TheCorporateCounsel.net

July 26, 2023

Cybersecurity: Here We Go Again

I don’t know about you, but the pace of SEC rulemaking these days has me worn out. Today, the SEC will consider final rules regarding cybersecurity disclosure, bringing to a conclusion a rulemaking that the SEC formally started with a proposal last year, but which actually started through Staff action over a dozen years ago. As the Commission is poised for action, I think it is a good time to look back on how we got here.

First, I will posit that cybersecurity is one of the principal risks that companies and individuals face today. If you speak with any of your cybersecurity colleagues on a regular basis, you are no doubt concerned about the security of your information every time you turn on your computer, or when you conduct an online transaction, or when you sleep at night for that matter. Information systems are under constant attack, and the threat actors are always devising new ways to take advantage of the weakest points of our systems, which often involves us very fallible humans. In fact, it is a miracle that you are able to read this blog this morning. This threat environment has been ever present for many years, and it only seems to get worse. Against this backdrop, the only logical question is: why has it taken so long for the SEC to consider new cybersecurity disclosure rules?

The answer to that question is, of course, politics. Our representatives in Congress have tried to tackle the cyber threat over the decades, but as is often the case, they encountered the issue that the federal government does not directly regulate the conduct of most large companies, making it hard to tell them what to do. So, in their infinite wisdom, they of course turned to the tried-and-true strategy of trying to compel conduct by shaming companies through disclosure, and the various cybersecurity measures that have been proposed by members of Congress over the years have all had some disclosure component. The SEC Staff, to its credit, tried to be proactive by advancing its own framework for disclosure of cybersecurity in the form of CF Disclosure Guidance Topic No. 2 – Cybersecurity (October 13, 2011), which generally reviewed the applicability of existing SEC disclosure requirements to cybersecurity concerns. Not surprisingly, the CF Disclosure Guidance looked very similar to the guidance provided regarding climate change risks, which was also issued against a backdrop of various legislative efforts to compel disclosure.

In the ensuing years, as one high profile cybersecurity incident after another hit the headlines, the SEC Staff (particularly the Division of Enforcement) seemed uncomfortable with the notion that we live in a world where U.S. public companies are subject to a periodic and current reporting system, a basic tenet of which is that unless a company has an affirmative disclosure obligation, it is not required to disclose material nonpublic information. While lacking any specific Form 8-K item that mandated current disclosure, the Staff (and the Commission through enforcement action) began to express concern with the delays that occurred between the discovery of a material cybersecurity breach and when investors ultimately learned about it.

One would have thought that this concern should have been addressed through rulemaking rather than through a “regulation through enforcement” approach, but surprisingly the Commission took a different turn in 2018 – by issuing an interpretive release. The interpretive release elevated the guidance from the CF Disclosure Guidance to Commission guidance, and strongly encouraged the filing of a Form 8-K when a cybersecurity event is material. The Commission noted in its guidance the importance of disclosure controls and procedures “that provide an appropriate method of discerning the impact that such matters may have on the issuer and its business, financial condition and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.”

And so we have lived in this regulatory grey area for the past five years, where a casual reader of Form 8-K would find no disclosure items that address cybersecurity, yet the Commission brings actions against companies that fail to timely disclose cybersecurity incidents. In some ways, having actual rules to work with rather than broad Commission interpretive musings may make things better for companies and practitioners, because at least the “rules of the road” are articulated and known.

One thing is for certain – the new disclosure regime that the Commission will consider today is not going to do anything to defuse the threat environment that we operate in, so please don’t open those phishing emails!

– Dave Lynn