Harming Investors and Helping Hackers: Statement on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
Thank you, Chair Gensler. Although better than the proposal, this final cybersecurity disclosure rule continues to ignore both the limits to the SEC’s disclosure authority and the best interests of investors. Moreover, the Commission has failed to explain why we need this rule. Accordingly, I dissent.
Cyber risk and the attendant disclosure obligations have been front-and-center for public companies for a long time, and the SEC has underscored the importance of cyber disclosures. In 2011, “the Division of Corporation Finance issued interpretive guidance providing [its] views concerning operating companies’ disclosure obligations relating to cybersecurity.”[1] In 2018, the Commission issued interpretive guidance to assist public companies in fulfilling their obligation to “take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”[2] When companies fail to make the required disclosures about cyber risks or inform investors of a cyber incident in a timely manner, the Commission can bring an enforcement action based on existing disclosure obligations.[3] We do not need additional regulations. However, I could have supported a cyber rule designed to guide public companies in their obligation to disclose material cyber risks and material cyber incidents in a way that would be net-beneficial to investors. Today’s rule, by contrast, reads like a test run for future overly prescriptive, overly costly disclosure rules covering a never-ending list of hot topics.
Expansive authority
The Commission’s expansive view of its authority manifests in at least three ways in this release. First, the Commission rejects financial materiality as the touchstone for its disclosures,[4] and fails to offer in its place a meaningful intelligible limit to its disclosure authority.[5] The release explains that Congress gave “the Commission, which regulates dynamic aspects of a market economy,” “intentionally broad” authority to require disclosures on a wide range of matters, even ones that do “not directly relate to a company’s value and financial condition.”[6] “[A]ny new disclosure requirements [need only] be ‘necessary or appropriate in the public interest or for the protection of investors.’”[7] While it is true that we can take actions in the public interest and for the protection of investors, those actions need to relate to our core mission. The release prescribes granular disclosures, which seem designed to better meet the needs of would-be hackers rather than investors’ need for financially material information.[8] The new rule, for example, requires disclosure of detailed information about issuers’ cyber risk management processes and governance and relevant personnel.[9]
Second, the SEC’s potentially non-material risk management and governance disclosures veer into managing companies’ cyber defenses; the new rule looks like a compliance checklist for handling cyber risk, a checklist the SEC is not qualified to write.[10] The Commission proclaims its “indifference” to companies’ cyber practices,[11] and the final rule is slimmer in detail than the proposed rule. Nevertheless, even these pared back disclosures may serve to drive companies to spend resources on compliance with our rules and conformity with other companies’ disclosed practices, instead of on combatting cyber threats as they see fit.[12] Once the SEC can peer into how all public companies handle cybersecurity, the temptation to micromanage their operations will only grow.[13]
Third, the Commission’s expansive view of its authority is reflected in its overly narrow law enforcement exception and general refusal to take into account other cyber disclosure laws. As you have heard, the rules require issuers to file an 8-K to report cybersecurity incidents within four business days after the registrant determines that it has experienced a material cybersecurity incident. The narrow law enforcement exception to the four-day reporting requirement is available only if there is a “substantial risk to national security or public safety” and only with the approval of the U.S. Attorney General.[14] Obtaining approval within four days will be quite a feat.[15] Even if the issuer succeeds, it only gets a thirty-day reprieve from disclosing the incident. The rule makes extensions difficult beyond the initial thirty days.[16] The release dismisses other potential conflicts between the SEC’s new 8-K regime and other state and federal laws by assuming SEC rules take precedence. The final rules make a Federal Communications Commission-related exception to disclosure,[17] but no similar exception applies for breaches of private health information.[18] While the Commission’s responsibility is to ensure that investors receive timely, material information, it sometimes has to defer to other government agencies with overarching mandates to protect national security, public safety, and critical infrastructure.[19]
Harming Investors
Although citing investor protection as its intent,[20] the Commission exhibits little concern for the costs its new rules will impose on investors. A flexible, principles-based approach that allows for disclosures tailored to the issuer making them would be a better way to protect investors. The Commission admits that it is “generally unable to quantify costs related to the final rules due to a lack of data,” including the cost associated with the possibility of increased cyber vulnerabilities because of the disclosures, the cost of preparing disclosures, and how those costs would vary across companies.[21] The release nevertheless dismisses one concrete aggregate cost estimate, up to $523 million in initial costs and $308 million annually thereafter, as “significantly overstat[ing] the costs of the final rules.”[22] Even if the commenter’s estimate is too high because the rule has been pared back from the proposal, the direct costs of disclosure are likely to be higher than the Commission’s estimated costs, such as the aggregate annual $16 million in professional costs for all affected filers.[23] Costs likely will be disproportionately high (and the benefits may be disproportionately low)[24] for investors in small public companies,[25] for which the Commission has provided only one accommodation: an extra 180 days to comply with the 8-K requirement.[26] The Commission’s compliance timelines are aggressive even for large companies. The S-K disclosures will be required for annual reports for fiscal years ending on or after December 15, 2023, and the 8-K requirements come into force by December 18, 2023.[27] Companies will have only months to align their internal disclosure processes with the new incident reporting requirements. Companies will be expected to make S-K disclosures based on what they are doing this year. Particularly because these disclosures may make companies vulnerable to attack, affording them so little time to plan those disclosures and take steps to mitigate any adverse consequences seems unwise.
