Jul 27, 2023

SEC adopts cyber-security rules without director expertise element

Companies will have to report on major attacks and cyber-security governance

The SEC on Wednesday voted three-to-two to approve rules requiring companies to disclose material cyber-security incidents that affect them. They will also have to report each year material information about their cyber-security risk management, strategy and governance – although the commission has dropped a controversial proposal that companies report on board-level cyber-security expertise.

Under the new rules, firms will have to report on a new Item 1.05 of Form 8-K any cyber-security incident they determine to be material, describing the material aspects of its nature, scope and timing, as well as its material impact, or reasonably likely material impact, on the company.

In most cases such reports will be due four business days after the company determines that an incident is material. The clock therefore starts at the materiality determination rather than at discovery of the incident, although the rule requires that determination to be made without unreasonable delay after discovery. The company will be able to delay making the disclosure if the US Attorney General determines that revealing the incident would pose a substantial risk to national security or public safety.

The new rules also add Item 106 to Regulation S-K. This will require companies to describe in their Form 10-K the board’s oversight of cyber-security risks and management’s role and expertise in assessing and managing material cyber-security risks. They will also have to describe their processes for assessing, identifying and managing material risks from cyber-security threats, and whether any such risks have materially affected, or are reasonably likely to materially affect, the company.

The Form 8-K disclosures will be due beginning the later of 90 days after the rule is published in the Federal Register or December 18, 2023. The Form 10-K disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023.

The SEC initially proposed adding Item 407(j) to require disclosures about the cyber-security expertise, if any, of a company’s board members. The measure attracted a lot of feedback and was ultimately dropped.

The agency writes in the final rule: ‘After considering the comments, we are not adopting proposed Item 407(j). We are persuaded that effective cyber-security processes are designed and administered largely at the management level, and that directors with broad-based skills in risk management and strategy often effectively oversee management’s efforts without specific subject matter expertise, as they do with other sophisticated technical matters.’

There are different schools of thought about whether boards need specific expertise to address topics such as cyber-security, artificial intelligence, climate change and human capital management. Many governance professionals favor directors having broader expertise and concentrating on their risk-oversight role.

The National Association of Corporate Directors (NACD) welcomed the rule changes overall, saying in a statement that a more formalized disclosure on cyber-security risk management, strategy, governance and incident disclosure will ‘create efficiencies and clarity around cyber-risk oversight expectations.’

NACD also welcomed the SEC’s decision to drop the board expertise requirement. The group had written in its comment letter to the agency: ‘The presence of a cyber-security expert on a board cannot make up for poor oversight processes and does not excuse the full board from its oversight duties in this matter.’ It expressed approval that the final rule ‘focuses disclosure of expertise at the correct tier of responsibility for mitigating this risk: management.’


The changes have – as in many cases in recent years – divided opinion among the commissioners. SEC chair Gary Gensler said in a statement: ‘Whether a company loses a factory in a fire — or millions of files in a cyber-security incident — it may be material to investors. Currently, many public companies provide cyber-security disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable and decision-useful way.

‘Through helping to ensure that companies disclose material cyber-security information, today’s rules will benefit investors, companies and the markets connecting them.’

Commissioner Caroline Crenshaw, who voted in favor of the reforms, said: ‘[A]s the comment file substantiated, knowledge of cyber-security threats and breaches are essential to understanding a firm. Among other reasons, breaches can (and do) result in loss of revenue, customers and business opportunities. Those harms may be realized or they may be ongoing in the form of lost sensitive information, remediation costs and losses in shareholder value.

‘Despite the consensus on the harmful nature of cyber-incidences, commenters highlighted that existing disclosure practices vary in substance, organization and presentation, thus establishing a need for, and benefit of, comparable, reliable and decision-useful disclosures to investors.’


Hester Peirce, who voted against the changes, complained that they ignore the limits of the agency’s disclosure authority and investors’ best interests while not establishing why they are needed. ‘The release prescribes granular disclosures, which seem designed to better meet the needs of would-be hackers rather than investors’ need for financially material information,’ she said.

‘The new rule, for example, requires disclosure of detailed information about issuers’ cyber risk management processes and governance and relevant personnel… The strategy and governance disclosures risk handing them a roadmap on which companies to target and how to attack them.’

She also commented: ‘[T]he SEC’s potentially non-material risk management and governance disclosures veer into managing companies’ cyber-defenses; the new rule looks like a compliance checklist for handling cyber risk, a checklist the SEC is not qualified to write.’

Despite approving of the changes overall, NACD also said it remains concerned that the four-day reporting window ‘may not allow companies the time to put in place adequate patches and protections before being forced to make it known that they have been compromised digitally.’