[co-author: Tanvi Chopra]
On July 26, 2023, the Securities Exchange Commission (SEC) adopted a final rule intended to augment and standardize disclosures regarding cybersecurity risk management, governance, and incident reporting. The new rule imposes additional disclosure requirements for U.S. reporting issuers and foreign private issuers, including all companies with stock traded on U.S. exchanges (public companies). This post focuses on three of the key actions public companies must take under the new rule:
- Incidents – Disclose material cybersecurity incidents on Form 8-K within four business days of determining the incident is material, and disclose any material updates on an ongoing basis.
- Risk management – Disclose the processes for assessing, identifying, and managing material risks from cybersecurity threats in an annual report on Form 10-K.
- Governance – Disclose the board of directors’ oversight and management’s role in assessing and managing material cybersecurity risk in an annual report on Form 10-K.
- The SEC adopted analogous disclosure requirements for foreign private issuers to be disclosed on Forms 6-K and 20-F.
The final rule is effective on September 5, 2023. However, the rule provides different compliance timelines for the requirements related to cyber incident disclosures and annual reports:
- All reporting issuers will be required to include the new disclosures in upcoming annual reports for the fiscal year ending on or after December 15, 2023.
- Compliance with cyber incident reporting rules is required commencing on December 18, 2023.
- Smaller reporting companies are given an additional 180 days, until June 15, 2024, to comply with the incident reporting requirements.
1. Disclosure of Material Cybersecurity Incidents
The SEC’s rule establishes a new Item 1.05 to Form 8-K (or 6-K for foreign private issuers) that would require a public company to disclose material cyber incidents that occur on companies’ IT systems. While public companies were required to disclose material cybersecurity incidents under previous rules, the new rule imposes specific timing and format details for disclosure.
Takeaway on cyber incident disclosure: Public companies should ensure internal processes are in place to determine whether cybersecurity incidents are material and to report required details about the incident. This includes the initial incident disclosure, as well as any material updates. Because of the required timeline for disclosure, companies should be prepared to perform these assessments and disclosures even if the cybersecurity incident is ongoing. Public companies’ security, legal, and corporate communication teams should collaborate to adjust cyber incident response plans and financial reporting processes to accommodate these obligations.
a) Timing of cyber incident disclosures
The final rule requires public companies to disclose material cybersecurity incidents on new Item 1.05 of Form 8-K within four business days of determining that the incident is material or will result in material changes for investors. If a public company discloses a cyber incident, the final rule also requires that companies provide updates to that disclosure in an amended Form 8-K without unreasonable delay, or within four business days after the information becomes available. An untimely filing of an Item 1.05 disclosure will not result in a loss of Form S-3 eligibility.
Under the rule, companies must determine whether a cybersecurity incident is material without unreasonable delay. Information is material if “there is a substantial likelihood that a reasonable person would consider it important” in making an investment decision. The SEC states that companies should consider both quantitative and qualitative factors such as financial costs, loss of intellectual property, “harm to a company’s reputation, customer or vendor relationships, or competitiveness, [and] the possibility of litigation or regulatory investigations or actions.”
In contrast to other cyber incident reporting regulations, nearly all of which keep incident reports confidential, Form 8-K filings become publicly available through the SEC’s EDGAR system. This may put companies in the position of publicly disclosing significant cyber incidents before the incident has been contained or mitigated, which may complicate companies’ recovery efforts and coordination with other federal agencies.
Additionally, the SEC rule enables companies to delay disclosure for up to 30 days if the U.S. Attorney General notifies the SEC that disclosure of the incident would pose a substantial risk to national security or public safety. In “extraordinary circumstances,” disclosure may be delayed for up to 60 days. However, these exceptions are likely to be exercised only in rare cases.
b) Format of cyber incident disclosures
The precise content of the disclosures may vary from one incident to another. SEC’s rule requires disclosures of cybersecurity incidents to focus on the material impact of the incident, rather than details of the incident itself. Specifically, Item 1.05 of Form 8-K will require public companies to disclose “the material aspects of the nature, scope, and timing of the incident, as well as the material impact or likely material impact of the incident on the registrant, including its financial condition and results on operations.”
The SEC’s rule also clarifies that companies are not required to disclose technical information in such detail that it interferes with the companies’ incident response processes. This includes specific information about the response plan, defensive measures, related systems, or potential vulnerabilities. However, as with other disclosures, cybersecurity disclosures are subject to Exchange Act Section 18 liability for material misstatements or omissions.
After the initial disclosure, if additional information surfaces that should have been disclosed in the initial disclosure, public companies must file an amended Form 8-K. Companies do not need to provide an update for all information; only information that would have been required in the initial disclosure under Item 1.05(a) must be provided.