A greater concern than direct compliance costs is the potential for the rule to aid cyber criminals. The strategy and governance disclosures risk handing them a roadmap on which companies to target and how to attack them.[28] The 8-K disclosures, which are unprecedented in nature,[29] could then tell successful attackers when the company finds out about the attack, what the company knows about it, and what the financial fallout is likely to be (i.e., how much ransom the attacker can get).[30] The requirement to file an amended 8-K when new information comes in will provide the attacker regular updates on the company’s progress.[31] The 8-K disclosures also will signal to other would-be attackers an opportune time to attack.[32] The careful drafting necessary to avert some of these problems will be difficult in the four-day filing timeframe.[33] The release at least acknowledges these possible adverse consequences of the new disclosures.[34]
Even as the new disclosures tip off informed cyber criminals, they might mislead otherwise uninformed investors without first-hand knowledge of cyber attacking. The fast timeline for disclosing cyber incidents could lead to disclosures that are “tentative and unclear, resulting in false positives and mispricing in the market.”[35] The release admits that sometimes a company may not know much more about an incident than that it was material, as commenters highlighted.[36] Investors could overreact to these necessarily vague disclosures, even though a complete assessment would have sparked less concern.[37] Companies may also disclose an incident that is or proves to be non-material,[38] for fear of later SEC admonishment, particularly given the SEC’s warning to companies to err on the side of more disclosure.[39]
While I am not able to vote for this rule, I am thankful to staff across the Commission for their hard work on this release and for talking me through the issues it raises. Their work is always excellent. Among others, I want to thank Mika Morse in the Chair’s office, Luna Bloom and her team in the Division of Corporation Finance, the Division of Economic and Risk Analysis, the Office of General Counsel, and others throughout the Commission.
I do have several questions:
- What assurances do you have that the Attorney General will be able to act in the timeframe we established?
- As one commenter stated: “In the hours and days following a cybersecurity breach, companies must quickly and efficiently contain, minimize, and remedy any damage or loss resulting from the breach. Each of these measures must happen as soon as possible after a breach occurs and with the full attention of the registrant’s resources and management—especially those devoted to cybersecurity. The . . . requirement to publicly report the incident while these actions are ongoing will disrupt these crucial response measures.”[40] Are you concerned that companies in the midst of a cyber-attack will be hindered in their ability to respond by having to alert the attacker about what they know about the attack?
- Are you concerned that the short preparation time for the Form 8-K could result in investors receiving information that is inaccurate?
- The rule defines “cybersecurity incident” to include “an unauthorized occurrence, or a series of related unauthorized occurrences.”[41] This language replaces the proposed problematic requirement to aggregate immaterial cybersecurity incidents.[42]
- Will companies, under this new approach, nevertheless have to develop new costly systems to track immaterial events?
- The Commission leaves “related” undefined. How would you explain that term to a company trying to figure out whether to aggregate occurrences for purposes of figuring out whether to file an 8-K?
- “Cybersecurity incident” is defined to include anything that “jeopardizes” information systems. Under this definition, a cybersecurity incident could occur whenever information is merely at risk even if not actually stolen. Won’t companies have difficulty tracking cybersecurity incidents, so broadly defined?
- The Small Business Administration wrote us a letter recommending that we publish a Supplemental Initial Regulatory Flexibility Analysis because the one in the proposing release “lacks essential information,” including which small entities would be affected and adequate consideration of alternatives.[43] Why didn’t we publish a supplemental IRFA?
- One commenter argued that the rules could make companies less nimble in updating cyber policies and procedures because they would have to simultaneously change their regulatory filing.[44] Is this a concern?
