. Thus, we believe that the four business day timeframe from the date of a materiality determination will be workable.
The reformulation of Item 1.05 also addresses the concern among commenters that the disclosure may be tentative and unclear, resulting in false positives and mispricing in the market. In the majority of cases, the registrant will likely be unable to determine materiality the same day the incident is discovered. The registrant will develop information after discovery until it is sufficient to facilitate a materiality analysis. At that point, we believe investors are best served knowing, within four business days after the materiality determination, that the incident occurred and what led management to conclude the incident is material. While it is possible that occasionally there may be incidents that initially appear material but developments after the filing of the Item 1.05 Form 8-K reveal to be not material, the alternative of delaying disclosure beyond the four business day period after a materiality determination has the potential to lead to far more mispricing and will negatively impact investors making investment and voting decisions without the benefit of knowing that there is a material cybersecurity incident.
Commenters posited an array of alternative deadlines for the Item 1.05 Form 8-K, as recounted above. We are not persuaded by commenters’ arguments that disclosure should be delayed until companies mitigate, contain, remediate, or otherwise diminish the harm of the incident, because, as discussed above, Item 1.05 does not require disclosure of the types of details that have the potential to be exploited by threat actors, but rather focuses on the incident’s material impact or reasonably likely material impact on the registrant. While there may be, as commenters noted, some residual risk of the disclosure of an incident’s existence tipping off threat actors, such risk is justified, in our view, by investors’ need for timely information, and similar risk already exists today with some companies’ current cybersecurity incident disclosure practices. We are also not persuaded that Item 1.05 is sufficiently different from other Form 8-K items such that deviating from the form’s four business day deadline following the relevant trigger would be indicated. While some commenters argued that Item 1.05 is qualitatively different from all other Form 8-K filings in that its trigger is largely outside the company’s control, we disagree because other Form 8-K items may also be triggered unexpectedly, such as Item 4.01 (Changes in Registrant’s Certifying Accountants) and Item 5.02 (Departure of Directors or Principal Officers). And as compared to those items, the information needed for Item 1.05 may be further along in development when the filing is triggered, whereas, for example, a company may have no advance warning that a principal officer is departing.
With respect to the five business day deadline suggested by a few commenters to allow registrants a full calendar week from the materiality determination to the disclosure, we note that in the majority of cases registrants will have had additional time leading up to the materiality determination, such that disclosure becoming due less than a week after discovery should be uncommon. More generally with respect to the various alternative timing suggestions, we observe that the Commission adopted the uniform four business day deadline in 2004 to simplify the previous bifurcated deadlines, and we find commenters have not offered any compelling rationale to return to bifurcated deadlines. Form 8-K provides for current reporting of events that tend to be material to investor decision-making, and we see no reason to render the reporting of Item 1.05 less current than other Form 8-K items.
In the Proposing Release, the Commission requested comment on whether to allow registrants to delay filing an Item 1.05 Form 8-K where the Attorney General determines that a delay is in the interest of national security. In response to comments, we are adopting a delay provision in cases where disclosure poses a substantial risk to national security or public safety. Pursuant to Item 1.05(c), a registrant may delay making an Item 1.05 Form 8-K filing if the Attorney General determines that the disclosure poses a substantial risk to national security or public safety and notifies the Commission of such determination in writing. Initially, disclosure may be delayed for a time period specified by the Attorney General, up to 30 days following the date when the disclosure was otherwise required to be provided. The delay may be extended for an additional period of up to 30 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.
In extraordinary circumstances, disclosure may be delayed for a final additional period of up to 60 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security and notifies the Commission of such determination in writing. We are providing for the final additional delay period in recognition that, in extraordinary circumstances, national security concerns may justify additional delay beyond that warranted by public safety concerns, due to the relatively more critical nature of national security concerns. Beyond the final 60-day delay, if the Attorney General indicates that further delay is necessary, the Commission will consider additional requests for delay and may grant such relief through Commission exemptive order.
We have consulted with the Department of Justice to establish an interagency communication process to allow for the Attorney General’s determination to be communicated to the Commission in a timely manner. The Department of Justice will notify the affected registrant that communication to the Commission has been made, so that the registrant may delay filing its Form 8-K.
We agree with commenters that a delay is appropriate for the limited instances in which public disclosure of a cybersecurity incident may cause harm to national security or public safety. The final rules appropriately balance such security concerns against investors’ informational needs. In particular, the provision’s “substantial risk to national security or public safety” bases are sufficiently expansive to ensure that significant risks of harm from disclosure may be protected against, while also ensuring that investors are not denied timely access to material information. With respect to commenters who recommended that other Federal agencies and non-Federal law enforcement agencies also be permitted to trigger a delay or who argued that other agencies may be the primary organization in the Federal government for the response, we note that the rule does not preclude any such agency from requesting that the Attorney General determine that the disclosure poses a substantial risk to national security or public safety and communicate that determination to the Commission. However, we believe that designating a single law enforcement agency as the Commission’s point of contact on such delays is critical to ensuring that the rule is administrable.
Turning to other timing-related issues raised by commenters, we are not adopting commenters’ suggestion to replace Item 1.05 with periodic reporting of material cybersecurity incidents on Forms 10-Q and 10-K because such an approach may result in significant variance as to when investors learn of material cybersecurity incidents. Based on when an incident occurs during a company’s reporting cycle, the timing between the materiality determination and reporting on the next Form 10-Q or Form 10-K could vary from a matter of months to a matter of weeks or less. For example, if two companies experience a similar cybersecurity incident, but one determines the incident is material early during a quarterly period and the other makes such determination at the end of the quarterly period, commenters’ suggested approach would have both companies report the incident around the same time despite the first company having determined the incident was material weeks or months sooner, which would result in a significant delay in this information being provided to investors. Such variance would therefore reduce comparability across registrants and may put certain registrants at a competitive disadvantage.
We also decline to use a quantifiable trigger for Item 1.05 because some cybersecurity incidents may be material yet not cross a particular financial threshold. We note above that the material impact of an incident may encompass a range of harms, some quantitative and others qualitative. A lack of quantifiable harm does not necessarily mean an incident is not material. For example, an incident that results in significant reputational harm to a registrant may not be readily quantifiable and therefore may not cross a particular quantitative threshold, but it should nonetheless be reported if the reputational harm is material. Similarly, whereas a cybersecurity incident that results in the theft of information may not be deemed material based on quantitative financial measures alone, it may in fact be material given the impact to the registrant that results from the scope or nature of harm to individuals, customers, or others, and therefore may need to be disclosed.
In another change from the proposal, and to respond to commenters’ concerns that the proposed “as soon as reasonably practicable” language in Instruction 1 could pressure companies to draw conclusions about incidents with insufficient information, we are revising the instruction to state that companies must make their materiality determinations “without unreasonable delay.” As explained in the Proposing Release, the instruction was intended to address any concern that some registrants may delay making such a determination to avoid a disclosure obligation. We understand commenter concerns that the proposed instruction could result in undue pressure to make a materiality determination before a registrant has sufficient information to do so, and we recognize that a materiality determination necessitates an informed and deliberative process. We believe the revised language should alleviate this unintended consequence, while providing registrants notice that, though the determination need not be rushed prematurely, it also cannot be unreasonably delayed in an effort to avoid timely disclosure. For example, for incidents that impact key systems and information, such as those the company considers its “crown jewels,” as well as incidents involving unauthorized access to or exfiltration of large quantities of particularly important data, a company may not have complete information about the incident but may know enough about the incident to determine whether the incident was material. In other words, a company being unable to determine the full extent of an incident because of the nature of the incident or the company’s systems, or otherwise the need for continued investigation regarding the incident, should not delay the company from determining materiality.
Similarly, if the materiality determination is to be made by a board committee, intentionally deferring the committee’s meeting on the materiality determination past the normal time it takes to convene its members would constitute unreasonable delay. As another example, if a company were to revise existing incident response policies and procedures in order to support a delayed materiality determination for or delayed disclosure of an ongoing cybersecurity event, such as by extending the incident severity assessment deadlines, changing the criteria that would require reporting an incident to management or committees with responsibility for public disclosures, or introducing other steps to delay the determination or disclosure, that would constitute unreasonable delay. In light of the revision to Instruction 1, we find that a safe harbor, as suggested by some commenters, is unnecessary; adhering to normal internal practices and disclosure controls and procedures will suffice to demonstrate good faith compliance. Importantly, we remind registrants, as the Commission did in the Proposing Release, that “doubts as to the critical nature” of the relevant information “will be common place” and should “be resolved in favor of those the statute is designed to protect,” namely investors.
Revised Instruction 1 should also reassure registrants that they should continue sharing information with other companies or government actors about emerging threats. Such information sharing may not necessarily result in an Item 1.05 disclosure obligation. The obligation to file the Item 1.05 disclosure is triggered once a company has developed information regarding an incident sufficient to make a materiality determination, and a decision to share information with other companies or government actors does not in itself necessarily constitute a determination of materiality. A registrant may alert similarly situated companies as well as government actors immediately after discovering an incident and before determining materiality, so long as it does not unreasonably delay its internal processes for determining materiality.
As proposed, we are adding Item 1.05 to the list of Form 8-K items in General Instruction I.A.3.(b) of Form S-3, so that the untimely filing of an Item 1.05 Form 8-K will not result in the loss of Form S-3 eligibility. We note the significant support from commenters regarding this proposal, and as noted in the Proposing Release, continue to believe that the consequences of the loss of Form S-3 eligibility would be unduly severe given the circumstances that will surround Item 1.05 disclosures. Likewise, as supported by many commenters, we are adopting as proposed amendments to Rules 13a-11(c) and 15d-11(c) under the Exchange Act to include new Item 1.05 in the list of Form 8-K items eligible for a limited safe harbor from liability under Section 10(b) or Rule 10b-5 under the Exchange Act. This accords with the view the Commission articulated in 2004 that the safe harbor is appropriate if the triggering event for the Form 8-K requires management to make a rapid materiality determination.
