SEC’s Proposed Revisions to Regulation S-K Will Minimally Impact Cybersecurity Disclosure Requirements
It has been thirty years since the Securities and Exchange Commission (the “SEC”) significantly revised Regulation S-K, which sets forth reporting requirements for public companies. The SEC is now taking a fresh look at the rules, proposing for public comment amendments to modernize the description of business, legal proceedings, and risk factor disclosures that public companies must make. This represents a good opportunity to revisit key disclosure requirements—including Items 503(c) (now Item 105), 101, and 103—that are the subject of the revised guidance and that potentially impact reporting obligations associated with cybersecurity.
Under the 2018 guidance, discussed in past blog posts here, the SEC indicated that companies must disclose cybersecurity risks and incidents that are material to investors. According to that guidance, whether cybersecurity risks are material “depends on their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations.” Companies, therefore, must make delicate decisions about whether an event rises to the level of materiality warranting a disclosure. Such decisions require public companies to carefully calibrate their legal disclosure requirements with the risks of revealing sensitive information related to existing cybersecurity efforts.
Proposed revisions to Regulation S-K would impact three disclosure requirements that we covered in detail in our recent publication, Cybersecurity Governance: A Guide for Corporate Officers, Directors and General Counsel:
- Risk Factors. Item 503(c) of Regulation S-K required companies to disclose “the most significant factors that make investments in the company’s securities speculative or risky.” In evaluating whether cybersecurity risks require disclosure under this item, the 2018 guidance counseled companies to consider multiple factors, including the occurrence of prior cybersecurity incidents and the probability and magnitude of future incidents, based on a company’s specific circumstances.” The 2018 guidance further noted that evaluating the risk of future incidents may require disclosing prior cybersecurity events, in order to contextualize the risk discussion.
As the proposed guidance notes, the requirements of Item 503(c) are now consolidated under a new Item 105. Item 105 dispenses with the list of sample risk factors that are not applicable to all companies. Under the proposed guidance, the SEC has instead indicated its preference for a “principles-based” approach that encourages companies to focus on their own “particular facts and circumstances” in disclosing risk. Among other things, the disclosure standard under the new Item 105 would be changed from the “most significant” factors to the “material” factors, thereby “reduc[ing] the amount of risk factor disclosure that is not material and potentially shorten[ing] the length of the risk factor discussion.” This shift in approach would align Regulation S-K with the materiality threshold identified in the 2018 cybersecurity guidance.
- Description of Business. Item 101 of Regulation S-K requires companies to “discuss their products, services, relationships with customers and suppliers, and competitive conditions.” If cybersecurity threats or incidents materially affect one of these categories, the company must provide appropriate disclosures. The current Item 101(c) specifies twelve items that must be disclosed with respect to a company’s business in general.
Under the revised guidance, Item 101 would, like Item 105, shift to a “principles-based” approach, under which companies would need to provide disclosure on a more limited list of non-exhaustive topics. Additionally, companies would now be expected to provide disclosure on compliance with “material government regulations”—not just environmental regulations. For example, as the guidance notes, healthcare and insurance providers routinely disclose their compliance with government regulations that protect personally identifiable information (“PII”), such as the Health Insurance Portability and Accountability Act (“HIPAA”). The new guidance would make such routine disclosure a requirement. This requirement could have significant reverberations for companies that regularly transact in PII and other sensitive data.
- Legal Proceedings. Item 103 of Regulation S-K requires companies to disclose information related to material pending legal proceedings, including proceedings related to cybersecurity issues. If such materials proceedings exist, the company should describe the litigation in its disclosures.
Unlike its “principles-based” approach to Items 101 and 105, the SEC is proposing to retain the “prescriptive” approach currently used in Item 103. As relevant, however, the new guidance would expressly allow Companies to use hyperlinks or cross-references to legal proceedings disclosure located elsewhere in the document to avoid repetitive disclosure.
Although the proposed SEC guidance would not substantially alter the substantive disclosure obligations associated with cybersecurity events, the new rules would streamline public companies’ reporting obligations—potentially even simplifying such obligations. Determining a company’s disclosure response, however, must still take into account several fact-specific variables, including the remoteness of the risk and the materiality of the breach. Even under the revised guidance, companies would be well-served to conduct a careful, case-by-case analysis to determine the extent and timing of a required disclosure.
The public comment period on the above guidance remains open until October 22, 2019, and the final regulations may vary once the comment period concludes. We will continue to monitor these issues.