- The timelines set forth in the release for coming into compliance with these rules are aggressive. At least one commenter suggested a two-year compliance period, but we are requiring same-year compliance.[45] How is that reasonable?
[1] Release at 5 (citing CF Disclosure Guidance: Topic No. 2—Cybersecurity (Oct. 13, 2011), https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm).
[2] Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release No. 33-10459 (Feb. 21, 2018), https://www.sec.gov/rules/interp/2018/33-10459.pdf.
[3] See, e.g., In the Matter of Altaba Inc., Release No. 33-10485 (Apr. 24, 2018), available at http://www.sec.gov/litigation/admin/2018/33-10485.pdf.
[4] Materiality hinges on there being a substantial likelihood that a reasonable investor—i.e., one focused on financial returns—would consider the information important in making an investment decision. See, e.g., TSC Indus., Inc. v. Northway, Inc., 426 U.S. 438, 449 (1976).
[5] As one commenter pointed out, this failure could raise separation of powers concerns. See Comment Letter from National Retail Federation at 8-9 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128322-291085.pdf (suggesting “serious concerns” that the Securities Act and Exchange Act violate the non-delegation doctrine if the Acts “delegate[] limitless authority for the SEC to require public disclosures on any topic it deems in the ‘public interest’ or as ‘protecting investors.’”).
[6] Release at 100, 107 (citations omitted). See also id. at 101 (“The Commission has long relied on the broad authority in these and other statutory provisions to prescribe rules to ensure that the public company disclosure regime provides investors with the information they need to make informed investment and voting decisions, in each case as necessary or appropriate in the public interest or for the protection of investors.”) (citations omitted).
[7] Release at text accompanying n.407.
[8] See, e.g., 17 CFR §229.106(c)(2)(i) (requiring companies to disclose the “relevant expertise” of persons who manage cybersecurity risk “in such detail as necessary to fully describe the nature of the expertise.”); 17 CFR §229.106(c)(2)(ii) (requiring companies to disclose “[t]he processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents”); Form 8-K, Item 1.05 (requiring a company that “experiences a cybersecurity incident that is determined by the registrant to be material, [to] describe the material aspects” of the cybersecurity incident within four business days of the materiality determination).
[9] In addition to the items listed in supra note 8, companies must disclose “processes, if any, for assessing, identifying, and managing material risks . . . in sufficient detail for a reasonable investor to understand those processes.” 17 CFR §229.106(b)(1). Further, companies must disclose their use of “assessors, consultants, auditors, or other third parties,” and processes for monitoring threats from “third-party service provider[s].” 17 CFR §229.106(b)(1). Companies also must disclose how cybersecurity threats have materially changed how they run the company and how both their board and management handle cybersecurity threats. 17 CFR §229.106(b)(2), (c)(1), and (c)(2). Companies must further identify management positions or committees that handle cybersecurity and how they keep a company’s board informed. 17 CFR §229.106(c)(2).
[10] See Comment Letter from U.S. Chamber of Commerce (“Chamber”) at 26 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128398-291304.pdf (“According to some government officials and industry professionals, the proposed rule’s governance disclosure requirements ‘embody an unprecedented micromanagement’ by the SEC pertaining to the composition and functioning of both the management and the boards of companies. . . . It is hard to avoid the conclusion that the Commission is trying to stipulate that companies take specific cybersecurity actions. The SEC should not use its disclosure rules to prescriptively influence company activity in this regard; nor should it overstep its disclosure authority. The Commission would be granting itself additional authority to push companies on how they should operate their cybersecurity programs. The Commission should not require disclosures designed to unduly influence company behavior where it does not have such expertise.”).
[11] Release at 107 (“The final rules are indifferent as to whether and to what degree a registrant may have identified and chosen to manage a cybersecurity risk.”).
