By Jessica Penovich, Senior Director
On March 9, 2022, the Securities and Exchange Commission (“SEC”) proposed its second cybersecurity rule this quarter to enhance industry disclosure of cyber incidents. The proposed rule would impact reporting requirements to the SEC for public companies and require the disclosure of material cybersecurity incidents and cyber risk governance to their shareholders. The rule proposal cites growing cybersecurity concerns amid the “digitalization” of public company operations, including remote work, the use of digital payment systems, and reliance on third-party service providers. The rule further cites the material risks to public companies arising from the cost of cyber incidents, business interruption, ransom demands, remediation costs, and intellectual property theft, among other costs.
How the Rule May Affect Investment Advisors
While the SEC has recently proposed rules impacting advisors’ operations and disclosures related to cybersecurity, the new rule proposal poses some additional factors to consider as they relate to an advisor’s duty of care owed to its clients. Advisors must conduct a reasonable investigation and due diligence into recommended investments, including the contemplation of potential risks. The SEC has made it clear that it views cybersecurity as material to a public company’s stability and a factor worthy of investor consideration.
Impact of the Proposed Rule
The proposed rule would amend Form 8-K, which is used to notify public company investors of a significant event (e.g., bankruptcy or the departure of a CEO) to enable them to make informed decisions. Information found on Form 8-K is generally considered to be material. Under the proposal, cybersecurity incidents would be required to be reported on Form 8-K among those major events that shareholders should know about. Shareholders and investment advisors may find these events particularly relevant.
The rule would also add a new “Item 106” report to the Form 8-K Section 1 – Registrant’s Business and Operations of Regulation S-K (a regulation under the Securities Act that requires public companies to provide disclosures about their business, securities, and financial information, among other requirements). Notably, the Item 106 report would fall under Regulation S-K’s discussion of business areas, including a description of the business, legal proceedings, and other risk factors. Under the proposed rule, public companies would have to provide disclosure about previously unreported events that were once individually deemed immaterial but subsequently became material when viewed in the aggregate, and provide a description of their policies and procedures and of how cybersecurity risks are considered as part of the company’s “business strategy, financial planning and capital allocation.” The SEC also would require disclosure about a public company’s board oversight of cybersecurity posture, including whether a member of the board possesses cybersecurity expertise.
SEC Chair Gary Gensler issued a statement concurrently with the proposed rule and said, “investors increasingly seek information about cybersecurity risks, which can affect their investment decisions and returns.” The proposed rule requires disclosure of material information, but as of yet, there is no bright-line test for determining materiality. Based on SEC guidance, the term “material” generally refers to any facts that would be important to an investor in light of the surrounding circumstances. The specific facts that would cause a reasonably prudent investor to change their mind about investing are hardly black and white. It is possible additional guidance about materiality will emerge from the SEC, and enforcement actions for failures to disclose material events will eventually follow, providing some objective criteria by which the industry can assess materiality. Companies that wish to avoid learning those lessons through enforcement would be wise to err on the side of disclosure.
It is too early to determine the specific implications for investment advisors, but if the rule proposal proceeds, it would be prudent for advisors to consider the additional information about cybersecurity practices and incidents when making recommendations involving public companies to clients. Additional disclosures may be required of advisors, including updates to Item 8 of Part 2A of Form ADV, which currently requires advisors to describe their methods of analysis and provide an explanation of the material risks involved with the type of securities they recommend.
The SEC requested comment about whether certain public companies should be exempt from additional disclosure if those companies are already subject to Investment Advisers Act and Investment Company Act disclosure requirements, referring to its February 9, 2022 cybersecurity rule proposal (see footnote 1).
Regardless of whether investment advisors are ultimately exempt from this rule proposal, in light of the SEC’s focus on cybersecurity and its February 9, 2022 rule proposal, investment advisors should consider examining their cybersecurity policies and procedures for risks associated with their operations and business practices through an effective risk assessment that includes user security and access, information protection, threat and vulnerability management, and cybersecurity incident response and recovery.
The public comment period will remain open for 60 days following publication of the proposing release on the SEC’s website or 30 days following publication of the proposing release in the Federal Register, whichever period is longer.
1. On February 9, 2022, the U.S. Securities and Exchange Commission requested comments on a cybersecurity risk management rule proposal that would amend the Investment Advisers Act of 1940 (“Advisers Act”) and the Investment Company Act of 1940 (“Investment Company Act”) in the areas of cyber risk governance and disclosure. (https://www.foreside.com/blog/sec-proposes-rules-to-enhance-cybersecurity-programst/)