We decline to permit registrants to furnish rather than file the Item 1.05 Form 8-K, as suggested by some commenters. While we understand commenters’ points that reducing liability may ease the burden on registrants, we believe that treating Item 1.05 disclosures as filed will help promote the accuracy and reliability of such disclosures for the benefit of investors. Of the existing Form 8-K items, only Items 2.02 (Results of Operations and Financial Condition) and 7.01 (Regulation FD Disclosure) are permitted to be furnished rather than filed. The Commission created exceptions for those two items to allay concerns that do not pertain here. Specifically, with respect to Item 2.02, the Commission was motivated by concerns that requiring the information to be filed would discourage registrants from proactively issuing earnings releases and similar disclosures. Similarly, with respect to Item 7.01, the Commission decided to allow the disclosure to be furnished to address concerns that, if required to be filed, the disclosure could be construed as an admission of materiality, which might lead some registrants to avoid making proactive disclosure. By contrast, Item 1.05 is not a voluntary disclosure, and it is by definition material because it is not triggered until the registrant determines the materiality of an incident. It is thus more akin to the Form 8-K items other than Items 2.02 and 7.01, in that it is a description of a material event that has occurred about which investors need adequate information. Therefore, the final rules require an Item 1.05 Form 8-K to be filed.
We are not including a new rule to ban trading by insiders during the materiality determination time period, as suggested by some commenters. Those with a fiduciary duty or other relationship of trust and confidence are already prohibited from trading while in possession of material, nonpublic information. And because we are adopting the four business day from materiality determination deadline, we agree with the point raised by some commenters that the risk of insider trading is low given the limited time period between experiencing a material incident and public disclosure. We also note that we recently adopted amendments to 17 CFR 240.10b5-1 (“Rule 10b5-1”) that added a certification condition for directors and officers wishing to avail themselves of the rule’s affirmative defense; specifically, if relying on the amended affirmative defense, directors and officers need to certify in writing, at the time they adopt the trading plan, that they are unaware of material nonpublic information about the issuer or its securities, and are adopting the plan in good faith and not as part of a plan or scheme to evade the insider trading prohibitions. Therefore, given the timing of the incident disclosure requirement as well as the recently adopted amendments to Rule 10b5-1, we do not find need for a new rule banning trading by insiders during the time period between the materiality determination and disclosure.
A number of commenters raised concerns about conflicts with other Federal laws and regulations. Of the Federal laws and regulations that we reviewed and commenters raised concerns with, we have identified one conflict, with the FCC’s notification rule for breaches of customer proprietary network information (“CPNI”). Of the remaining Federal laws and regulations noted by commenters as presenting conflicts, our view is that Item 1.05 neither directly conflicts with nor impedes the purposes of other such laws and regulations.
The FCC’s rule for notification in the event of breaches of CPNI requires covered entities to notify the United States Secret Service (“USSS”) and the Federal Bureau of Investigation (“FBI”) no later than seven business days after reasonable determination of a CPNI breach, and further directs the entities to refrain from notifying customers or disclosing the breach publicly until seven business days have passed following the notification to the USSS and FBI. To accommodate registrants who are subject to this rule and may as a result face conflicting disclosure timelines, we are adding paragraph (d) to Item 1.05 providing that such registrants may delay making a Form 8-K disclosure up to the seven business day period following notification to the USSS and FBI specified in the FCC rule, with written notification to the Commission.
We also considered the conflicts commenters alleged with CIRCIA. Specifically, they stated that Item 1.05 is at odds with the goals of CIRCIA, and that it may conflict with forthcoming regulations from CISA. The confidential reporting system established by CIRCIA serves a different purpose from Item 1.05 and through different means; the former focuses on facilitating the Federal government’s preparation for and rapid response to cybersecurity threats, while the latter focuses on providing material information about public companies to investors in a timely manner. While CISA has yet to propose regulations to implement CIRCIA, given the statutory authority, text, and legislative history of CIRCIA, it appears unlikely the regulations would affect the balance of material information available to investors about public companies, because the reporting regime CIRCIA establishes is confidential. Nonetheless, the Commission participates in interagency working groups on cybersecurity regulatory implementation, and will continue to monitor developments in this area to determine if modification to Item 1.05 becomes appropriate in light of future developments.
We also considered the HIPAA-related conflict alleged by commenters, specifically with respect to HHS’s rule on Notification in the Case of Breach of Unsecured Protected Health Information. That rule provides, in the event of a breach of unsecured protected health information, for the covered entity to provide notification to affected individuals “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.” If the breach involves more than 500 residents of a state or jurisdiction, the rule directs the covered entity to also notify prominent media outlets within the same timeframe. The rule further provides that if a company receives written notice from “a law enforcement official” requesting a delay and specifying the length of the delay, then the company “shall … delay such notification, notice, or posting for the time period specified by the official.”
We do not view Form 8-K Item 1.05 as implicated by the HHS rule. Importantly, the HHS rule’s delay provision applies specifically to any “notification, notice, or posting required under this subpart,” or in other words notice to affected individuals, media, and the Secretary of HHS. Such notification focuses on the consequences of the breach for the affected individuals; for example, individuals must be told what types of protected health information were accessed, and what steps they should take to protect themselves from harm. This is different from the disclosure required by Item 1.05, which focuses on the consequences for the company that are material to investors, and whose timing is tied not to discovery but to a materiality determination. The HHS rule does not expressly preclude the latter type of public disclosure, or other potential communications companies experiencing a breach may make. Therefore, we believe that a registrant subject to the HHS rule will not face a conflict in complying with Item 1.05.
We also considered the conflicts commenters alleged with regulations and programs of DOD, DOE, DHS, the Federal banking regulatory agencies, state insurance laws, and miscellaneous other Federal agencies or laws. We find that, while there may be some overlap of subject matter, Item 1.05 neither conflicts with nor impedes the purpose of those regulations and programs. We disagree with one commenter’s assertion that cybersecurity incident disclosure “falls squarely within the jurisdiction of state insurance commissioners” as state cybersecurity incident reporting regulations would not pertain to the “business of insurance” as courts have interpreted the McCarran-Ferguson Act, and the commenter did not note any particular state insurance laws that would present a conflict. With respect to Federal banking regulatory agencies specifically, we note that, in the event they believe that the disclosure of a material cybersecurity incident would threaten the health of the financial system in such a way that results in a substantial risk to national security or public safety, they may, as explained above, work with the Department of Justice to seek to delay disclosure.
It would not be practical to further harmonize Item 1.05 with other agencies’ cybersecurity incident reporting regulations, as one commenter suggested, because Item 1.05 serves a different purpose—it is focused on the needs of investors, rather than the needs of regulatory agencies, affected individuals, or the like. With respect to state insurance and privacy laws, commenters did not provide any evidence sufficient to alter the Commission’s finding in the Proposing Release that, to the extent that Item 1.05 would require disclosure in a situation where state law would excuse or delay notification, we consider prompt reporting of material cybersecurity incidents to investors critical to investor protection and well-functioning, orderly, and efficient markets.
B. Disclosures about Cybersecurity Incidents in Periodic Reports
1. Proposed Amendments
The Commission proposed to add new Item 106 to Regulation S-K to, among other things, require updated cybersecurity disclosure in periodic reports. If a registrant previously provided disclosure regarding one or more cybersecurity incidents pursuant to Item 1.05 of Form 8-K, proposed 17 CFR 229.106(d)(1) (Regulation S-K “Item 106(d)(1)”) would require such registrant to disclose “any material changes, additions, or updates” on the registrant’s quarterly report on Form 10-Q or annual report on Form 10-K. In addition, proposed Item 106(d)(1) would require disclosure of the following information:
- Any material effect of the incident on the registrant’s operations and financial condition;
- Any potential material future impacts on the registrant’s operations and financial condition;
- Whether the registrant has remediated or is currently remediating the incident; and
- Any changes in the registrant’s policies and procedures as a result of the cybersecurity incident, and how the incident may have informed such changes.
The Commission explained that it paired current reporting under Item 1.05 of Form 8-K with periodic reporting under 17 CFR 229.106(d) (Regulation S-K “Item 106(d)”) to balance investors’ need for timely disclosure with their need for complete disclosure. When an Item 1.05 Form 8-K becomes due, the Commission noted, a registrant may not possess complete information about the material cybersecurity incident. Accordingly, under the proposed rules, a registrant would provide the information known at the time of the Form 8-K filing and follow up in its periodic reports with more complete information as it becomes available, along with any updates to previously disclosed information.
The Commission also proposed 17 CFR 229.106(d)(2) (Regulation S-K “Item 106(d)(2)”) to require disclosure in a registrant’s next periodic report when, to the extent known to management, a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate. The Proposing Release explained that this requirement may be triggered where, for example, a threat actor engages in a number of smaller but continuous related cyberattacks against the same company and collectively they become material. Item 106(d)(2) would require disclosure of essentially the same information required in proposed Item 1.05 of Form 8-K, as follows:
- A general description of when the incidents were discovered and whether they are ongoing;
- A brief description of the nature and scope of the incidents;
- Whether any data were stolen or altered in connection with the incidents;
- The effect of the incidents on the registrant’s operations; and
- Whether the registrant has remediated or is currently remediating the incidents.
2. Comments
Reaction among commenters to proposed Item 106(d)(1) was mixed. Some wrote in support, noting that updated incident disclosure is needed to avoid previously disclosed information becoming stale and misleading as more information becomes available, and saying that updates help investors assess the efficacy of companies’ cybersecurity procedures. Others took issue with specific aspects of the proposed rule. For example, some commenters stated that the proposed requirement to disclose “any potential material future impacts” is vague and difficult to apply, and urged removing or revising it. Similarly, other commenters said that registrants should not be required to describe progress on remediation, noting that such information could open them up to more attacks. In the same vein, one commenter suggested that no updates be required until remediation is sufficiently complete. One commenter said the requirement to disclose changes in policies and procedures is unnecessary and overly broad, and another commenter said the requirement should be narrowed to “material changes.”
More generally, commenters sought clarification on how to differentiate instances where updates should be included in periodic reports from instances where updates should be filed on Form 8-K; they found the guidance in the Proposing Release on this point “unclear.” And one commenter argued that, regardless of where the update is filed, the incremental availability of information would make it difficult for companies to determine when the update requirement is triggered.
With respect to proposed Item 106(d)(2), a large number of commenters expressed concern about the aggregation requirement, saying, for example, that companies experience too many events to realistically communicate internally upward to senior management, and that retaining and analyzing data on past events would be too costly. A number of other commenters relatedly said that, for the aggregation requirement to be workable, companies need more guidance on the nature, timeframe, and breadth of incidents that should be collated. In this regard, one supporter of the requirement explained in its request for additional guidance that “cybersecurity incidents are so unfortunately common that a strict reading of this section could cause overreporting to the point that it is meaningless for shareholders.”
Some commenters suggested revising the rule to cover only “related” incidents. Possible definitions offered for “related” incidents included those “performed by the same malicious actor or that exploited the same vulnerability,” and those resulting from “attacks on the same systems, processes or controls of a registrant over a specified period of time.”