[12] See Comment Letter from NYSE Group, Inc. at 2 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128356-291125.pdf (“[M]any public companies have already developed robust cybersecurity policies and procedures that enable them to manage risks unique to their businesses and make required disclosures consistent with previous Commission guidance. The NYSE is concerned that the Proposal’s disclosure requirements could result in the creation of de facto minimum standards that . . . constrain management’s ability to address cybersecurity risks in a manner most suitable for their business. . . . [For example w]hen formulating a cybersecurity risk management plan, the Exchange worries that the prescriptive requirements of proposed Item 106 may lead to corporate decision making that is driven in greater part by a desire to fit within perceived norms than by what makes sense organizationally.”); Comment Letter from Dr. Jayanthi Sunder, Dr. Isabel Wang, Dr. John Jiang, and Dr. Musaib Ashraf, The University of Arizona and Michigan State University at 3 (May 8, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128266-290115.pdf (“Ashraf (2021) studies how greater SEC guidance on cybersecurity risk factors impacts the structure of these risk factor disclosures. He documents herding behavior: after the SEC’s 2011 cyber risk disclosure guidance, firms issued less unique cybersecurity risk factors and started issuing risk factors that more closely match the wording of the SEC’s 2011 guidance. He also finds that shareholders find more unique (not boilerplate) cybersecurity risk factor disclosures to be more informative. . . . If the SEC issues further guidance on how firms should disclose cybersecurity risk factors, the findings of Ashraf (2021) suggests that firms will herd towards what the firms think the SEC wants them to disclose rather than disclosing risk factors that appropriately represent a firm’s cybersecurity risk.”) (citing https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3807487); see also Comment Letter from SIFMA at 7 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128347-291108.pdf (“[R]equiring excessive or specified granular detail could make for misleading or unhelpful boilerplate.”); Comment Letter from Jerry Perullo at 11 (May 4, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20127883-289397.pdf (“[F]orcing [smaller firms] to implement policies [by requiring the disclosure items under Item 106] is likely to drive them into downloading reams of boilerplate policy that is not reflective of culture and practices.”) (emphasis omitted).
[13] For example, in the recent Activision Blizzard Inc. settlement, the SEC leveraged the Exchange Act’s requirement to have “disclosure controls and procedures” to criticize a company for its poor response to workplace misconduct. See https://www.sec.gov/news/statement/peirce-statement-activision-blizzard-020323.
[14] Other local or federal agencies might have a greater interest in non-disclosure. The charge of the Cybersecurity and Infrastructure Security Agency (“CISA”), for example, is to “understand, manage, and reduce risk to our cyber and physical infrastructure” and “defend and secure cyberspace by leading national efforts to drive and enable effective national cyber defense, resilience of national critical functions, and a robust technology ecosystem.” https://www.cisa.gov/about. See also Comment Letter from Bank Policy Institute et al. (“BPI et al.”) at 13 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128336-291093.pdf (“[W]e believe the Proposed Rules should provide for delayed disclosure at the request of CISA in limited circumstances to support CISA’s critical responsibility to ‘coordinate[] the execution of our national cyber defense, lead[] asset response for significant cyber incidents and ensure[] that timely and actionable information is shared across federal and non-federal and private sector partners.’”) (quoting Cybersecurity & Infrastructure Security Agency, About CISA, https://web.archive.org/web/20220510182532/https://www.cisa.gov/about-cisa).
[15] See Comment Letter from Society for Corporate Governance at 10 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20129132-295036.pdf (“Given the four-business day Form 8-K deadline after determining materiality, we believe it would be impossible to obtain such a written national security determination from the Attorney General or other high-level agency officials in advance of that deadline.”).
[16] The final rules allow an initial delay of thirty days, followed by a possible thirty-day extension, and then, only in “extraordinary circumstances,” another sixty-day delay. Form 8-K, Item 1.05(c). Additional extensions require a Commission exemptive order.
[17] Form 8-K, Item 1.05(d).
[18] The Health Insurance Portability and Accountability Act (“HIPAA”) requires breached companies to delay notifying affected individuals and media upon the written request of “a law enforcement official” for a period specified by the official. 45 CFR § 164.412. The SEC’s law enforcement exception differs with respect to the length of the reporting delay, which type of law enforcement official can authorize a delay, and the permissible grounds for delay. The Commission argues that the HIPAA notifications focus on affected individuals and the media, not investors. See Release at 44-45. An 8-K disclosure, of course, could have the effect of informing individuals and the media of a breach. One purpose of a law enforcement exception is to give law enforcement the time and space to identify those behind the breach, which could be undermined by the 8-K filing. See also Comment Letter from Confidentiality Coalition at 2 (May 5, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128294-291029.pdf (“HIPAA allows for a reporting delay if a law enforcement official indicates that a notification, notice, or posting required under HIPAA would impede a criminal investigation or result in harm to national security. Here, the proposed rule fails to provide any reporting delay when there is an ongoing investigation of a cybersecurity incident. Failing to recognize a delay for notification by law enforcement will undermine HIPAA, and increase risk to the registrant, the overall healthcare industry, impacted individuals, state and/or federal investigations, and national security.”).
