Our Securities, Securities Litigation, and Privacy, Cyber & Data Strategy teams highlight the key aspects of the Securities and Exchange Commission’s final changes to its cybersecurity reporting rules for public companies subject to the Securities Exchange Act.
- Public companies will generally have just four business days to disclose a material cybersecurity event under the SEC’s final rules
- Public companies will also have to increase their disclosure regarding board oversight and management involvement in cybersecurity
- Companies should update their cybersecurity policies now, including how to determine the materiality of an incident
On July 26, 2023, the Securities and Exchange Commission (SEC) approved the new cybersecurity disclosure rules for public companies with significant modifications from the draft rules proposed in March 2022. For a more extensive discussion of the proposed cybersecurity disclosure rules, see our previous advisory, “SEC Proposes Sweeping New Cybersecurity Disclosure Rules for Public Companies.”
Among the more controversial measures adopted with some revisions from the proposed rule is that the SEC will require disclosure of a material cybersecurity event on Form 8-K within four days of such materiality determination, which must be made “without unreasonable delay,” although it provides a limited exception for delay if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.
New Disclosure Requirements Highlights
The table below summarizes the new disclosure requirements.
The untimely filing of an Item 1.05 Form 8-K will not result in loss of Form S-3 eligibility.
Amendments to the Original Form 8-K
The new rules require an amendment to the original Form 8-K to disclose required information not available at the time of filing the original Form 8-K. This amendment should be filed within four business days of the company discovering the information or the information becoming available, without delay.
Additionally, issuers should file an amendment to the Form 8-K to correct previously disclosed information that is later determined to be incorrect or misleading.
The amendment requirement essentially transforms the Form 8-K to the cybersecurity incident disclosure form – but companies will still need to give repetitive disclosure for loss contingencies in footnotes to the financial statements.
The Limited Attorney General Exception
Companies can delay the filing of the Form 8-K for up to 30 days, with the potential of a 60-day extension, if the U.S. Attorney General determines that a disclosure within the four-business-day timeline would pose a “substantial risk” to public safety or national security. Companies would have to request this extension from the U.S. Attorney General.
What Was Not Adopted
Notably, and in a departure from the proposed rule, companies are not required to disclose the material cybersecurity incident’s remediation status or technical information about its response to the material cybersecurity incident in the Form 8-K filing. The final rule does not include a requirement for Regulation S-K to specifically disclose the cybersecurity expertise of each board member in its annual reports and generally requires less granular or specific disclosure of a company’s cyber-risk management program than was initially proposed. See the table below for a more granular comparison of the proposed and final rules.
Overlapping Governmental Disclosure Requirements
The SEC acknowledged the extensive comments generated by the proposed rules and that public companies already may be subject to many other, potentially overlapping or competing, cybersecurity reporting requirements. It nonetheless dismissed these concerns as secondary to the primacy of investor disclosure needs, specifically distinguishing the purpose of SEC public company disclosures from other federal agency rules, including forthcoming Cybersecurity and Infrastructure Security Agency rulemaking pursuant to the federal Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The final rule release acknowledges the potential for future modifications to SEC rules to harmonize them with CIRCIA and, presumably, the National Cybersecurity Strategy.
When the New Rules Will Be Effective
The final rules are effective 30 days after publication of the rule in the Federal Register (which can take anywhere from three business days to a week or longer).
The new incident reporting via Form 8-K or 6-K is scheduled to take effect the later of 90 days from publication in the Federal Register or December 18, 2023. The updated disclosure requirements will apply to annual reports on Forms 10-K and 20-F for fiscal years ending on or after December 15, 2023.
Smaller reporting companies have 270 days after the publication of the final rule in the Federal Register or until June 15, 2024, whichever is later, to comply.
What to Do Now
To prepare for these fourth quarter 2023 compliance dates, companies should review and update their cybersecurity policies and procedures and incident management protocols. Issuers should also consider enhanced incident response training to raise awareness of the disclosure timelines. Additionally, companies should discuss how they plan to determine the materiality of a cybersecurity incident.