Suggestions for limiting the time period over which aggregation should occur included the preceding one year, and the preceding two years. One commenter requested the Commission clarify that a company’s Item 106(d)(2) disclosure need describe only the aggregate material impact of the incidents, rather than describing each incident individually; the commenter was concerned with threat actors becoming informed of a company’s vulnerabilities through overly detailed disclosure. Another commenter suggested granting registrants additional time to come into compliance with Item 106(d)(2) after Commission adoption, so that they can develop system functionality to retain details about immaterial incidents.
Commenters also wrote in support of the aggregation requirement. One of these commenters stated that aggregation is needed especially where an advanced persistent threat actor seeks to exfiltrate data or intellectual property over time.
3. Final Amendments
In response to comments, we are not adopting proposed Item 106(d)(1) and instead are adopting a new instruction to clarify that updated incident disclosure must be provided in a Form 8-K amendment. Specifically, we are revising proposed Instruction 2 to Item 1.05 of Form 8-K to direct the registrant to include in its Item 1.05 Form 8-K a statement identifying any information called for in Item 1.05(a) that is not determined or is unavailable at the time of the required filing and then file an amendment to its Form 8-K containing such information within four business days after the registrant, without unreasonable delay, determines such information or within four business days after such information becomes available. This change mitigates commenters’ concerns with Item 106(d)(1). In particular, under the final rules, companies will not have to distinguish whether information regarding a material cybersecurity incident that was not determined or was unavailable at the time of the initial Form 8-K filing should be included on current reports or periodic reports, as the reporting would be in an amended Form 8-K; details that commenters suggested raised security concerns, such as remediation status, are not required; and concerns that the proposed rule was vague or overbroad have been addressed by narrowing the required disclosure to the information required by Item 1.05(a). We also believe that use of a Form 8-K amendment rather than a periodic report will allow investors to more quickly identify updates regarding incidents that previously were disclosed.
We appreciate that new information on a reported cybersecurity incident may surface only in pieces; the final rules, however, do not require updated reporting for all new information. Rather, Instruction 2 to Item 1.05 directs companies to file an amended Form 8-K with respect to any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing. Other than with respect to such previously undetermined or unavailable information, the final rules do not separately create or otherwise affect a registrant’s duty to update its prior statements. We remind registrants, however, that they may have a duty to correct prior disclosure that the registrant determines was untrue (or omitted a material fact necessary to make the disclosure not misleading) at the time it was made (for example, if the registrant subsequently discovers contradictory information that existed at the time of the initial disclosure), or a duty to update disclosure that becomes materially inaccurate after it is made (for example, when the original statement is still being relied on by reasonable investors). Registrants should consider whether they need to revisit or refresh previous disclosure, including during the process of investigating a cybersecurity incident.
We are not adopting proposed Item 106(d)(2), in response to concerns that the proposed aggregation requirement was vague or difficult to apply. We are persuaded by commenters that the proposed requirement might be difficult to differentiate from Item 1.05 disclosure, or by contrast, could result in the need for extensive internal controls and procedures to monitor all immaterial events to determine whether they have become collectively material. The intent of the proposed requirement was to capture the material impacts of related incidents, and prevent the avoidance of incident disclosure through disaggregation of such related events. However, upon further reflection, and after review of comments, we believe that the proposed requirement is not necessary based on the scope of Item 1.05.
To that end, we emphasize that the term “cybersecurity incident” as used in the final rules is to be construed broadly, as the Commission stated in the Proposing Release. The definition of “cybersecurity incident” we are adopting extends to “a series of related unauthorized occurrences.” This reflects that cyberattacks sometimes compound over time, rather than present as a discrete event. Accordingly, when a company finds that it has been materially affected by what may appear as a series of related cyber intrusions, Item 1.05 may be triggered even if the material impact or reasonably likely material impact could be parceled among the multiple intrusions to render each by itself immaterial. One example was provided in the Proposing Release: the same malicious actor engages in a number of smaller but continuous cyberattacks related in time and form against the same company and collectively, they are either quantitatively or qualitatively material. Another example is a series of related attacks from multiple actors exploiting the same vulnerability and collectively impeding the company’s business materially.
C. Disclosure of a Registrant’s Risk Management, Strategy and Governance Regarding Cybersecurity Risks
1. Risk Management and Strategy
a. Proposed Amendments
The Commission proposed to add 17 CFR 229.106(b) (Regulation S-K “Item 106(b)”) to require registrants to provide more consistent and informative disclosure regarding their cybersecurity risk management and strategy in their annual reports. The Commission noted the Division of Corporation Finance staff’s experience that most registrants disclosing a cybersecurity incident do not describe their cybersecurity risk oversight or any related policies and procedures, even though companies typically address significant risks by developing risk management systems that often include written policies and procedures.
Proposed Item 106(b) would require a description of the registrant’s policies and procedures, if any, for the identification and management of cybersecurity threats, including, but not limited to: operational risk (i.e., disruption of business operations); intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy laws and other litigation and legal risk; and reputational risk. As proposed, registrants would be required to include a discussion, as applicable, of:
- Whether the registrant has a cybersecurity risk assessment program and if so, a description of the program ((b)(1));
- Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program ((b)(2));
- Whether the registrant has policies and procedures to oversee, identify, and mitigate the cybersecurity risks associated with its use of any third-party service provider (including, but not limited to, those providers that have access to the registrant’s customer and employee data), including whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers ((b)(3));
- Whether the registrant undertakes activities to prevent, detect, and minimize effects of cybersecurity incidents ((b)(4));
- Whether the registrant has business continuity, contingency, and recovery plans in the event of a cybersecurity incident ((b)(5));
- Whether previous cybersecurity incidents have informed changes in the registrant’s governance, policies and procedures, or technologies ((b)(6));
- Whether cybersecurity related risk and incidents have affected or are reasonably likely to affect the registrant’s results of operations or financial condition and if so, how ((b)(7)); and
- Whether cybersecurity risks are considered as part of the registrant’s business strategy, financial planning, and capital allocation and if so, how ((b)(8)).
The Commission anticipated that proposed Item 106(b) would benefit investors by requiring more consistent disclosure of registrants’ strategies and actions to manage cybersecurity risks. Such risks, the Commission observed, can affect registrants’ business strategy, financial outlook, and financial planning, as companies increasingly rely on information technology, collection of data, and use of digital payments as critical components of their businesses.
The Commission noted that the significant number of cybersecurity incidents pertaining to third-party service providers prompted the proposal to require disclosure of registrants’ selection and oversight of third-party entities. The Commission also proposed requiring discussion of how prior cybersecurity incidents have affected or are reasonably likely to affect the registrant, because such disclosure would equip investors to better comprehend the level of cybersecurity risk the company faces and assess the company’s preparedness regarding such risk.
b. Comments
Many commenters supported proposed Item 106(b) for requiring information that is vital to investors as they assess companies’ risk profiles and make investment decisions. One said cybersecurity disclosures now are “scattered and unpredictable” rather than “uniform,” which “diminishes their effectiveness.” Similarly, another found that current disclosures “do not provide investors with the information necessary to evaluate whether companies have adequate governance structures and measures in place to deal with cybersecurity challenges.” The IAC recommended extending the proposed Item 106(b) disclosure requirements (as well as the proposed Item 106(c) disclosure requirements) to registration statements, stating that “pre-IPO companies may face heightened [cybersecurity] risks.”
By contrast, a number of commenters opposed proposed Item 106(b). In particular, they commented that much of the proposed Item 106(b) disclosure could increase a company’s vulnerability to cyberattacks; they expressed particular concern regarding the potential harms from disclosures about whether cybersecurity policies are in place, incident response processes and techniques, previous incidents and what changes they spurred, and third-party service providers. Another criticism was that proposed Item 106(b) would effectively force companies to model their cybersecurity policies on the rule’s disclosure elements, rather than the practices best suited to each company’s context. One commenter saw proposed Item 106(b) as counteracting the streamlining accomplished in the Commission’s 2020 release modernizing Regulation S-K.
Some commenters offered suggestions to narrow proposed Item 106(b) to address their concerns. On proposed paragraph (b)(1), one commenter recommended allowing a registrant to forgo describing its risk assessment program if it confirms that it “uses best practices and standards” to identify and protect against cybersecurity risks and detect and respond to such events. On proposed paragraph (b)(3), a few commenters said that registrants should be required to disclose only high-level information relating to third parties, such as confirmation that policies and procedures are appropriately applied to third-party selection and oversight, and should not have to identify the third parties or discuss the underlying mechanisms, controls, and contractual requirements.
Some commenters opposed proposed paragraph (b)(6)’s requirement to discuss whether “previous cybersecurity incidents informed changes in the registrant’s governance, policies and procedures, or technologies” entirely, stating it would undermine a registrant’s cybersecurity. One commenter recommended the proposed (b)(6) disclosure be required only at a high level, without specific details, while two commenters appeared to propose only requiring disclosure as it pertains to previous material incidents. Commenters suggested a materiality filter for proposed paragraph (b)(7)’s requirement to discuss whether “cybersecurity-related risks and previous cybersecurity-related incidents have affected or are reasonably likely to affect the registrant’s strategy, business model, results of operations, or financial condition and if so, how,” so that the requirement would apply only where a registrant has been materially affected or is reasonably likely to be materially affected.
More broadly, one commenter recommended replacing the rule’s references to “policies and procedures” with “strategy and programs,” because in the commenter’s experience companies may not codify their cybersecurity strategy in the same way they codify other compliance policies and procedures. One commenter also suggested offering companies the choice to place the proposed Item 106(b) disclosures in either the Form 10-K or the proxy statement.
Several commenters supported requiring registrants that lack cybersecurity policies and procedures to explicitly say so, commenting, for example, that “investors should not be left to intuit the meaning of a company’s silence in its disclosures.” One commenter further stated that registrants should be required to explain why they have not adopted cybersecurity policies and procedures. By contrast, two commenters opposed requiring registrants that lack cybersecurity policies and procedures to explicitly say so, with one commenter saying that “a threat actor may target registrants they perceive to have unsophisticated cybersecurity programs,” and the other commenter saying “it is highly unlikely that any SEC registrants would not have ‘established any cybersecurity policies and procedures.’”
In response to the Commission’s request for comment about whether to require a registrant to specify whether any cybersecurity assessor, consultant, auditor, or other service provider that it relies on is through an internal function or through an external third-party service provider, several commenters opposed the idea as not useful, with one saying that “a significant majority—possibly the entirety—of SEC registrants” rely on third-party service providers for some portion of their cybersecurity. Conversely, another commenter supported the third-party specification, and suggested requiring registrants to name the third parties, as over time, this would create more transparency in whether breaches correlate with specific third parties.