[19] Congress recently passed the Cyber Incident Reporting for Critical Infrastructure (“CIRCIA”) Act, which requires a “critical infrastructure” company to report to CISA any “substantial cyber incident” within 72 hours after it “reasonably believes that the covered cyber incident has occurred.” Cyber Incident Reporting for Critical Infrastructure Act of the 2022 Consolidated Appropriations Act, Pub. L. No. 117-103, div. Y, https://www.congress.gov/bill/117th-congress/house-bill/2471/text. CISA then distributes threat information to relevant parties. 6 U.S.C. § 681e(a)(2)(A). An 8-K filing could interfere with CISA’s ability to control how, when, and to whom the information is conveyed and thus undermine CISA’s “ability to coordinate and disseminate threat indicators and defensive measures in time for others to act on the information.” Letter from BPI et al. at 13. CIRCIA included a “cyber incident reporting council [of which the SEC is a member] ‘to coordinate, deconflict, and harmonize Federal incident reporting requirements . . . .’” Cyber Incident Reporting for Critical Infrastructure Act § 2246(a). (“The Secretary shall lead an intergovernmental Cyber Incident Reporting Council, in consultation with the Director of the Office of Management and Budget, the Attorney General, the National Cyber Director, Sector Risk Management Agencies, and other appropriate Federal agencies, to coordinate, deconflict, and harmonize Federal incident reporting requirements, including those issued through regulations.”). Rather than harmonizing with CISA, the agency with a statutorily mandated rulemaking process, the SEC is barreling ahead without a congressional mandate for its compressed rulemaking timeline.
[20] See, e.g., Release at 13 (“Overall, we remain persuaded that, as detailed in the Proposing Release: under-disclosure regarding cybersecurity persists despite the Commission’s prior guidance; investors need more timely and consistent cybersecurity disclosure to make informed investment decisions; and recent legislative and regulatory developments elsewhere in the Federal government . . . will not effectuate the level of public cybersecurity disclosure needed by investors in public companies.”) (emphasis added).
[21] Release at 140.
[22] Letter from Chamber at 8 (“[T]otal initial yearly costs [likely could be] $317.5M to $523.4M ($38,690 to $69,151 per regulated company), and future annual costs of $184.8M to $308.1M ($22,300 to $37,500 per company) . . . .”).
[23] Release at 157, PRA Table 3.
[24] Comment Letter from Biotechnology Innovation Organization (“BIO”) at 14 (May 5, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128401-291312.pdf (“[S]mall companies are seldom targets of cybercriminals but will see the most severe direct and indirect costs associated with complying with the rule and increases in their costs of capital.”).
[25] Release at 144 (“The compliance costs of the final rules could be disproportionately burdensome to smaller registrants, as some of these costs may have a fixed component that does not scale with the size of the registrant. Also, smaller registrants may have fewer resources with which to implement these changes.”) (citations omitted). See also Letter from BIO at 14 (“The median employee count for BIO’s members is 19. This includes executives and R&D personnel, such as researchers and lab technicians. These small biotechnology companies do not have the capacity, nor the business need, to have institutional structures related to the management, planning, oversight, and maintenance of cybersecurity related systems and suppliers. These companies should not have to hire extra employees specifically for the purposes of implementing cybersecurity related programs when their main focus for raising capital is to advance research and development of products whose intellectual property is easily searchable in patent libraries.”).
[26] Release at 144. Our Office of the Advocate for Small Business Capital Formation noted with concern the absence of tailoring for small companies in the proposal. See Office of the Advocate for Small Business Capital Formation, Annual Report: Fiscal Year 2022 at note 273 and accompanying text, SEC (Dec. 2022), https://www.sec.gov/files/2022-oasb-annual-report.pdf.
[27] Release at 108. The release delays compliance with the XBRL requirement by one year. Id. at 109.
[28] See, e.g., Comment Letter from Energy Infrastructure Council at 8 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128379-291282.pdf (“The Proposal will likely lead to registrants disclosing granular and specific details about cybersecurity incidents as well as overly detailed information regarding their cybersecurity governance. Accordingly, the Proposal may provide threat actors with a ‘roadmap’ to potential vulnerabilities in registrant’s cyber controls and associate information systems. Prior to engaging with a target, threat actors will often use open-source intelligence (OSINT) to learn more about their target. We can foresee threat actors using SEC disclosures to target registrants they perceive to have unsophisticated cybersecurity programs. For instance, a threat actor may target a registrant that disclosed that it is in the process of implementing cybersecurity policies and procedures, or a registrant that disclosed that its chief information security officer unexpectedly quit, and the position is currently vacant. Additionally, threat actors may target cybersecurity-related personnel that are named in a registrant’s disclosures.”) (citations omitted) (emphasis added); See Letter from National Retail Federation at 11 (“The proposal’s requirement to disclose policies and procedures to manage cybersecurity risks may highlight company vulnerabilities that could be exploited by cyber criminals or competition. . . . It is undoubtably [sic] important for companies to maintain such policies and procedures. Yet it is equally important for them to remain nimble and able to address quickly emerging threats and trends. The level of detail required by the proposal would allow cybercriminals to search for and exploit vulnerabilities in those policies and procedures and prevent the degree of flexibility companies need to change practices and procedures as threats emerge.”).
