According to its Spring 2023 rulemaking agenda, the U.S. Securities and Exchange Commission (SEC) has delayed issuance of two sets of cybersecurity requirements that previously were expected to be finalized in April 2023. The SEC's proposed Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule for public companies and its proposed rule on Cyber Risk Management for Investment Advisers, Registered Investment Companies and Business Development Companies now are scheduled to be finalized by October 2023 at the earliest.
Three other sets of proposed requirements—amendments to Reg S-P on safeguarding customer information, amendments to Reg SCI on cybersecurity and IT resilience (among other things) for "SCI entities," and a new Cybersecurity Risk Management Rule for broker-dealers, clearing agencies and other SEC-regulated entities—now are slated for April 2024.
Proposed Cybersecurity Rule for Public Companies
The SEC proposed requirements for cybersecurity risk management, governance, and incident disclosure for public companies in March 2022 (we discussed the proposed rule in depth here). This rule would require public companies to disclose information about boards of directors' oversight of cybersecurity risk, individual board members' cybersecurity expertise, and the role of management in addressing cybersecurity risk, among other aspects of companies' cybersecurity risk management programs. In addition, public companies would be required to report material cybersecurity incidents within four business days. Not surprisingly, the four-day disclosure requirement has garnered the most attention in public comments on the proposed rule submitted to the SEC (and generally).
Cyber Incident Disclosure
Under the proposed rule, public companies would be required to report "material cybersecurity incidents" via Form 8-K (i.e., a type of immediate disclosure companies are required to file for specific types of events the SEC determined are too time-sensitive to wait for quarterly or annual filings). The amended Form 8-K would require public companies to disclose the following information about a material cyber incident, to the extent known at the time of filing:
- When the incident was discovered and whether it is ongoing;
- A brief description of the nature and scope of the incident;
- Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
- The effect of the incident on the company's operations; and
- Whether the company has remediated or is currently remediating the incident.
The proposed rule defines a "cybersecurity incident" very broadly, as "an unauthorized occurrence on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein." The SEC states that incidents "should be construed broadly and may result from any one or more of the following: an accidental exposure of data, a deliberate action or activity to gain unauthorized access to systems or to steal or alter data, or other system compromises or data breaches." Under this definition, public companies could be required to report certain attempts to compromise data and to do so even before applicable vulnerabilities had been addressed, even if no actual compromise of data has occurred.
The four-business-day notification deadline would start running on the date the company determines that a cyber incident was material, not the date the incident is discovered (as is typically the case under incident reporting rules). Companies would need to determine whether an incident is material "as soon as reasonably practicable after discovery of the incident." The SEC stated in the proposed rule that the materiality of a cyber incident depends primarily on whether "there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the 'total mix' of information made available" (internal quotations omitted). The SEC states further that materiality cannot be determined based solely on a quantitative analysis (e.g., based on a loss of share value or lost revenue) but, rather, must consider both quantitative and qualitative factors from the perspective of a reasonable investor: "[W]hen a cybersecurity incident occurs, registrants would need to carefully assess whether the incident is material in light of the specific circumstances presented by applying a well-reasoned, objective approach from a reasonable investor's perspective based on the total mix of information." According to the SEC, doubts should be resolved in favor of disclosing a cyber incident as material.
The breadth of the proposed rule's definition of a cybersecurity incident, coupled with the four-business-day disclosure requirement, has drawn significant criticism from various commenters. For example, NASDAQ stated in its public comments that the disclosure requirement runs the risk of interfering with a public company's primary obligation which is to remediate a cybersecurity incident. In addition, NASDAQ stated that four days was an insufficient amount of time to fully understand and grasp the nature and scope of a cybersecurity breach, let alone its potential impact. Similarly, the Atlantic Council commented that the proposed rule contains "no exceptions for ongoing incidents, nor for preventing potential interference in an active law enforcement investigation" and "could result in attacker behaviors designed to inflict additional harm to investors, such as attack escalation (e.g., more aggressive exfiltration of data) and anti-forensic activity (e.g., deleting activity logs)."
Numerous commenters also highlighted the potential duplication and conflict that may arise between the proposed SEC reporting requirements and proposed reporting requirements under the 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), among other reporting requirements. Under CIRCIA and forthcoming regulations from the Cybersecurity & Infrastructure Security Agency (CISA), critical infrastructure operators will be required to report to CISA a covered cyber incident "not later than 72 hours" after a covered entity "reasonably believes that the covered cyber incident has occurred" (we discuss CIRCIA and the forthcoming CISA regulations here).