Commenters also offered a range of recommended additions to the rule. One commenter recommended modifying proposed paragraph (b)(1) to require registrants to specify whether their cybersecurity programs assess risks continuously or periodically, arguing the latter approach leaves companies more exposed. The same commenter suggested paragraph (b)(2) require “a description of the class of services and solutions” provided by third parties.
A few commenters recommended that we direct registrants to quantify their cybersecurity risk exposure through independent risk assessments. Similarly, one commenter urged us to require registrants to explain how they quantify their cybersecurity risk, while another said we should set out quantifiable metrics against which companies measure their cybersecurity systems, though it did not specify what these metrics should be. Two commenters suggested that we require companies to disclose whether their cybersecurity programs have been audited by a third party. And one commenter recommended that we require registrants to disclose whether they use the cybersecurity framework of the National Institute of Standards and Technology (“NIST”), to ease comparison of registrant risk profiles.
c. Final Amendments
We continue to believe that investors need information on registrants’ cybersecurity risk management and strategy, and that uniform, comparable, easy to locate disclosure will not emerge absent new rules. Commenters raised concerns with proposed Item 106(b)’s security implications and what they saw as its prescriptiveness. We agree that extensive public disclosure on how a company plans for, defends against, and responds to cyberattacks has the potential to advantage threat actors. Similarly, we acknowledge commenters’ concerns that the final rule could unintentionally affect a registrant’s risk management and strategy decision-making. In response to those comments, we confirm that the purpose of the rules is, and was at proposal, to inform investors, not to influence whether and how companies manage their cybersecurity risk. Additionally, to respond to commenters’ concerns about security, the final rules eliminate or narrow certain elements from proposed Item 106(b). We believe the resulting rule requires disclosure of information material to the investment decisions of investors, in a way that is comparable and easy to locate, while steering clear of security sensitive details.
As adopted, 17 CFR 229.106(b)(1) (Regulation S-K “Item 106(b)(1)”) requires a description of “the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.” We believe this revised formulation of the rule should help avoid levels of detail that may go beyond information that is material to investors and address commenters’ concerns that those details could increase a company’s vulnerability to cyberattack. We have also substituted the term “processes” for the proposed “policies and procedures” to avoid requiring disclosure of the kinds of operational details that could be weaponized by threat actors, and because the term “processes” more fully encompasses registrants’ cybersecurity practices than “policies and procedures,” which suggests formal codification. We still expect the disclosure to allow investors to ascertain a registrant’s cybersecurity practices, such as whether it has a risk assessment program in place, with sufficient detail for investors to understand the registrant’s cybersecurity risk profile. The shift to “processes” also obviates the question of whether to require companies that do not have written policies and procedures to disclose that fact. We believe that, to the extent a company discloses that it faces a material cybersecurity risk in connection with its overall disclosures of material risks, an investor can ascertain whether such risks have resulted in the adoption of processes to assess, identify, and manage material cybersecurity risks based on whether the company also makes such disclosures under the final rules.
We have also added a materiality qualifier to the proposed requirement to disclose “risks from cybersecurity threats,” and have removed the proposed list of risk types (i.e., “intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy laws and other litigation and legal risk; and reputational risk”), to foreclose any perception that the rule prescribes cybersecurity policy. We continue to believe these are the types of risks that registrants may face in this context, and enumerate them here as guidance. We note that registrants will continue to tailor their cybersecurity processes to threats as they perceive them. The rule requires registrants to describe those processes insofar as they relate to material cybersecurity risks.
We have also revised Item 106(b)’s enumerated disclosure elements in response to commenters that raised concerns regarding the level of detail required by some elements of the proposal. Specifically, we are not adopting proposed paragraphs (4) (prevention and detection activities), (5) (continuity and recovery plans), and (6) (previous incidents). We have similarly revised proposed paragraph (3) to eliminate some of the detail it required, consistent with commenter suggestions to require only high-level disclosure regarding third-party service providers. The enumerated elements that a registrant should address in its Item 106(b) disclosure, as applicable, are:
- Whether and how the described cybersecurity processes in Item 106(b) have been integrated into the registrant’s overall risk management system or processes;
- Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
- Whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.
We have also revised the rule text to clarify that the above elements compose a non-exclusive list of disclosures; registrants should additionally disclose whatever information is necessary, based on their facts and circumstances, for a reasonable investor to understand their cybersecurity processes.
We have moved proposed paragraph (7) into a separate paragraph, at 17 CFR 229.106(b)(2) (Regulation S-K “Item 106(b)(2)”), instead of including it in the enumerated list in Item 106(b)(1), and have added a materiality qualifier in response to a comment. Item 106(b)(2) requires a description of “whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how.”
The final rules will require disclosure of whether a registrant engages assessors, consultants, auditors, or other third parties in connection with their cybersecurity because we believe it is important for investors to know a registrant’s level of in-house versus outsourced cybersecurity capacity. We understand that many registrants rely on third-party service providers for some portion of their cybersecurity, and we believe this information is accordingly necessary for investors to assess a company’s cybersecurity risk profile in making investment decisions. However, we are not persuaded, as one commenter contended, that registrants should be required to name the third parties (though they may choose to do so), because we believe this may magnify concerns about increasing a company’s cybersecurity vulnerabilities. For the same reason, we decline the commenter suggestion to require a description of the services provided by third parties.
We are also not persuaded that risk quantification or other quantifiable metrics are appropriate as mandatory elements of a cybersecurity disclosure framework. While such metrics may be used by registrants and investors in the future, commenters did not identify any such metrics that would be appropriate to mandate at this time. Additionally, to the extent that a registrant uses any quantitative metrics in assessing or managing cybersecurity risks, it may disclose such information voluntarily. For similar reasons, we decline commenters’ recommendations to require disclosure of independent assessments and audits, as well as commenters’ recommendations on disclosure of use of the NIST framework, and on distinguishing between continuous and periodic risk assessment.
We decline the commenter suggestion to allow Item 106(b) disclosure to be provided in the proxy statement, as the proxy statement is generally confined to information pertaining to the election of directors. We are also not requiring Item 106 disclosures in registration statements as recommended by the IAC, consistent with our efforts to reduce the burdens associated with the final rule. However, as discussed further below, we reiterate the Commission’s guidance from the 2018 Interpretive Release that “[c]ompanies should consider the materiality of cybersecurity risks and incidents when preparing the disclosure that is required in registration statements.” Finally, we note that registrants may satisfy the Item 106 disclosure requirements through incorporation by reference pursuant to 17 CFR 240.12b-23 (“Rule 12b-23”).
2. Governance
a. Proposed Amendments
The Commission proposed to add 17 CFR 229.106(c) (Regulation S-K “Item 106(c)”) to require a description of management and the board’s oversight of a registrant’s cybersecurity risk. This information would complement the proposed risk management and strategy disclosure by clarifying for investors how a registrant’s leadership oversees and implements its cybersecurity processes. Proposed 17 CFR 229.106(c)(1) (Regulation S-K “Item 106(c)(1)”) would focus on the board’s role, requiring discussion, as applicable, of:
- Whether the entire board, specific board members, or a board committee is responsible for the oversight of cybersecurity risks;
- The processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and
- Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight.
Proposed 17 CFR 229.106(c)(2) (Regulation S-K “Item 106(c)(2)”) meanwhile would require a description of management’s role in assessing and managing cybersecurity-related risks, as well as its role in implementing the registrant’s cybersecurity policies, procedures, and strategies, including at a minimum discussion of:
- Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents, and the relevant expertise of such persons or members;
- Whether the registrant has a designated chief information security officer, or someone in a comparable position, and if so, to whom that individual reports within the registrant’s organizational chart, and the relevant expertise of any such persons;
- The processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents; and
- Whether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk.
The Proposing Release explained that proposed Item 106(c)(1) would reinforce the Commission’s 2018 Interpretive Release, which said that disclosure on how a board engages management on cybersecurity helps investors assess the board’s exercise of its oversight responsibility. The Proposing Release noted that proposed Item 106(c)(2) would be of importance to investors in that it would help investors understand how registrants are planning for cybersecurity risks and inform their decisions on how best to allocate their capital.
b. Comments
A few commenters supported proposed Item 106(c) as providing investors with more uniform and informed understanding of registrants’ governance of cybersecurity risks. A number of commenters opposed proposed Item 106(c). They contended that the proposed Item 106(c) disclosures would be too granular to be decision-useful; instead, some of these commenters recommended that we limit the rule to a high-level explanation of management and the board’s role in cybersecurity risk oversight.
One commenter said proposed Item 106(c)(1) should be dropped because it duplicates existing 17 CFR 229.407(h) (Regulation S-K “Item 407(h)”), which requires reporting of material information regarding a board’s leadership structure and role in risk oversight, including how it administers its oversight function. Others saw similarities with Item 407(h) as well and suggested instead that proposed Item 106(c) be subsumed into Item 407, thus co-locating governance disclosures.
In response to a request for comment in the Proposing Release on whether the Commission should expressly provide for the use of hyperlinks or cross-references in Item 106, one commenter supported the use of hyperlinks and cross-references, but sought clarification of whether the practice is already permitted under Commission rules. Another commenter opposed, saying Item 407(h)’s more general discussion of board governance is distinct from Item 106(c)(1)’s specific focus on cybersecurity. The commenter cautioned that allowing registrants to employ hyperlinks and cross-references in Item 106 would lead to “less detail,” resulting in disclosure insufficient to investor needs.
One commenter recommended that we move proposed Item 106(c)(2) to the enumerated list of topics called for in proposed Item 106(b). Another commenter suggested expanding the rule to include disclosure of management and staff training on cybersecurity, asserting that the information is useful to investors because policies depend on staff for successful implementation. Two commenters suggested allowing the Item 106(c) disclosures to be made in the proxy statement.
c. Final Amendments
In response to comments, and aligned with our changes to Item 106(b), we have streamlined Item 106(c) to require disclosure that is less granular than proposed. Under Item 106(c)(1) as adopted, registrants must “[d]escribe the board’s oversight of risks from cybersecurity threats,” and, if applicable, “identify any board committee or subcommittee responsible” for such oversight “and describe the processes by which the board or such committee is informed about such risks.” We have removed proposed Item 106(c)(1)(iii), which had covered whether and how the board integrates cybersecurity into its business strategy, risk management, and financial oversight. While we have also removed the proposed Item 106(c)(1)(ii) requirement to disclose “the frequency of [the board or committee’s] discussions” on cybersecurity, we note that, depending on context, some registrants’ descriptions of the processes by which their board or relevant committee is informed about cybersecurity risks may include discussion of frequency.