[29] Comment Letter from LTSE Services, Inc. at 2-3 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20129163-295059.pdf (“Unlike the typical Form 8-K event like a change in auditors, or resignation or appointment of a new director or officer, which is an event that is defined in time and largely determined by the company or a director or officer of the company, the determination of the occurrence of a material cybersecurity event is based on facts and circumstances largely out of the control of the company.”); Comment Letter from Debevoise at 2 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128351-291117.pdf (“Items required to be disclosed under current Form 8-K generally: (i) relate to events within a registrant’s control; (ii) events with respect to which a registrant has some advance warning or awareness; and/or (iii) events that are influenced by a registrant’s volitional acts; whereas proposed Item 1.05 would require disclosure of an event that is at its core a matter of registrant reactivity.”); Comment Letter from Energy Infrastructure Council at 7-8 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128379-291282.pdf (“Cybersecurity incidents are fundamentally different from the types of events covered by existing Form 8-K rules. Mandatory Form 8-K triggers generally cover discrete, clearly identifiable events relating to a company’s material transactions, governance or financial position. The occurrence and timing of most 8-K triggers are typically either within the control of the company or reasonably predictable. As acknowledged by the Commission in 2004, reporting on 8-K is intended for ‘unquestionably or presumptively material events.’ Conversely, a cybersecurity attack is by its nature operational, largely outside the company’s control and unpredictable, and certainly not ‘unquestionably or presumptively material.’ . . . Existing rules already require companies to apprise investors of a material operational issue, including a material cybersecurity event. A specific, mandatory 8-K trigger for cybersecurity events inappropriately extends the coverage of Form 8-K to the realm of operational developments, which are more appropriately disclosed in periodic reports or voluntary Forms 8-K, at a point when the information is more fully developed and impacts are better understood.”) (citing 17 C.F.R § 228, 229, 230, 239, 240 and 249 (2004)).
[30] Comment Letter from Senator Portman at 3-4 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128391-291294.pdf (“Forcing companies to disclose cyber incidents publicly and before they have a complete understanding of those incidents, mitigate the damage and vulnerabilities, and contain malicious actors presents significant security risks. Nefarious cyber actors—both criminal organizations and nation state actors—are adept at collecting intelligence on their victims and leveraging that information in their attacks and ransomware negotiations. Requiring the disclosure of information on ongoing incidents may allow hackers to identify the ‘crown jewels’ or most valuable information held by an organization amongst vast quantities of data. It could also help attackers improve targeting, gain additional access, effect further damage, and, in the case of ransomware, demand larger ransoms.”) (citations omitted); Comment Letter from Canadian Banker Association (“CBA”) at 6 (May 5, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128288-290991.pdf (“[T]he Proposed Rules may potentially require such service providers to publicly disclose an ongoing and unremediated cyberattack. Such premature disclosure would inhibit the service provider’s ability to respond and could enable bad actors to use the service provider as a vector to attack its customers before the service provider or its customers have had a chance to take remedial measures to mitigate harm.”); see also Letter from Senator Portman at 4 (“[I]f the method of attack is novel involving a ‘zero day’ vulnerability for which no patch exists yet, other organizations which use the vulnerable system or software will also be exposed to attack.”).
[31] Form 8-K Instructions to Item 1.05 (2) (“To the extent that the information called for in Item 1.05(a) is not determined or is unavailable at the time of the required filing, the registrant shall include a statement to this effect in the filing and then must file an amendment to its Form 8-K filing under this Item 1.05 containing such information within four business days after the registrant, without unreasonable delay, determines such information or within four business days after such information becomes available.”).