Risk Management, Strategy and Governance Disclosures
While the four-business-day disclosure requirement has drawn most of the public attention, the proposed rule also contains significant disclosure requirements related to public companies' cyber governance and risk management. The proposed rule would require companies to describe their policies and procedures, if they have any, for identifying and managing cybersecurity risks, including those risks related to business operations, intellectual property theft, fraud, extortion, harm to employees or consumers, violations of privacy laws, and the registrant's reputation.
The proposed rule would also require registrants to disclose how their boards of directors oversee company cybersecurity risk management. For example, the proposed rule would require disclosure of whether the entire board, specific board members, or a board committee is responsible for the oversight of cybersecurity risks and whether consideration of cybersecurity risks is part of the company's business strategy, risk management, and financial oversight.
In addition, the proposed rule would require companies to disclose management's role in assessing cybersecurity risks and implementing the companies' policies. For example, the proposed rule would require disclosure of whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents, and the relevant expertise of such persons or members.
Proposed Cybersecurity Rule for RIAs and Funds
The SEC originally proposed a rule for cybersecurity risk management for registered investment advisors (RIAs) and funds in February 2022 (we discussed this proposed rule here). If that rule is adopted, RIAs and other similar entities – including registered investment companies and closed-end funds that elected to be treated as business development companies – would be required to implement comprehensive cybersecurity policies and procedures, conduct and document risk assessments, implement access controls, monitor and remediate vulnerabilities, and detect, respond to, and report cybersecurity incidents. In addition, covered RIAs and funds would be required to report "significant cybersecurity incidents" to the SEC within 48 hours. A "significant cybersecurity incident" is defined in the proposed rule as any incident that "significantly disrupts or degrades [a firm's] ability to maintain critical operations, or leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in: (1) substantial harm to the adviser, or (2) substantial harm to a client, or an investor in a private fund, whose information was accessed."
Once written cybersecurity policies and procedures are in place, the proposed rule would require advisors to conduct an annual review and issue a written report assessing the design and effectiveness of their cybersecurity compliance program. The proposed rule would also require an entity's board of directors, including a majority of its independent directors, to review and approve the policies and procedures, as well as review the annual written report. In addition, the proposed rule would impose various recordkeeping requirements for documents related to the firm's compliance program, incident management, and board notification.
Proposed Amendments to Reg S-P and Reg SCI; Proposed Rule 10
In addition to the cyber rules for public companies and RIAs and funds proposed in 2023, the SEC voted in March 2023 to propose a trio of additional requirements for data security, cybersecurity and operational resilience (we discussed the three proposed rules here). Those three rules would, among other things:
- Amend Regulation S-P to require asset managers, broker-dealers, mutual funds, and transfer agents to notify affected individuals whose "sensitive customer information" was or was reasonably likely to have been "accessed or used without authorization."
- Amend Regulation SCI to expand its scope by bringing registered security-based swap data repositories (SBSDRs), registered broker-dealers exceeding an asset or transaction activity threshold, and additional clearing agencies exempted from registration into the ambit of Reg SCI's jurisdiction. Entities subject to Reg SCI would be required to undertake risk assessments of their third-party providers, consider whether their operations may be overly dependent on a particular provider, and consider "exit strategies" if they choose to disengage a provider.
- Establish a new Cybersecurity Risk Management Rule (referred to as "Proposed Rule 10") for broker-dealers, clearing agencies and other SEC-regulated entities that would require these entities to maintain written policies and procedures reasonably designed to address their cybersecurity risks, assess annually the effectiveness of those policies and procedures and document that assessment, and notify the SEC of any "significant cybersecurity incident" within 48 hours after "having a reasonable basis to conclude that the significant cybersecurity incident has occurred or is occurring."
The SEC's Spring 2023 rulemaking agenda indicates that the SEC expects to finalize these three sets of requirements in April 2024.
The SEC's slate of proposed rules could significantly alter cybersecurity regulation in the United States. DWT's Privacy and Security team will continue to monitor the development of these proposals, including whether the SEC decides to alter any of the rules based on strong industry feedback.
 The proposed amendments to Reg S-P define "sensitive customer information" as "any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information."