Given these changes, we find that Item 407(h) and Item 106(c)(1) as adopted serve distinct purposes and should not be combined, as suggested by some commenters—the former requires description of the board’s leadership structure and administration of risk oversight generally, while the latter requires detail of the board’s oversight of specific cybersecurity risk. As noted by one commenter, to the extent these disclosures are duplicative, a registrant would be able to incorporate such information by reference.
We have also modified Item 106(c)(2) to add a materiality qualifier, to make clear that registrants must “[d]escribe management’s role in assessing and managing the registrant’s material risks from cybersecurity threats” (emphasis added). The enumerated disclosure elements now constitute a “non-exclusive list” registrants should consider including. We have revised the first element to require the disclosure of management positions or committees “responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise.” Because this requirement would typically encompass identification of whether a registrant has a chief information security officer, or someone in a comparable position, we are not adopting the proposed second element that would have specifically called for disclosure of whether the registrant has a designated chief information security officer. Given our purpose of streamlining the disclosure requirements, we also are not adopting the proposed requirement to disclose the frequency of management-board discussions on cybersecurity, though, as noted above, discussion of frequency may in some cases be included as part of describing the processes by which the board or relevant committee is informed about cybersecurity risks in compliance with Item 106(c)(1), to the extent it is relevant to an understanding of the board’s oversight of risks from cybersecurity threats.
Thus, as adopted, Item 106(c)(2) directs registrants to consider disclosing the following as part of a description of management’s role in assessing and managing the registrant’s material risks from cybersecurity threats:
- Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
- The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
- Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.
As many commenters recommended, these elements are limited to disclosure that we believe balances investors’ needs to understand a registrant’s governance of risks from cybersecurity threats in sufficient detail to inform an investment or voting decision with concerns that the proposal could inadvertently pressure registrants to adopt specific or inflexible cybersecurity-risk governance practices or organizational structures. We do not believe these disclosures should be subsumed into Item 106(b), as one commenter recommended, because identifying the management committees and positions responsible for risks from cybersecurity threats is distinct from describing the cybersecurity practices management has deployed. We also decline the commenter suggestion to require disclosure of management and staff training on cybersecurity; registrants may choose to make such disclosure voluntarily. Finally, we decline the commenter suggestion to allow Item 106(c) disclosure to be provided in the proxy statement; governance information in the proxy statement is generally meant to inform shareholders’ voting decisions, whereas Item 106(c) disclosure informs investors’ assessment of investment risk.
3. Definitions
a. Proposed Definitions
The Commission proposed to define three terms to delineate the scope of the amendments: “cybersecurity incident,” “cybersecurity threat,” and “information systems.” Proposed 17 CFR 229.106(a) (Regulation S-K “Item 106(a)”) would define them as follows:
- Cybersecurity incident means an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.
- Cybersecurity threat means any potential occurrence that may result in an unauthorized effort to adversely affect the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein.
- Information systems means information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant’s information to maintain or support the registrant’s operations.
As noted above, the Commission explained that what constitutes a “cybersecurity incident” should be construed broadly, encompassing a range of event types.
b. Comments
Most commenters that offered feedback on the proposed definitions suggested narrowing them in some fashion. On “cybersecurity incident,” many commenters urged limiting the definition to cases of actual harm, thereby excluding incidents that had only the potential to cause harm. They suggested accomplishing this by replacing “jeopardizes” with phrases such as “adversely affects” or “results in substantial loss of.” One of these commenters noted that such a change would more closely align the definition with that in CIRCIA. Other commenters objected to the definition’s use of “any information” as overbroad, saying it would lead to inconsistent application. One commenter sought clarification of whether the definition encompasses accidental incidents, such as chance technology outages, that do not involve a malicious actor, while another commenter advocated broadening the definition to any incident materially disrupting operations, regardless of what precipitated it.
On “cybersecurity threat,” commenters urged narrowing the rule by replacing the language “may result in” with “could reasonably be expected to result in” or some other probability threshold. One stated that “the use of a ‘may’ standard establishes an unhelpfully low standard that would require registrants to establish policies and procedures to identify threats that are potentially overbroad and not appropriately tailored to those threats that are reasonably foreseeable.” In a similar vein, two commenters objected to the language “any potential occurrence” as over-inclusive and lacking “instructive boundaries.”
On “information systems,” many commenters favored replacing “owned or used by” with “owned or operated by,” “owned or controlled by,” or like terms, so that registrants’ reporting obligations stop short of incidents on third-party information systems. A few commenters said the definition could be construed to cover hard-copy information and should be revised to foreclose such a reading.
More broadly, many commenters advised the Commission to align these definitions with comparable definitions in other Federal laws and regulations, such as CIRCIA and NIST. One commenter explained that “aligning definitions with those in existing federal laws and regulations would help ensure that the defined terms are consistently understood, interpreted and applied in the relevant disclosure.” However, another commenter cautioned against aligning with definitions, such as those of NIST, that were developed with a view toward internal risk management and response rather than external reporting; the commenter identified CIRCIA and the Federal banking regulators’ definitions as more apposite. One commenter noted that additional proposed defined terms were included in the Commission’s rulemaking release Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies that were not included in the Proposing Release and recommended that we “consider whether the defined terms should be consistent.”
In the Proposing Release, the Commission asked whether to define other terms used in the proposed amendments, and specifically sought comment on whether a definition of “cybersecurity” would be useful. Several commenters supported defining “cybersecurity,” reasoning, for example, that any rulemaking on cybersecurity should define that baseline term; that, left undefined, the term would be open to varying interpretations; and that details such as whether hardware is covered should be resolved. Separately, two commenters recommended the Commission define “operational technology,” with one explaining that the “proposed definitions understandably focus on data breaches, which are a major cybersecurity threat, but we believe an operational technology breach could have even more detrimental effects in certain cases (such as for ransomware attacks that have impacted critical infrastructure) and warrants disclosure guidance from the Commission.”
Several commenters also sought either a formal definition or more guidance on the term “material” specific to the cybersecurity space. Some read the proposal, particularly the incident examples provided in the Proposing Release, as lowering the bar for materiality and being overly subjective, which they indicated may result in over-reporting of cybersecurity incidents or introduce uncertainty, and they urged the Commission to affirm the standard materiality definition. Another commenter sought cybersecurity-specific guidance on materiality, including “concrete thresholds to assist registrants in determining materiality.” A few commenters recommended conditioning the materiality determination on the underlying information being verified to “a high degree of confidence” and “unlikely to materially change,” while one commenter looked to replace materiality altogether with a significance standard like that in CIRCIA.
c. Final Definitions
We are adopting definitions for “cybersecurity incident,” “cybersecurity threat,” and “information systems” largely as proposed, with three modifications.
First, on “cybersecurity incident,” we are adding the phrase “or a series of related unauthorized occurrences” to the “cybersecurity incident” definition. This reflects our guidance in Section II.B.3 above that a series of related occurrences may collectively have a material impact or reasonably likely material impact and therefore trigger Form 8-K Item 1.05, even if each individual occurrence on its own would not rise to the level of materiality. Second, we are making a clarifying edit to “information systems.” Some commenters said the definition could be construed to cover hard-copy resources. We recognize that reading is possible, if unlikely and unintended, and we are therefore inserting “electronic” before “information resources,” to ensure the rules pertain only to electronic resources. Third, we are making minor revisions to the “cybersecurity threat” definition for clarity and to better align it with the “cybersecurity incident” definition.
Accordingly, the definitions are as follows:
- Cybersecurity incident means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.
- Cybersecurity threat means any potential unauthorized occurrence on or conducted through a registrant’s information systems that may result in adverse effects on the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein.
- Information systems means electronic information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant’s information to maintain or support the registrant’s operations.
We recognize commenters’ concern regarding the term “jeopardizes” in the proposed “cybersecurity incident” definition and the resulting scope of the definition. Nonetheless, we note that the definition is not self-executing; rather it is operationalized by Item 1.05, which is conditioned on the incident having been material to the registrant. Typically that would entail actual harm, though the harm may sometimes be delayed, and a material cybersecurity incident may not result in actual harm in all instances. For example, a company whose intellectual property is stolen may not suffer harm immediately, but it may foresee that harm will likely occur over time as that information is sold to other parties, such that it can determine materiality before the harm occurs. The reputational harm from a breach may similarly increase over time in a foreseeable manner. There may also be cases, even if uncommon, where the jeopardy caused by a cybersecurity incident materially affects the company, even if the incident has not yet caused actual harm. In such circumstances, we believe investors should be apprised of the material effects of the incident. We are therefore retaining the word “jeopardizes” in the definition.
We are not persuaded that the proposed “cybersecurity incident” definition’s use of “any information” would lead to inconsistent application of the definition among issuers or cause a risk of over-reporting, as suggested by some commenters. As noted above, the “cybersecurity incident” definition is operationalized by Item 1.05. Item 1.05 does not require disclosure whenever “any information” is affected by an intruder. Disclosure is triggered only when the resulting effect of an incident on the registrant is material.
We are also retaining “unauthorized” in the incident definition as proposed. In general, we believe that an accidental occurrence is an unauthorized occurrence. Therefore, we note that an accidental occurrence may be a cybersecurity incident under our definition, even if there is no confirmed malicious activity. For example, if a company’s customer data are accidentally exposed, allowing unauthorized access to such data, the data breach would constitute a “cybersecurity incident” that would necessitate a materiality analysis to determine whether disclosure under Item 1.05 of Form 8-K is required.
On “cybersecurity threat,” we appreciate commenters’ concerns with the proposed definition’s use of “may result in” and “any potential occurrence.” Unlike with “cybersecurity incident,” where the interplay of the proposed definition with proposed Item 1.05 ensured only material incidents would become reportable, proposed Item 106(b)’s reference to “the identification and management of risks from cybersecurity threats” was not qualified by materiality. We are therefore adding a materiality condition to Item 106(b). As adopted, Item 106(b) will require disclosure of registrants’ processes to address the material risks of potential occurrences that could reasonably result in an unauthorized effort to adversely affect the confidentiality, integrity, or availability of a registrant’s information systems. Given the addition of a materiality condition to Item 106(b), we do not believe that further revision to the “cybersecurity threat” definition is warranted.
