Key Point: Drafting the material cybersecurity risks disclosures in registrants’ annual reports will require careful planning to avoid giving malicious cyber actors a blueprint of the corporate network.

Part I of this blog series discussed the compliance dates and the new definitions in the U.S. Securities Exchange Commission’s (the “SEC”) final rules (the “adopting release”) for cybersecurity disclosures. In Part II, we offer ideas for preparing the disclosure required in the registrant’s annual report about the registrant’s material cybersecurity risks and the governance structure used to assess and manage these risks.

Item 106 of Regulation S-K, encoded at 17 CFR 229.106(b), requires each registrant to provide detailed disclosures in its Annual Report on Form 10-K of the company’s cybersecurity risk management process, to include “assessing, identifying and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.” 17 C.F.R. § 226.106(b)(1). The disclosure should address factors including but not limited to:

  • whether the cybersecurity risk processes have been integrated into the company’s overall risk management system/process;[1]
  • whether the registrant engages assessors, consultants, auditors or other third-parties to assist with the cybersecurity risk processes; and
  • whether the company has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.

17 C.F.R. § 226.106(b)(1)(i)-(iii).

The annual report must also disclose “whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, its business strategy, results of operations or financial condition, and if so how.” 17 C.F.R. § 226.106(b)(2).

From a corporate governance standpoint, the annual report must also disclose the Board of Directors’ oversight of risks from cybersecurity threats, the committees or subcommittees responsible for this oversight, and the processes for informing the Board or applicable committee of these risks. 17 C.F.R. § 226.106(c)(1).

At the corporate management level, the annual report must disclose management’s role in assessing and managing the registrant’s material risks from cybersecurity threats, to include the management positions or committees responsible for assessing such risks and fully describe the relevant expertise of such persons or members.[2] The disclosure of management’s role should also include the processes by which such persons or committees are informed and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents and inform the Board of such risks. 17 C.F.R. § 226.106(c)(2).

The instructions to Item 106(c) state that examples of relevant management expertise for purposes of Item 106(c)(2) may include: prior work experience in cybersecurity; any relevant degrees or certifications; and any knowledge, skills, or other background in cybersecurity. 88 Fed. Reg. 51942.

In the adopting release, the SEC recognized that the advancements in artificial intelligence can increase the harm from cyber incidents and quantum computing may render existing encryption methods obsolete. 88 Fed. Reg 51898. Yet in the same document, the SEC is requiring the likely victims of cyberattacks to be open and transparent with their defensive efforts for the world, and prospective attackers, to see.

The SEC states that the governance disclosure requirements in the final rules were streamlined from those contemplated in the proposed rules. Nevertheless, the specificity called for in these disclosures, which will be publicly available, not only inform investors of the registrants’ processes, but will also inform intelligence agencies in adversary nations, organized crime rings and motivated individuals of the companies’ strengths and weaknesses regarding cybersecurity. For comparisons sake, in the physical domain, the SEC does not require a bank to publicly disclose the blueprints of its vault to allow investors to make informed decisions, but here the SEC has created an environment where malicious cyber actors will have access to the company playbook “before game day.” These requirements will complicate existing compliance burdens and increase the risks of enforcement actions and litigation for registrants.

Just as Federal Trade Commission enforcement actions will use the assertions in a company’s privacy notice against it following a data breach, the SEC’s Division of Enforcement (the “Division”) and private litigants will use a registrant’s representations in its disclosures as potential bases for liability. In fact, the Division has already shown a willingness to charge violations of the disclosure controls and procedures provisions under the federal securities laws to hold companies liable in connection with cybersecurity incidents. The additional disclosure requirements of Items 106 of Regulation S-K present risks that the Division will utilize such provisions to penalize companies after they have been the victims of a material cybersecurity incident.

For these reasons, disclosures about a registrant’s processes for assessing, identifying, and managing material cybersecurity risks must be the result of thoughtful planning, with an appreciation for the possibility that malicious cyber actors will read them. To justify the contents of the disclosures, registrants will need to create and maintain internal records that ‘show the work’ to demonstrate that directors and management were in fact overseeing and evaluating the risks from cybersecurity threats, and that their responses to those threats were reasonable.

Suggestion 4: When preparing the cybersecurity risk management process, registrants would be wise to provide a level of detail that is consistent with other risks that are contained in the annual report. To the extent that a registrant has provided its insurance carriers with disclosures of material risks, the level of specificity used in those insurance disclosures could be a valid starting point.