[32] Comment Letter from Rapid7 at 3 (August 29, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20137661-308069.pdf (“Publicly disclosing 'the nature and scope' of material incidents within four business days risks exposing enough detail of an otherwise unique zero-day vulnerability to encourage rediscovery and reimplementation by other criminal and espionage groups against other organizations.”); Letter from Sen. Portman at 4 (“[I]f the method of attack is novel involving a 'zero day' vulnerability for which no patch exists yet, other organizations which use the vulnerable system or software will also be exposed to attack.”); Letter from CBA at 6 (“[T]he Proposed Rules may potentially require such service providers to publicly disclose an ongoing and unremediated cyberattack. Such premature disclosure would inhibit the service provider’s ability to respond and could enable bad actors to use the service provider as a vector to attack its customers before the service provider or its customers have had a chance to take remedial measures to mitigate harm.”); Letter from Rapid7 at 3 (“Announcing that a company has an incident may cause other attackers to probe the company and discover the vulnerability or attack vector from the original incident. If the incident is not yet mitigated, the copycat attackers can cause further harm to the company and its investors. From the CERT Guide to Coordinated Disclosure: ‘[M]ere knowledge of a vulnerability's existence in a feature of some product is sufficient for a skillful person to discover it for themselves. Rumor of a vulnerability draws attention from knowledgeable people with vulnerability finding skills[.]’”) (citing CERT, Guide to Coordinated Vulnerability Disclosure, 5.7 Disclosure Timing, Sep. 16, 2019, https://vuls.cert.org/confluence/display/CVD/5.7+Disclosure+Timing#id-5.7DisclosureTiming-ReleasingPartialInformationCanHelpAdversaries); Letter from Sen. Portman at 4 (“If the registrant is required to disclose an incident before completing remediation of the vulnerability by which an attacker gained access, other opportunistic attackers may identify and exploit the vulnerability to perpetrate further cyberattacks against the registrant.”).
[33] Comment Letter from Quest Diagnostics at 3 (May 9, 2023), https://www.sec.gov/comments/s7-09-22/s70922-20128257-290053.pdf (“Moreover, even if a company believes that a cybersecurity event is material, four business days is insufficient for companies to conduct the necessary investigations to collect the information required by Item 1.05, particularly given the need to engage with internal and external experts. This timeframe seeks to rush out disclosures related to cybersecurity matters without taking into account the circumstances surrounding, and the magnitude and complexity of, any given cybersecurity incident.”).
[34] See, e.g., Release at 136 (“[T]he disclosure about cybersecurity incidents and cybersecurity risk management, strategy, and governance could potentially increase the vulnerability of registrants. Since the issuance of the 2011 Staff Guidance, concerns have been raised that providing detailed disclosures of cybersecurity incidents could, potentially, provide a road map for future attacks, and, if the underlying security issues are not completely resolved, could exacerbate the ongoing attack. The concern is that malicious actors could use the disclosures to potentially gain insights into a registrant’s practices on cybersecurity. As a result, the final incident disclosure rules could potentially impose costs on registrants and their investors, if, for example, additional threat actors steal more data or hamper breach resolution.”) (citations omitted); Release at 33 (“While there may be, as commenters noted, some residual risk of the disclosure of an incident’s existence tipping off threat actors, such risk is justified, in our view, by investors’ need for timely information, and similar risk already exists today with some companies’ current cybersecurity incident disclosure practices.”).
[35] Id. at 33. The full context of this quotation is the argument that “[t]he reformulation of Item 1.05 also addresses the concern among commenters that the disclosure may be tentative and unclear, resulting in false positives and mispricing in the market.” Id. I am unpersuaded.
[36] Id. at 37-38 (“For example, for incidents that impact key systems and information, such as those the company considers its ‘crown jewels,’ as well as incidents involving unauthorized access to or exfiltration of large quantities of particularly important data, a company may not have complete information about the incident but may know enough about the incident to determine whether the incident was material. In other words, a company being unable to determine the full extent of an incident because of the nature of the incident or the company’s systems, or otherwise the need for continued investigation regarding the incident, should not delay the company from determining materiality.”) (emphasis added). See also Comment Letter from Wilson Sonsini at 3 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128337-291094.pdf (“[T]here is a risk that disclosures that are rushed may be too broad and generic or, even more problematic, incomplete, inaccurate and potentially misleading.”); Comment Letter from Davis Polk at 1 (May 6, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128282-290896.pdf (“[W]e expect that registrants will be inclined to report as soon as possible without the benefit of a considered analysis of the impact of the incident on the registrant in light of all of the relevant facts and circumstances giving rise to the event, which may not be known for some time.”); Comment Letter from Debevoise at 2 (“[I]n the aftermath of discovery of a cybersecurity incident: (i) a registrant’s information gathering may be hampered in the midst of, or by, the incident; (ii) information about the incident available to the registrant may be incomplete or inconclusive; and (iii) a registrant’s internal management and compliance resources may be under significant strain.”).
