SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
In Short
The Situation: On July 26, 2023, the U.S. Securities and Exchange Commission ("SEC") adopted final rules that significantly alter cybersecurity disclosure obligations for companies. The SEC's final rules adopt elements of the previously proposed amendments, which were discussed in our March 2022 Alert, but include several significant modifications.
The Result: The final rules require domestic companies to disclose on Form 8-K material aspects of the nature, scope, and timing of material cybersecurity incidents within four business days of determining that a cybersecurity incident is material, with similar requirements for foreign private issuers. The final rules also require companies to disclose, on an annual basis on Form 10-K or Form 20-F, material information regarding cybersecurity risk management, strategy, and governance.
Looking Ahead: The final rules will become effective 30 days following publication of the adopting release in the Federal Register. The Form 8-K or Form 6-K disclosure obligations will commence on the later of 90 days after the date of publication in the Federal Register and December 18, 2023. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure. The Form 10-K disclosures will be required beginning with annual reports for fiscal years ending on or after December 15, 2023.
On July 26, 2023, the SEC adopted rules that significantly alter a company's cybersecurity disclosure obligations. The final rules are intended to compel cybersecurity disclosures that are presented in a more consistent, comparable, and decision-useful way and that would allow investors to evaluate a company's exposure to material cybersecurity risks and incidents as well as its ability to manage and mitigate those risks. The rules also require foreign private issuers to make comparable disclosures, depending on home country requirements.
Existing Regulatory Framework Regarding Cybersecurity Disclosure
As discussed in our March 2022 Alert, there are currently no disclosure requirements in Regulation S-K or Regulation S-X that explicitly refer to cybersecurity risks or incidents. Over the past decade, the SEC and its staff have issued interpretive guidance concerning the application of existing disclosure and other requirements under the federal securities laws relating to cybersecurity risks and incidents.
Disclosure of Material Cybersecurity Incidents
The final rules amend Form 8-K to add Item 1.05, which will require public companies to disclose any cybersecurity incident that they determine to be material within four business days of making that determination, even if the incident is ongoing. Companies are required to determine the materiality of a cybersecurity incident without unreasonable delay following discovery of the incident. Companies should consider both qualitative and quantitative factors in assessing the material impact of an incident. To the extent cybersecurity incidents occurring on a third party's systems are material to the company, disclosure of such an incident is required under Item 1.05, but the company is only required to disclose based on the information available to it through its regular channels of communication with the third party.
As part of the Item 1.05 disclosure, a company is required to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact, or reasonably likely material impact, on the company, including the company's financial condition and results of operations. Examples of potential material impacts include harm to a company's reputation, customer or vendor relationships, or competitiveness, and the risks of future litigation or government investigations or regulatory action. The SEC also expects the disclosure to explain what led management to conclude the incident is material. To the extent that information required under Item 1.05 is undetermined or unavailable when the initial Form 8-K is filed, an amendment to the Form 8-K is required to be filed within four business days of such information becoming available.
Companies required to furnish reports on Form 8-K may delay disclosure only if: (i) the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing; or (ii) the company is subject to 47 CFR 64.2011 (the U.S. Federal Communications Commission's notification rule for breaches of customer proprietary network information) and is required to delay disclosing a data breach pursuant to such rule.
Item 1.05 will be added to the list of Form 8-K items in General Instruction I.A.3.(b) on Form S-3, so the untimely filing of an Item 1.05 Form 8-K will not result in the loss of Form S-3 eligibility.
Annual Cybersecurity Risk Management Strategy and Governance Reporting
The final rules add a new Item 106 to Regulation S-K and amend Form 10-K to require disclosure of the following information related to a public company's cybersecurity risk management strategy and governance on an annual basis:
- The company's processes for assessing, identifying, and managing material risks from cybersecurity threats, in sufficient detail to permit a reasonable investor to understand those processes, including: (i) whether and how such processes have been integrated in the overall risk management system or process; (ii) whether the company has engaged third-party providers in connection with such processes; and (iii) whether there are processes to oversee and identify risks from cybersecurity threats associated with the use of third-party service providers (i.e., third-party cybersecurity risk management processes);
- Whether any risks from past or ongoing cybersecurity threats have materially affected or are reasonably likely to materially affect the company, and if so, how;
- The board of directors' oversight of risks from cybersecurity threats, and, if applicable, the committee or subcommittee responsible for such oversight and the process by which the board of directors, committee or subcommittee is informed about such risks; and
- Management's role in assessing and managing material risks from cybersecurity threats, including: (i) whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons; (ii) the process by which such persons or committees are informed about and monitor cybersecurity incidents; and (iii) whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee thereof.
The final rules do not require separate disclosure of board-level cybersecurity expertise, which was included in the March 2022 proposed rules, but a company still may do so if board-level cyber expertise is a necessary component of the company's cyber risk management.
Foreign Private Issuers
The final rules include amendments to Form 20-F that require foreign private issuers to provide cybersecurity disclosure consistent with that required of domestic issuers. The final rules also amend Form 6-K to require foreign private issuers to promptly furnish information regarding material cybersecurity incidents consistent with the disclosure required for domestic issuers, but only to the extent the foreign private issuer discloses or otherwise publicizes such information in a foreign jurisdiction, to any stock exchange, or to security holders.
The full release detailing the new rules can be found on the SEC's website.
Four Key Takeaways
- Item 1.05 to Form 8-K requires disclosure of cybersecurity incidents within four business days of determining they are material, with limited exceptions permitting delay of such disclosure.
- The addition of Item 106 of Regulation S-K significantly increases the breadth of the required periodic disclosure of cybersecurity risk management strategy and governance, commencing with annual reports for fiscal years ending on or after December 15, 2023.
- Companies should review and update their internal cybersecurity governance and risk management approach, including policies and procedures, IT strategies and risk tolerance, and risk management practices, taking into account increased public disclosure and scrutiny.
- Companies should review their disclosure controls and procedures to ensure that they timely capture complete and accurate information about cybersecurity incidents and convey that information to those responsible for public reporting. This includes breaking down information silos that prevent information from timely reaching those responsible for public reporting, which has been an issue in recent SEC enforcement cases.