Suggestion 5: Registrants should maintain in their records the details that led to a decision to disclose material risks and the reasons why other risks were determined to be non-material. From an enforcement standpoint, internal records that show a risk was identified and evaluated offer the company a defensible position with a subjective materiality standard. In contrast, the absence of any records involving risk assessments may imply there were no assessments made.

Suggestion 6: The requirement to disclose the relevant cybersecurity expertise of management personnel may trigger changes to the subsequent annual report if cybersecurity experts leave the company. In light of the high job demand for cybersecurity personnel, registrants should evaluate the training and qualification programs for their cybersecurity staff, to avoid being overly dependent on the skill set of one or two individuals.

As noted in Part I of this series, the SEC defined information systems to include systems “used by” the registrant to include systems owned by third-parties, and the focus of each registrant’s risk assessment should be based upon the potential or actual impact on the registrant, not where the system is located or its ownership. 88 Fed. Reg. 51917. The SEC’s intentions require registrants to actively monitor service providers and vendors because their outages or vulnerabilities can trigger a material risk for registrants.

Suggestion 7: As a long-term goal, registrants’ procurement departments should review or revise their service provider and vendor management programs and the related agreements to require prompt notification of cyber incidents, outages, and software vulnerabilities. When a cybersecurity incident occurs at a third-party vendor, public companies may have difficulty obtaining timely information or obtaining sufficient details to make a materiality determination or disclose all the information required by Item 1.05 of Form 8-K. While the SEC admits registrants have limited visibility into third-party systems, registrants are expected to disclose material risks and incidents based on information known to them.[3] Hence, registrants should ensure they have effective communication protocols in place with third-party service providers to facilitate timely assessment and disclosure. To reduce some of this risk, public companies (and companies considering becoming public companies) may want to reassess their cybersecurity and data privacy risks associated with their vendor management programs. This may include conducting due diligence reviews and cybersecurity audits, including whether the vendors complied with the applicable contract provisions to provide timely and detailed cyber incident reporting, or even reconsidering the mix of internal and outsourced information technology systems.

Suggestion 8: Companies should be aware of the possible consequences for future litigation that may arise from Item 106(b)(1)(ii)’s requirement to describe the engagement of assessors, consultants, auditors or other third-parties in connection with the cybersecurity risk management processes. Although every victim of a cybersecurity incident wants the incident response to be protected under attorney-client and work product privileges, federal magistrates and judges have weakened those protections for cyber incident response investigations in recent years.[4] The SEC’s requirement that registrants disclose the role of third-parties in the risk management and strategy processes of material cybersecurity risks will likely weaken those protections even more.

In Part III we will discuss ideas for disclosing material cybersecurity incident within the SEC’s timeline.

[1] In a notable departure from the proposed rules, the adopting release will not require disclosure as to whether and how the Board integrates cybersecurity into its business strategy, risk management and financial oversight function, the frequency of Board discussions on cybersecurity, and whether directors have expertise in cybersecurity. However, the adopting release noted that, depending on context, some registrants’ descriptions of the processes by which their Board or relevant committee is informed about cybersecurity risks may include the frequency of Board or committee discussions.

[2] While registrants will be required to disclose the expertise of the persons on such management committees or in such positions that are responsible for oversight of cybersecurity risks, the adopting release removed the proposed requirement for registrants to identify any director who has expertise in cybersecurity and identify the nature of that expertise.

 [3] The SEC did not exempt registrants from providing disclosures regarding cybersecurity incidents on third-party systems they use, but, consistent with SEC rules regarding disclosure of information that is difficult to obtain, the final rules “generally do not require that registrants conduct additional inquiries outside of their regular channels of communication with third-party service providers.” Therefore, to the extent that information regarding third-party systems is available to a registrant or could be obtained without unreasonable effort or expense (e.g., pursuant to contractual rights), it appears that registrants would be required to disclose that information.

[4] See e.g. In re: Capital One Consumer Data Security Breach Litigation, 2020 WL 2731238 (E.D. Va. 2020); Guo Wengui v. Clark Hill PLC, 338 F.R.D. 7 (D.D.C. 2021); In re: Rutter’s Data Security Breach Litigation, 2021 WL 3733137 (M.D. Pa. 2021).