Comments to SEC’s Proposed Rules on Cybersecurity Raise Concerns About Potentially Serious Consequences

On March 9, 2022, the Securities and Exchange Commission (“SEC”) issued its Proposed Rules on Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure. As per the SEC press release from March 9th, “[t]he proposed amendments are intended to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification to investors of material cybersecurity incidents.” One of the proposed rules concerns a 4-day cybersecurity reporting requirement, and reads as follows:

                 Specifically, we are proposing to:  

                 •    Amend Form 8-K to add Item 1.05 to require registrants to disclose information about a cybersecurity incident within four business days after the                                     registrant determines that it has experienced a material cybersecurity incident.

Proposed Rule Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure at 18.

The current Form 8-K does not contain any specific language about cybersecurity incidents.

A comment period followed this rule proposal. During this time, concerns were raised about the stringency of the proposed rules, including with respect to the 4-day requirement. For example, the Internet Security Alliance pointed out in a letter dated May 9, 2022, that the SEC’s argument that the 4-day requirement will mitigate the risk of stock manipulation “fails to appreciate the degree of control the attackers can have not only on when the attack occurs, but when it will be discovered and likely deemed material.”). The U.S. Chamber of Commerce, meanwhile, expressed its opinion in a letter dated June 22, 2022, that “the proposed rules go too far and would place companies at heightened risk by compelling them to prematurely disclose increased amounts of cybersecurity incident information”, noting further that “hasty reporting may not necessarily be accurate, given the little time afforded to companies to report material cybersecurity incidents. It is possible that the severity of incidents could be overstated, thus having a potentially negative effect on a company’s earnings.” U.S. Chamber of Commerce Letter at 1-2. U.S. Representative James Edward Banks (Indiana, 3rd District) wrote in a letter dated July 1, 2022, that the SEC “should provide an explicit reporting exemption for classified information and should allow companies to delay or forgo incident reports if necessary to protect the national security of the United States”, noting that, for those companies working with the federal government, “reporting information about a cybersecurity incident could implicate classified information or endanger the United States’ national security.”

The 4-day reporting rule has generated considerable criticism. It remains to be seen whether the SEC heeds the warnings of the commenters and amends this proposed rule. If this rule, as written, is added to the Form 8-K, it is this author’s opinion that the word “material” will be the subject of future litigation. For example, if a company suffers a cyber attack on one person’s account and decides to resolve the issue internally, which it does successfully within 5 business days, and does not reveal the cyberattack in a Form 8-K for fear of scaring investors, will the company still be held liable under this new rule because this constituted a material cybersecurity incident?

The SEC’s Proposed Rules on Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure can be found here.

The complete list of comments on the SEC’s Proposed Rules on Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure can be found here.