On July 26, 2023, the Securities and Exchange Commission adopted new rules and amendments that enhance and standardize cybersecurity disclosure requirements for registrants and foreign private issuers. As previously illustrated in our June 2022 and March 2022 blog posts, the new rules require companies to disclose and describe material cybersecurity incidents and their impacts, in addition to annual disclosure of information about their cybersecurity governance, strategy, and risk management processes.
Incident Reporting. The Commission’s new rules require all U.S. domestic reporting companies to disclose material cybersecurity incidents on the new item 1.05 of Form 8-K, generally within four business days of the company’s determination that they experienced such an incident. Consistent with the standing definition of materiality within the securities regime, the rules explain that a “material” incident is one in which “there is a substantial likelihood that a reasonable shareholder would consider it important.”
Amending its March 2022 Proposal, the Commission will require registrants to disclose a narrower set of details on cybersecurity incidents, including:
- Material aspects of the nature, scope, and timing of the incident; and
- Material impact (or reasonably likely material impact) of the incident on the registrant, including its financial condition and results of operations.
However, per the final rule, disclosures regarding an incident’s remediation status will not be required. Moreover, contrary to the proposed rule, companies will not be required to assess or report events that are material in the aggregate, which was a particularly challenging concept to interpret in the proposed rule.
Importantly, the rules require that materiality decisions be made “without unreasonable delay,” a change from the initial proposal’s requirement that a determination be made “as soon as reasonably practicable after discovery of the incident.” The SEC intended this change to recognize that companies must have sufficient information on which to base the decision and acknowledged concerns that the prior formulation would result in hasty materiality assessments.
Unlike the proposed rule, the final rules provide for a delay of disclosure for up to thirty days if the “Attorney General determines that the incident disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.” While the Attorney General would likely delegate this authority, acting within such a time frame is still a particularly burdensome requirement for the Department, and it remains to be seen what the practical effect of this authorized delay will be.
Risk Management, Strategy, and Governance Disclosures. In addition to incident reporting requirements, through Item 106, the new rules add further disclosure requirements to Form 10-K for domestic registrants. Registrants must furnish information on their approach to risk management, strategy, and governance concerning material cybersecurity threats on an annual basis. Registrants will be required to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats. Registrants must also disclose their board of directors’ oversight of and management’s role and expertise in assessing and managing risks from cybersecurity threats.
The final rules will also require disclosure of whether a registrant makes use of assessors, consultants, auditors, or other third parties in connection with their cybersecurity so that investors are aware of a registrant’s level of in-house versus outsourced cybersecurity capacity. However, registrants will not be required to name or describe the services provided by third parties, though registrants may choose to furnish this information.
Foreign Private Issuers. In place of the reporting requirements contained in the updates to Forms 8-K and 10-K for domestic companies, foreign private issuers are required to submit comparable disclosures on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance. However, the final rule clarifies that incident disclosures on Form 6-K must be made by FPIs only when both (1) the standard requirements for 6-K reporting are met (namely, information that the FPI must make public under the laws of its home jurisdiction, that it must file with any stock exchange, or that it otherwise distributes to security holders) and (2) the incident is deemed material.
Compliance Timeline. The final rules will become effective 30 days after the SEC’s adopting release is published in the Federal Register, which will likely occur in September. In the meantime, public companies should consider their risk management practices, with a focus on certain priorities reflected in the new rules, including:
- Reviewing disclosure control policies and procedures for identifying and escalating incidents;
- Performing periodic reviews of the corporate cyber posture and resourcing;
- Strengthening governance and oversight of mission-critical cybersecurity risks;
- Auditing policy framework and implementation practices; and
- Seeking vulnerability assessment and penetration testing to enable necessary remedial efforts.
With special thanks to summer associate, Ian Allen.