On “information systems,” we decline to change “owned or used by” to “owned or operated by,” “owned or controlled by,” or similar terms advanced by commenters. Commenters recognized that “used by” covers information resources owned by third parties. That is by design: covering third party systems is essential to the working of Item 106 of Regulation S-K and Item 1.05 of Form 8-K. As we explain above, in Section II.A.3, the materiality of a cybersecurity incident is contingent neither on where the relevant electronic systems reside nor on who owns them, but rather on the impact to the registrant. We do not believe that a reasonable investor would view a significant data breach as immaterial merely because the data are housed on a cloud service. If we were to remove “used by,” a registrant could evade the disclosure requirements of the final rules by contracting out all of its information technology needs to third parties. Accordingly, the definition of “information systems” contemplates those resources owned by third parties and used by the registrant, as proposed.
In considering commenters’ suggestion to align our definitions with CIRCIA, NIST, and other Federal regulations, we observe that there is no one standard definition for these terms, and that regulators have adopted definitions based on the specific contexts applicable to their regulations. Nonetheless, we also observe that the final “cybersecurity incident” definition is already similar to the CIRCIA and NIST incident definitions, in that all three focus on the confidentiality, integrity, and availability of information systems. Our definition of “information systems” also tracks CIRCIA and NIST, as all three cover “information resources” that are “organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition” of information. Of course, the definitions do not match precisely, but some variation is inevitable where various Federal laws and regulations have different purposes, contexts, and goals. We therefore find that further alignment is not needed.
We decline to define any other terms. We acknowledge commenters who asked for additional guidance regarding the application of a materiality determination to cybersecurity or sought to replace materiality with a significance standard. As noted in the Proposing Release, however, we expect that registrants will apply materiality considerations as would be applied regarding any other risk or event that a registrant faces. Carving out a cybersecurity-specific materiality definition would mark a significant departure from current practice, and would not be consistent with the intent of the final rules. Accordingly, we reiterate, consistent with the standard set out in the cases addressing materiality in the securities laws, that information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.” Because materiality’s focus on the total mix of information is from the perspective of a reasonable investor, companies assessing the materiality of cybersecurity incidents, risks, and related issues should do so through the lens of the reasonable investor. Their evaluation should take into consideration all relevant facts and circumstances, which may involve consideration of both quantitative and qualitative factors. Thus, for example, when a registrant experiences a data breach, it should consider both the immediate fallout and any longer term effects on its operations, finances, brand perception, customer relationships, and so on, as part of its materiality analysis. We also note that, given the fact-specific nature of the materiality determination, the same incident that affects multiple registrants may not become reportable at the same time, and it may be reportable for some registrants but not others.
We also decline to separately define “cybersecurity,” as suggested by some commenters. We do not believe such further definition is necessary, given the broad understanding of this term. To that end, we note that the cybersecurity industry itself appears not to have settled on an exact definition, and because the field is quickly evolving and is expected to continue to evolve over time, any definition codified in regulation could soon become stale as technology develops. Likewise, the final rules provide flexibility by not defining “cybersecurity,” allowing a registrant to determine meaning based on how it considers and views such matters in practice, and on how the field itself evolves over time.
We decline to define “operational technology” as suggested by some commenters because the term does not appear in the rules we are adopting.
D. Disclosure Regarding the Board of Directors’ Cybersecurity Expertise
1. Proposed Amendments
Congruent with proposed Item 106(c)(1) on the board’s oversight of cybersecurity risk, the Commission proposed adding 17 CFR 229.407(j) (Regulation S-K “Item 407(j)”) to require disclosure about the cybersecurity expertise, if any, of a registrant’s board members. The proposed rule did not define what constitutes expertise, given the wide-ranging nature of cybersecurity skills, but included a non-exclusive list of criteria to consider, such as prior work experience, certifications, and the like. As proposed, paragraph (j) would build on existing 17 CFR 229.401(e) (Regulation S-K “Item 401(e)”) (business experience of directors) and Item 407(h) (board risk oversight), and would be required in the annual report on Form 10-K and in the proxy or information statement when action is to be taken on the election of directors. Thus, the Proposing Release said, proposed Item 407(j) would help investors in making both investment and voting decisions.
The Commission also proposed to include a safe harbor in 17 CFR 229.407(j)(2) (Regulation S-K “Item 407(j)(2)”) providing that any directors identified as cybersecurity experts would not be deemed experts for liability purposes, including under Section 11 of the Securities Act. This was intended to clarify that identified directors do not assume any duties, obligations, or liabilities greater than those assumed by non-expert directors. Nor would such identification decrease the duties, obligations, and liabilities of non-expert directors relative to identified directors.
2. Comments
Proposed Item 407(j) garnered significant comment. Supporters wrote that understanding a board’s level of cybersecurity expertise is important to assessing a company’s ability to manage cybersecurity risk. For example, one commenter said “board cybersecurity expertise serves as a useful starting point for investors to assess a company’s approach to cybersecurity;” while another commenter said investors need the Item 407(j) disclosure “to cast informed votes on directors.” One comment letter submitted an academic study by the authors of the letter and noted that its findings “underscore the importance of understanding the role of boards in cybersecurity oversight.”
By contrast, many commenters argued cybersecurity risk is not intrinsically different from other risks that directors assess with or without specific technical expertise. For example, one reasoned that, given the “ever-changing range of risks confronting a company,” directors require “broad-based skills in risk and management oversight, rather than subject matter expertise in one particular type of risk.” Commenters also predicted the disclosure requirement would pressure companies to retain cybersecurity experts on their board, and submitted there is not enough cybersecurity talent in the marketplace at this time for all or most companies to do so. One of these commenters further contended that finding such expertise will be harder for smaller reporting companies. Another commenter warned that, given the current cybersecurity talent pool, the end result may be lower diversity on boards; and one said hiring cybersecurity experts to the board may come at the expense of spending on a company’s cybersecurity defenses. Commenters also expressed concern that the identified expert directors would face elevated risks, such as being targeted by nation states for surveillance or hackers attempting to embarrass them, thus creating a disincentive to board service.
More generally, sentiment among those opposed to Item 407(j) was that the rule is overly prescriptive and in effect would direct how companies operate their cybersecurity programs. As an alternative, some commenters pushed for other ways to show competency, such as identifying outside experts the board relies on for cybersecurity expertise, disclosing how frequently the board meets with the chief information security officer, listing relevant director training, and relying on adjacent technology skills.
Whether they supported or opposed the proposed disclosure requirement, commenters largely endorsed the proposed Item 407(j)(2) safe harbor; its absence, they said, could make candidates with cybersecurity expertise reluctant to serve on boards. Two commenters requested the Commission define “cybersecurity expertise;” one of them said being “duly accredited and certified as a cybersecurity professional” should be a prerequisite, and posited specific industry certifications to establish expertise. Another commenter suggested adding participation in continuing education to the 17 CFR 229.407(j)(1)(i) factors considered in assessing expertise.
3. Final Amendments
After considering the comments, we are not adopting proposed Item 407(j). We are persuaded that effective cybersecurity processes are designed and administered largely at the management level, and that directors with broad-based skills in risk management and strategy often effectively oversee management’s efforts without specific subject matter expertise, as they do with other sophisticated technical matters. While we acknowledge that some commenters indicated that the proposed Item 407(j) information would be helpful to investors, we nonetheless agree that it may not be material information for all registrants. We believe investors can form sound investment decisions based on the information required by Items 106(b) and (c) without the need for specific information regarding board-level expertise. And to that end, a registrant that has determined that board-level expertise is a necessary component to the registrant’s cyber-risk management would likely provide that disclosure pursuant to Items 106(b) and (c).
E. Disclosure by Foreign Private Issuers
Proposed Amendments
The Commission proposed to establish disclosure requirements for FPIs parallel to those proposed for domestic issuers in Regulation S-K Items 106 and 407(j) and Form 8-K Item 1.05. Specifically, the Commission proposed to amend Form 20-F to incorporate the requirements of proposed Item 106 and 407(j) to disclose information regarding an FPI’s cybersecurity risk management, strategy, and governance. With respect to incident disclosure, the Commission proposed to: (1) amend General Instruction B of Form 6-K to reference material cybersecurity incidents among the items that may trigger a current report on Form 6-K, and (2) amend Form 20-F to require updated disclosure regarding incidents previously disclosed on Form 6-K.
Comments
A few commenters agreed that the Commission should not exempt FPIs from the proposed disclosure requirements, given they face the same threats as domestic issuers. Another commenter said the Commission should not delay compliance for FPIs, for similar reasons. On the other hand, one commenter said the proposal would disproportionately burden FPIs because, under its reading of the proposed amendment to General Instruction B, Form 6-K would require disclosure of all cybersecurity incidents, not just those that are material. The commenter went on to say that the interplay of the European Union’s Market Abuse Regulation (“MAR”) would render the proposed Form 6-K amendment particularly taxing, because MAR requires immediate announcement of non-public price sensitive information.
On MJDS filers, commenters endorsed the Commission’s determination not to propose to amend Form 40-F, maintaining that Canadian issuers eligible to use MJDS should be permitted to follow their domestic disclosure standards, consistent with other disclosure requirements for those registrants.
Final Amendments
We are adopting the Form 20-F and Form 6-K amendments as proposed, with modifications that are consistent with those being applied to Item 106 of Regulation S-K and Item 1.05 of Form 8-K. We continue to believe that FPIs’ cybersecurity incidents and risks are not any less important to investors’ capital allocation than those of domestic registrants. We also do not find that the Form 6-K amendments unduly burden FPIs. Importantly, the language the Commission proposed to add to General Instruction B (“cybersecurity incident”) of Form 6-K would be modified by the existing language “that which is material with respect to the issuer and its subsidiaries concerning.” Nonetheless, for added clarity, we are including the word “material” before “cybersecurity incident.” Thus, for a cybersecurity incident to trigger a disclosure obligation on Form 6-K, the registrant must determine that the incident is material, in addition to meeting the other criteria for required submission of the Form. Even registrants subject to the European Union’s MAR will first have developed the relevant information for foreign disclosure or publication under MAR, so any added burden for preparing and furnishing the Form 6-K should be minor. As the Commission stated in the Proposing Release, we do not find reason to adopt prescriptive cybersecurity disclosure requirements for Form 40-F filers, given that the MJDS generally permits eligible Canadian FPIs to use Canadian disclosure standards and documents to satisfy the Commission’s registration and disclosure requirements. We note that such filers are already subject to the Canadian Securities Administrators’ 2017 guidance on the disclosure of cybersecurity risks and incidents.