2. Cybersecurity Risk Management and Strategy Disclosures
The final rule adds Item 106(b) to Regulation S-K, requiring disclosure of public companies’ cybersecurity risk management processes in annual reports. This includes describing processes by “assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.” The rule provides the following non-exhaustive list of potential disclosure items:
- Whether and how the described processes have been integrated into the company’s overall risk management system;
- The extent to which the company engages consultants, auditors, or other third-party service providers in connection with cybersecurity risk management processes;
- Whether the company has processes to oversee material cybersecurity risks associated with its use of third-party service providers;
- Any risks from cybersecurity threats or previous incidents that have materially affected the company, or are reasonably likely to materially affect the company, including through business strategy, operations, or financial condition; and
- Any other material information.
The SEC’s rule also provides guidance on the types of risks public companies may consider in this context. This includes the risk of disruption to business operations, theft of intellectual property, harm to employees or customers, reputational risk, litigation and legal risks, among other risks.
Takeaway on cyber risk management disclosures: Many companies have an internal cybersecurity risk management program, including risk assessment processes. Legal, security, and corporate communications teams should consider collaborating on a template description of these programs for annual investor disclosures. Companies will want to consider how to ensure the disclosures are accurate and compliant while using language that is appropriate for current and potential investors. The description should be revisited and updated as material changes occur to the organizational risk management system or the cyber threat landscape.
3. Cybersecurity Governance Disclosures
The final rule also added two provisions under Item 106(c) of Regulation S-K, requiring public companies to disclose information related to cybersecurity governance annual reports. This includes separate descriptions of the roles of the board and management in overseeing cybersecurity risk.
Under the rule, public companies’ annual reports must describe the board’s oversight of risks from cybersecurity threats. The report must also identify the board committee (if any) that is responsible for overseeing cybersecurity risks and describe how the board or committee is informed about the risks.
In addition, the final rule requires public companies’ annual reports to describe management’s role in assessing and managing material cybersecurity risks, as well as the relevant expertise of management. The rule notes that companies should consider disclosing the following non-exhaustive list:
- Whether and which management positions or committees assess and manage material cybersecurity risks, and a full description of the nature of their relevant expertise;
- The processes by which such persons or committees are informed about and monitor the prevention, detection, and mitigation of cybersecurity incidents; and
- Whether such persons or committees report information about material cybersecurity risks to the board of directors.
Takeaway on cyber risk management disclosures: Public companies should consider reviewing their cybersecurity staffing structure to ensure senior management and the board are apprised of cybersecurity incidents and risk management efforts. Companies should examine how cybersecurity risk management is allocated at the board level and ensure board committees have sufficient authority regarding these responsibilities. A company might consider the creation of a subcommittee dedicated to cybersecurity, particularly if the company’s audit committee needs additional resources to effectively oversee these issues. Finally, companies should consider developing normative descriptions of these governance processes for annual reporting and prepare to update the descriptions as needed.
Act Quickly to Adapt to the SEC Cybersecurity Rules
While the key disclosure requirements do not take effect until late 2023, public companies should prepare now for the transparency required by the rule. Overall, the final rules should prompt public companies to review their investments in cyber risk management, governance, and oversight. Effective cybersecurity risk management depends on employees from different departments collaborating across the business. Companies should ensure that security, legal, and communications teams are a part of the process early on to collaborate on the most effective process for meeting the SEC’s required disclosures.
We recommend that public companies promptly review and, if necessary, amend their disclosure procedures on cybersecurity to ensure reports are made in a timely manner to the correct personnel. This may include reviewing incident response plans to ensure team members are looped in at the appropriate stage to properly analyze incidents for materiality. Because the Form 8-K incident disclosures required by the final rule become public information, incident response teams should be prepared for the possibility that disclosure of an unmitigated incident may inadvertently expose the company to additional intrusion attempts, and should ensure adequate defenses are in place to respond.
Companies may also want to consider developing a regulatory notification chart to keep track of the different incident reporting obligations. Many companies are subject to several cybersecurity incident regulations across the world with varying notification timelines, and developing a chart can help ensure that disclosures are appropriately made in a timely manner during the scramble of responding to a cyber incident.
These considerations are intended to highlight some key steps that companies can take now to prepare for the SEC’s final rules. They are not intended to be an exhaustive list, and each public company must assess the processes and procedures that may be necessary and appropriate within the context of its operations, business, and regulatory environment.
The authors would like to thank Kirill Nikonov, an Associate with the Capital Markets and Securities group in Venable’s New York office, for his assistance and review.