[37] See Letter from Davis Polk at 1-2 (“[T]his could lead to investor confusion and the mispricing of the registrant’s securities. The fact that registrants could update their disclosure in subsequent reports . . . will be cold comfort to those investors who may suffer a loss as a result of the mispricing of the registrant’s securities following the initial report.”); see also Comment Letter from American Bar Association at 2 (July 20, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20134430-304137.pdf (“Premature disclosure will cause investors more harm than good because they will be making decisions based on information that is often incomplete or inaccurate and without the full context of updated disclosures of other aspects of the company’s operations.”); Comment Letter from Business Roundtable at 3 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128429-291372.pdf (“Disclosure before determining the nature and magnitude of information accessed (even when enough is known to reasonably expect the incident is material) will also lead to questions the registrant is incapable of answering, leading to additional risks and reputational harm. The confusion and uninformed market speculation resulting from such disclosure will force the registrant to deal with harmful volatility in its stock while trying to manage through the cyber incident.”). The Commission could have resolved this issue by explicitly clarifying that Item 1.05 “only requires issuers to disclose information that is known with a high degree of confidence and is unlikely to change.” Letter from American Investment Council at 5 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128346-291107.pdf.
[38] A 2022 study of 1200 large companies worldwide found that less than 1% of cybersecurity breaches are material. In 2021, companies experienced an average of 26.2 cybersecurity incidents per firm, an average of 0.82 of which were material. ThoughtLab, Cybersecurity Solutions for a Riskier World at 14, https://thoughtlabgroup.com/wp-content/uploads/2022/05/Cybersecurity-Solutions-for-a-Riskier-World-eBook_FINAL-2-1.pdf. The study defined material breaches as “those generating a large loss, compromising many records, or having a significant impact on business operations.” Id. at 10. 17% of companies in the study were based in the U.S. Id. at 4. See also Comment Letter from Internet Security Alliance at 13-14 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128395-291300.pdf (“For example, a 2022 study of 1,200 large companies by ThoughtLab found the percentage of breaches that were ‘material’ (defined as ‘generating a large loss, compromising many records, or having a significant impact on business operations’) was less than 1% of all breaches – .07 % in 2021 and .08% in 2022.”).
[39] Release at 15 (noting that “‘[d]oubts as to the critical nature’ of the relevant information should be ‘resolved in favor of those the statute is designed to protect,’ namely investors”) (quoting TSC Indus., Inc. v. Northway, Inc., 426 U.S. at 448); see also Letter from American Bar Association at 3 (“[I]nclusion of such an instruction would put pressure on a company to draw conclusions about materiality in the immediate aftermath of an incident with incomplete information in order to avoid any claim that the company could or should have known that the incident was material sooner.”).
[40] See, e.g., Comment Letter from American Petroleum Institute et al. at 7 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128380-291283.pdf.
[41] See Form 8-K Instructions to Item 1.05 (3) (“The definition of the term ‘cybersecurity incident’ in 17 CFR §229.106(a) [Item 106(a) of Regulation S-K] applies to this Item.”); see also Item 106(a) of Regulation S-K (“Cybersecurity incident means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”).
[42] Proposed Regulation S-K Item 106(d)(2).
[43] Comment Letter from U.S. Small Business Administration Office of Advocacy at 1 (May 6, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128275-290621.pdf.
[44] Letter from National Retail Federation at 11 (“The proposal’s requirement to disclose policies and procedures to manage cybersecurity risks may highlight company vulnerabilities that could be exploited by cyber criminals or competition. . . . It is undoubtably [sic] important for companies to maintain such policies and procedures. Yet it is equally important for them to remain nimble and able to address quickly emerging threats and trends. The level of detail required by the proposal would allow cybercriminals to search for and exploit vulnerabilities in those policies and procedures and prevent the degree of flexibility companies need to change practices and procedures as threats emerge.”).
[45] Comment Letter from Federated Hermes at 4 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128260-290075.pdf (“[W]e believe that the Commission should provide a reasonable transition period that will give registrants sufficient time to comply with the final rules’ requirements. We recommend a minimum compliance period of at least 24 months, should the Proposal be adopted substantially as proposed.”).
Last Reviewed or Updated: July 26, 2023