F. Structured Data Requirements
Proposed Amendments
The Commission proposed to mandate that registrants tag the new disclosures in Inline XBRL, including by block text tagging narrative disclosures and detail tagging quantitative amounts. The Proposing Release explained that the structured data requirements would make the disclosures more accessible to investors and other market participants and facilitate more efficient analysis. The proposed requirements would not be unduly burdensome to registrants, the release posited, because they are similar to the Inline XBRL requirements for other disclosures.
Comments
Commenters largely supported the proposal to require Inline XBRL tagging of the new disclosures, as structured data would enable automated extraction and analysis. Opposition to the requirement centered on filer burden, including an argument that, given the time-sensitive nature of the Item 1.05 Form 8-K disclosure, mandating structured data tagging would unduly add to companies’ burden in completing timely reporting.
Final Amendments
After considering comments, we are adopting the structured data requirements as proposed, with a staggered compliance date of one year. We are not persuaded that Inline XBRL tagging will unduly add to companies’ burden in preparing and filing Item 1.05 Form 8-K in a timely fashion, and we believe such incremental costs are appropriate given the significant benefits to investors. Compared to the Inline XBRL tagging companies will already be performing for their financial statements, the tagging requirements here are less extensive and complex. Inline XBRL tagging will enable automated extraction and analysis of the information required by the final rules, allowing investors and other market participants to more efficiently identify responsive disclosure, as well as perform large-scale analysis and comparison of this information across registrants. The Inline XBRL requirement will also enable automatic comparison of tagged disclosures against prior periods. If we were not to adopt the Inline XBRL requirement as suggested by some commenters, some of the benefit of the new rules would be diminished. However, we are delaying compliance with the structured data requirements for one year beyond initial compliance with the disclosure requirements. This approach should both help lessen any compliance burden and improve data.
G. Applicability to Certain Issuers
Asset-Backed Issuers
The Commission proposed to amend Form 10-K to clarify that an asset-backed issuer, as defined in 17 CFR 229.1101 (Regulation AB “Item 1101”), that does not have any executive officers or directors may omit the information required by proposed Item 106(c). The Commission noted that asset-backed issuers would likewise be exempt from proposed Item 407(j) pursuant to existing Instruction J to Form 10-K. The Commission further requested comment on whether to generally exempt asset-backed issuers from the proposed rules.
One commenter stated that the proposed rules should not apply to issuers of asset-backed securities, given that they are limited purpose or passive special purpose vehicles with limited activities, no operations or businesses, and no information systems. The commenter also opposed applying the proposed rules to other transaction parties (such as the sponsor, servicer, originator, and trustee), because such parties are neither issuers of nor obligors on an asset-backed security, and “it is extraordinarily unlikely that a transaction party’s financial performance or position would be impacted by a cybersecurity incident to such an extent as to impede its ability to perform its duties and responsibilities to the securitization transaction.” The commenter acknowledged that cybersecurity disclosure rules may make sense for servicers of asset-backed securities, but counseled that any new rules should be tailored to such entities, rather than applying the proposed rules.
We are exempting asset-backed securities issuers from the final rules. We agree with the commenter that the final rules would not result in meaningful disclosure by asset-backed issuers. In particular, we are persuaded by the fact that asset-backed issuers are typically special purpose vehicles whose activities are limited to receiving or purchasing, and transferring or selling, assets to an issuing entity and, accordingly, do not own or use information systems, whereas the final rules are premised on an issuer’s ownership or use of information systems. To the extent that a servicer or other party to an asset-backed security transaction is a public company, it will be required to comply with the final rules with respect to information systems it owns or uses. Therefore, an investor in an asset-backed security who wants to assess the cybersecurity of transaction parties will be able to do so for those that are public companies. The Commission may consider cybersecurity disclosure rules specific to asset-backed securities at a later date.
Smaller Reporting Companies
In the Proposing Release, the Commission did not include an exemption or alternative compliance dates or transition accommodations for smaller reporting companies, but it did request comment on whether to do so. The Commission noted that smaller companies may face equal or greater cybersecurity risk than larger companies, such that cybersecurity disclosures may be particularly important for their investors.
A few commenters advocated an exemption for smaller reporting companies, asserting that they face outsized costs from the proposal and lower cybersecurity risk. And some commenters called for a longer compliance phase-in period for smaller reporting companies, to help them mitigate their cost burdens and benefit from the compliance and disclosure experience of larger companies. Other commenters opposed an exemption for smaller reporting companies, in part because they may face equal or greater cybersecurity risk than larger companies, or because investors’ relative share in a smaller company may be higher, such that small companies’ cybersecurity risk “may actually embody the most pressing cybersecurity risk to an investor.”
Consistent with the proposal, we decline to exempt smaller reporting companies. We believe the streamlined requirements of the final rules will help reduce some of the costs associated with the proposal for all registrants, including smaller reporting companies. Also, we do not believe that an additional compliance period is needed for smaller reporting companies with respect to Item 106, as this information is factual in nature regarding a registrant’s existing cybersecurity strategy, risk management, and governance, and so should be readily available to those companies to assess for purposes of preparing disclosure. Finally, given the significant cybersecurity risks smaller reporting companies face and the outsized impacts that cybersecurity incidents may have on their businesses, their investors need access to timely disclosure on material cybersecurity incidents and the material aspects of their cybersecurity risk management and governance. However, we agree with commenters that stated smaller reporting companies would likely benefit from additional time to comply with the incident disclosure requirements.
Accordingly, as discussed below, we are providing smaller reporting companies an additional 180 days from the non-smaller reporting company compliance date before they must begin complying with Item 1.05 of Form 8-K.
H. Need for New Rules and Commission Authority
Some commenters argued that the 2011 Staff Guidance and 2018 Interpretive Release are sufficient to compel adequate cybersecurity disclosure, obviating the need for new rules. In this regard, two commenters highlighted the Proposing Release’s statement that cybersecurity disclosures “have improved since the issuance of the 2011 Staff Guidance and the 2018 Interpretive Release.” Another commenter said that Commission staff’s findings that certain cybersecurity incidents were reported in the media but not disclosed in a registrant’s filings and that registrants’ disclosures provide different levels of specificity suggested that “existing guidance is working, because each registrant should always be conducting an individualized, case-by-case analysis” and therefore disclosures “should expectedly vary significantly.” One commenter questioned whether the materials cited in the Proposing Release support the Commission’s conclusion there that current cybersecurity reporting may be inconsistent, not timely, difficult to locate, and contain insufficient detail. Two commenters recommended that the Commission “reemphasize” the prior guidance and “utilize its enforcement powers to ensure public companies continue to report material cyber incidents.” One commenter provided the results from a survey it conducted of its members, finding that “only 10-20% of the 192 respondents reported that their shareholders have requested information or asked a question on” various cybersecurity topics, while “64.3% of the respondents indicated that their investors had not engaged with them” on those topics. Another commenter pointed to a 2022 study finding that less than 1% of cybersecurity breaches are “material,” and asserted that current disclosures adequately reflect such a level of material breaches. Some commenters also stated that the Commission should forgo regulation of cybersecurity disclosure because other agencies’ regulations are sufficient.
Other commenters, by contrast, stated that the 2011 Staff Guidance and the 2018 Interpretive Release, while helpful, have not been sufficient to provide investors with the material information they need. One such commenter explained that “[t]he Commission’s past guidance, while in line with our views, does not go far enough. The Proposed Rule is needed to provide clarity regarding what, when, and how to disclose material cybersecurity incident information . . . The improved standardization of disclosures included in the Proposed Rule adds clarity to the reporting process.” Another commenter stated that “the lack of timely comprehensive disclosure of material cyber events exposes investors and the community at large to potential harm.”
As the Commission explained in the Proposing Release, Commission staff has observed insufficient and inconsistent cybersecurity disclosure notwithstanding the prior guidance.
Here, in response to commenters, we emphasize that the final rules supplement the prior guidance but do not replace it. The final rules are aimed at remedying the lack of material cybersecurity incident disclosure, and the scattered, varying nature of cybersecurity strategy, risk management, and governance disclosure, the need for which some commenters confirmed. The final rules therefore add an affirmative cybersecurity incident disclosure obligation, and they centralize cybersecurity risk management, strategy, and governance disclosure. While we acknowledge commenters who noted the improvements to certain cybersecurity-related disclosures in response to the 2018 Interpretive Release, and we agree there have been improvements in the areas that the guidance touched upon, we note that the guidance does not mandate consistent or comparable public disclosure of material incidents or otherwise address the topics that are the subject of the final rules. And in response to commenters who suggested that other agencies’ rules on cybersecurity reporting are sufficient, we note that, unlike the final rules, such rules are not tailored to the informational needs of investors; instead, they focus on the needs of regulators, customers, and individuals whose data have been breached. Accordingly, we believe the final rules are necessary and appropriate in the public interest and for the protection of investors, consistent with the Commission’s authority.
We also note that the 2018 Interpretive Release remains in place, as it treats a number of topics not covered by the new rules. Those topics include, for instance, incorporating cybersecurity-related information into risk factor disclosure under Regulation S-K Item 105, into management’s discussion and analysis under Regulation S-K Item 303, into the description of business disclosure under Regulation S-K Item 101, and, if there is a relevant legal proceeding, into the Regulation S-K Item 103 disclosure. The 2018 Interpretive Release also notes the Commission’s expectation that, consistent with Regulation S-X, a company’s financial reporting and control systems should be designed to provide reasonable assurance that information about the range and magnitude of the financial impacts of a cybersecurity incident would be incorporated into its financial statements on a timely basis as that information becomes available.
With respect to the Commission’s authority to adopt the final rules, some commenters asserted that the Commission does not have the authority to regulate cybersecurity disclosure. These commenters argued that the Proposing Release did not adequately explain which statutory provisions the Commission was relying on to propose the disclosure requirements, that the statutory provisions the Commission did identify do not provide a legal basis to require the proposed disclosures, that the release did not show the requirements were necessary or appropriate to achieve statutory goals, and that the requirements implicate the major questions doctrine and non-delegation principles. Additionally, one commenter stated that “Congress intended that [CIRCIA] be the primary means for reporting of cyber incidents to the federal government.”
We disagree. Disclosure to investors is a central pillar of the Federal securities laws. The Securities Act of 1933 “was designed to provide investors with full disclosure of material information concerning public offerings of securities.” In addition, the Securities Exchange Act of 1934 imposes “regular reporting requirements on companies whose stock is listed on national securities exchanges.” Together, the provisions of the Federal securities laws mandating release of information to the market—and authorizing the Commission to require additional disclosures—have prompted the Supreme Court to “repeatedly” describe “the fundamental purpose” of the securities laws as substituting “a philosophy of full disclosure for the philosophy of caveat emptor.” This bedrock principle of “[d]isclosure, and not paternalistic withholding of accurate information, is the policy chosen and expressed by Congress.” Moreover, “underlying the adoption of extensive disclosure requirements was a legislative philosophy: ‘There cannot be honest markets without honest publicity. Manipulation and dishonest practices of the market place thrive upon mystery and secrecy.’”