Assessing Materiality Following a Cybersecurity Incident
The final rule only requires disclosure of cybersecurity incidents that are “material” under the federal securities laws, i.e., where there exists a “‘substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision, or if it would have ‘significantly altered the “total mix” of information made available.’” This materiality standard remains unchanged. However, the final rule now requires that the determination must occur without “unreasonable delay” (which is a slight softening from the proposed rule’s “as soon as reasonably practicable” timeframe).
The SEC has previously noted that materiality assessments should consider both qualitative and quantitative factors and that this assessment should be holistic and not mechanical. The SEC, however, has otherwise declined to provide further guidance on the threshold for “materiality” in the context of cybersecurity incidents, despite numerous comments requesting such direction.
The few public SEC investigations or enforcement actions related to cybersecurity disclosures to date, however, provide some direction and collectively show that the SEC may consider a variety of factors when assessing the materiality of a cybersecurity incident in hindsight, including the volume and sensitivity of the data impacted, how the threat actor entered the system, whether data was exfiltrated or just accessed, and how long the threat actor was in the system.[1] If there are business or operational disruptions caused by a cybersecurity incident, the materiality analysis might include various additional factors, such as which systems were disrupted, and in particular, whether the company’s financial systems were impacted; the length of time that systems were interrupted; whether any backup systems exist or could be implemented; and potential loss of revenue or other financial impact caused by the disruption.
Additional public SEC enforcement actions involving cybersecurity disclosures will continue to provide further guidance on the factors that companies should consider as they assess the materiality of a cybersecurity incident.
Disclosure of a Company’s Cybersecurity Risk Management, Strategy, and Governance
Under the adopted rule amendments, companies must describe their “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes” in their Form 10-K / 20-F filings. Importantly, “cybersecurity threat” is defined as any potential unauthorized occurrence on or conducted through a company’s information systems that may result in adverse effects on the confidentiality, integrity, or availability of a company’s information systems or any information residing in them. This may incentivize all companies providing information systems as a service to strengthen their know-your-customer policies.
Additionally, companies must discuss how their cybersecurity processes have been integrated into overall risk management processes, whether the company engages third parties in connection with its cybersecurity risk management processes, and if so, whether the company has a risk management process associated with its third-party service providers.
Companies will be required to disclose their processes for assessing, identifying, and managing material cybersecurity threats, and the material impacts of those threats in their Form 10-K.
Additionally, companies will be required to describe the board’s oversight of risks from cybersecurity threats, identify the board committees responsible for overseeing cybersecurity risks, and describe the processes by which the board is informed of cybersecurity risks.
The SEC clarified that this list of disclosures is not exhaustive, and companies should disclose the information necessary for a reasonable investor to understand their cybersecurity processes. In addition to the mandatory disclosures on cybersecurity risk management, the new rules also direct companies to consider disclosing additional information about management’s role in overseeing and managing cybersecurity risks, including which members of management and which committees are responsible for managing the company’s material cybersecurity risks and their relevant expertise, the process by which responsible people and committees are informed about cybersecurity incidents, and whether the responsible people and committees report cybersecurity risk information to the board.
Foreign Private Issuer Cybersecurity Requirements (Forms 6-K and 20-F)
Foreign private issuers (FPIs) are required to comply with the newly adopted cybersecurity disclosures as well. On Form 6-K, FPIs are required to promptly make the same disclosures required under Item 1.05 of Form 8-K, including the requirement to amend the form with updates as they are discovered or become available. Similarly, FPIs are required to make the same cybersecurity disclosures as other companies in their Form 20-F.
Structured Data Requirements
Companies are required to tag the disclosures in Inline XBRL with a staggered compliance date of one year. Smaller reporting companies have 270 days after the publication of the final rule in the Federal Register or until June 15, 2024, whichever is later, to comply.
Comparison Between the Final Rule and Proposed Rule
The table below compares the main provisions of the proposed rule to the final adopted rule.
[1] See, e.g., “SEC Charges Software Company Blackbaud Inc. for Misleading Disclosures About Ransomware Attack That Impacted Charitable Donors”; “SEC Charges Pearson plc for Misleading Investors About Cyber Breach.”