Several provisions of the Federal securities laws empower the Commission to carry out these fundamental Congressional objectives. Under the Securities Act, the Commission has authority to require, in a publicly filed registration statement, that issuers offering and selling securities in the U.S. public capital markets include information specified in Schedule A of the Act, including the general character of the issuer’s business, the remuneration paid to its officers and directors, details of its material contracts and certain financial information, as well as “such other information . . . as the Commission may by rules or regulations require as being necessary or appropriate in the public interest or for the protection of investors.” In addition, under the Exchange Act, issuers of securities traded on a national securities exchange or that otherwise have total assets and shareholders of record that exceed certain thresholds must register those securities with the Commission by filing a registration statement containing “[s]uch information, in such detail, as to the issuer” in respect of, among other things, “the organization, financial structure and nature of the [issuer’s] business” as the Commission by rule or regulation determines to be in the public interest or for the protection of investors. These same issuers must also provide “such information and documents . . . as the Commission shall require to keep reasonably current the information and documents required to be included in or filed with a registration statement” as the Commission may prescribe as necessary or appropriate for the proper protection of investors and to insure fair dealing in the security. Separately, these issuers also must disclose “on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the issuer . . . as the Commission determines, by rule, is necessary or useful for the protection of investors and in the public interest.”
These grants of authority are intentionally broad. Congress designed them to give the Commission, which regulates dynamic aspects of a market economy, the power and “flexibility” to address problems of inadequate disclosure as they arose. As the United States Court of Appeals for the District of Columbia Circuit explained, “[r]ather than casting disclosure rules in stone, Congress opted to rely on the discretion and expertise of the SEC for a determination of what types of additional disclosure would be desirable.”
The Commission has long relied on the broad authority in these and other statutory provisions to prescribe rules to ensure that the public company disclosure regime provides investors with the information they need to make informed investment and voting decisions, in each case as necessary or appropriate in the public interest or for the protection of investors. Indeed, the Commission’s predecessor agency, immediately upon enactment of the Securities Act, relied upon such authority to adopt Form A-1, precursor to today’s Form S-1 registration statement, to require disclosure of information including, for example, a list of states where the issuer owned property and was qualified to do business and the length of time the registrant had been engaged in its business—topics that are not specifically enumerated in Schedule A of the Securities Act. Form A-1 also required disclosures related to legal proceedings, though there is no direct corollary in Schedule A.
Consistent with the statutory scheme that Congress enacted, the Commission has continued to amend its disclosure requirements over time in order to respond to marketplace developments and investor needs. Accordingly, over the last 90 years, the Commission has eliminated certain disclosure items and adopted others pursuant to the authority in Sections 7 and 19(a) of the Securities Act and Sections 3(b), 12, 13, 15, and 23(a) of the Exchange Act. Those amendments include the adoption of an integrated disclosure system in 1982, which reconciled the various disclosure items under the Securities Act and the Exchange Act and was intended to ensure that “investors and the marketplace have been provided with meaningful, nonduplicative information upon which to base investment decisions.”
In keeping with Congressional intent, the Commission’s use of its authority has frequently focused on requiring disclosures that will give investors enhanced information about risks facing registrants. For example, in 1980, the Commission adopted Item 303 of Regulation S-K to require registrants to include in registration statements and annual reports a management’s discussion and analysis of financial condition (“MD&A”). This discussion is intended to allow investors to understand the registrant’s “financial condition, changes in its financial condition and results of operation” through the eyes of management. Item 303 includes a number of specific disclosure items, such as requiring the identification of any known trends or uncertainties that will result in, or that are reasonably likely to result in, a material change to the registrant’s liquidity, a material change in the mix and relative cost of the registrant’s capital resources, or a material impact on net sales, revenues, or income from continuing operations. Item 303 also requires registrants to “provide such other information that the registrant believes to be necessary to an understanding of its financial condition, changes in financial condition, and results of operation.” The Commission developed the MD&A disclosure requirements to supplement and provide context to the financial statement disclosures previously required by the Commission.
A few years later, in 1982, the Commission codified a requirement that dated back to the 1940s for registrants to include a “discussion of the material factors that make an investment in the registrant or offering speculative or risky,” commonly referred to as “risk factors.” By definition, these disclosures encompass a discussion of risks, or prospective future events or losses, that might affect a registrant or investment. The initial risk factor disclosure item provided examples of possible risk factors, such as the absence of an operating history of the registrant, an absence of profitable operations in recent periods, the nature of the business in which the registrant is engaged or proposes to engage, or the absence of a previous market for the registrant’s common equity.
In subsequent years, the Commission expanded both the scope of risks about which registrants must provide disclosures and the granularity of those disclosures. For example, in 1997, the Commission first required registrants to disclose quantitative information about market risk. That market risk disclosure included requirements to present “separate quantitative information . . . to the extent material” for different categories of market risk, such as “interest rate risk, foreign currency exchange rate risk, commodity price risk, and other relevant market risks, such as equity price risk.” Under these market risk requirements, registrants must also disclose various metrics such as “value at risk” and “sensitivity analysis disclosures.” In addition, registrants must provide certain qualitative disclosures about market risk, to the extent material.
Each of these disclosure items reflects the Commission’s long-standing view that understanding the material risks faced by a registrant and how the registrant manages those risks can be just as important to assessing its business operations and financial condition as knowledge about its physical assets or material contracts. Indeed, investors may be unable to assess the value of those assets or contracts adequately without appreciating the material risks to which they are subject.
In addition to risk-focused disclosures, over the decades, the Commission has also required registrants to provide information on a diverse range of topics that emerged as significant to investment or voting decisions, such as the extent of the board’s role in the risk oversight of the registrant, the effectiveness of a registrant’s disclosure controls and procedures, related-party transactions, corporate governance, and compensation discussion and analysis, among many other topics, including on topics related to particular industries, offering structures, and types of transactions. In all these instances, the Commission’s exercise of its authority was guided by the baseline of the specific disclosures articulated by Congress. But, as Congress expressly authorized, the Commission’s exercise of its disclosure authority has not been narrowly limited to those statutorily prescribed disclosures—instead, it has been informed by both those disclosures and the need to protect investors. Many of these disclosures have since become essential elements of the public company reporting regime that Congress established.
To ensure the transparency that Congress intended when it authorized the Commission to promulgate disclosure regulations in the public interest or to protect investors, the Commission’s regulations must—as they have over time—be updated to account for changing market conditions, new technologies, new transaction structures, and emergent risks. In this regard, we disagree with one commenter’s assertion that the Commission’s disclosure authority is “limited to specific types of information closely related to the disclosing company’s value and financial condition.” The commenter misstates the scope and nature of the Commission’s authority. There is a wealth of information about a company apart from that which appears in the financial statements that is related to a company’s value and financial condition, including the material risks (cybersecurity and otherwise) a company faces. Nor did Congress dictate that the Commission limit disclosures only to information that is “closely related” to a company’s “value and financial condition.” By also empowering the Commission to require “such other information . . . as the Commission may by rules or regulations require as being necessary or appropriate in the public interest or for the protection of investors,” Congress recognized that there is information that is vital for investors to understand in making informed investment decisions but does not directly relate to a company’s value and financial condition.
The narrow reading of the Commission’s authority advocated by the commenter would foreclose many of these longstanding elements of disclosure that market participants have come to rely upon for investor protection and fair dealing of securities. Moreover, Congress itself has amended, or required the Commission to amend, the Federal securities laws many times. But Congress has not restricted the Commission’s disclosure authority; rather, Congress has typically sought to further expand and supplement that authority with additional mandated disclosures.
We also reject the commenter’s suggestion that the final rules are an attempt to “usurp the undelegated role of maintaining cyber safety in America.” The final rules are indifferent as to whether and to what degree a registrant may have identified and chosen to manage a cybersecurity risk. Rather, the final rules reflect the reality, as acknowledged by the same commenter, that “cybersecurity is . . . an area of growing importance to companies across the world.” When those companies seek to raise capital from investors in U.S. public markets, we believe it is appropriate that they share information about whether and, if so, how they are managing material cybersecurity risks so that investors can make informed investment and voting decisions consistent with their risk tolerance and investment objectives.
Finally, with respect to the commenter’s contention that a broad reading of the Commission’s disclosure authority could raise separation of powers concerns, we note that a statutory delegation is constitutional as long as Congress lays down by legislative act an intelligible principle to which the person or body authorized to exercise the delegated authority is directed to conform. In this instance, Congress has required that any new disclosure requirements be “necessary or appropriate in the public interest or for the protection of investors,” which has guided the Commission’s rulemaking authority for nearly a century. We therefore believe that the final rules are fully consistent with constitutional principles regarding separation of powers.
I. Compliance Dates
The final rules are effective [INSERT DATE 30 DAYS AFTER DATE OF PUBLICATION IN THE FEDERAL REGISTER]. With respect to Item 106 of Regulation S-K, all registrants must provide such disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023. With respect to compliance with the incident disclosure requirements in Item 1.05 of Form 8-K and in Form 6-K, all registrants other than smaller reporting companies must begin complying on [INSERT DATE 90 DAYS AFTER DATE OF PUBLICATION IN THE FEDERAL REGISTER OR DECEMBER 18, 2023, WHICHEVER IS LATER]. As discussed above, smaller reporting companies are being given an additional 180 days from the non-smaller reporting company compliance date before they must begin complying with Item 1.05 of Form 8-K, on [INSERT DATE 270 DAYS AFTER DATE OF PUBLICATION IN THE FEDERAL REGISTER OR JUNE 15, 2024, WHICHEVER IS LATER].
With respect to compliance with the structured data requirements, as noted above, all registrants must tag disclosures required under the final rules in Inline XBRL beginning one year after the initial compliance date for any issuer for the related disclosure requirement. Specifically:
- For Item 106 of Regulation S-K, all registrants must begin tagging responsive disclosure in Inline XBRL beginning with annual reports for fiscal years ending on or after December 15, 2024; and
- For Item 1.05 of Form 8-K and Form 6-K all registrants must begin tagging responsive disclosure in Inline XBRL beginning on [INSERT DATE 465 DAYS AFTER DATE OF PUBLICATION IN THE FEDERAL REGISTER OR DECEMBER 18, 2024, WHICHEVER IS LATER].