(844) 627-8267 | Info@NationalCyberSecurity

SEC Finalizes Long-Awaited Public Company Cybersecurity Disclosure Rules


TAKEAWAYS

  • The SEC’s Final Rules require public companies to report a
    material cybersecurity incident within four business days of
    determining such incident to be material, subject only to
    exceptions on national security and public safety grounds.

  • While the rules allow for delays in notification when there is
    a national security issue, it is unclear whether companies will be
    able to readily rely on that exception.

  • Public companies and foreign private issuers are also required
    to make periodic disclosures about their cybersecurity risk
    management, strategy and governance.

On July 26, 2023, the U.S. Securities and Exchange Commission (SEC)
adopted Final Rules that require public companies (registrants) and
foreign private issuers to disclose material cybersecurity
incidents promptly and to make periodic disclosures of their
cybersecurity risk management, strategy and governance in annual
reports. As we previously noted, the Final Rules add
powerful arrows to the quivers of SEC Chair Gary Gensler and the
SEC's Enforcement Division for regulating cybersecurity as part of
the SEC's mission of maintaining orderly markets. With their
adoption, the Final Rules further bolster the SEC's attempts to
serve as the "cyber cop" on the Wall Street beat.

The Final Rules will take effect 30 days after the SEC's
adopting release is published in the Federal Register. All
registrants must comply with the new requirement to provide annual
disclosures beginning with annual reports for fiscal years
ending on or after December 15, 2023. Additionally, all registrants
(other than smaller reporting companies) must begin disclosing
material cybersecurity incidents on Form 8-K or Form 6-K on the
later of 90 days after Federal Register publication or December 18,
2023. Smaller reporting companies get an additional 180 days and
must comply with the incident disclosure requirement beginning June
15, 2024.

The Final Rules in a Nutshell

The Final Rules (accessible here and summarized in the
SEC’s accompanying fact sheet) largely track the
proposed rules that the SEC had put forward in March 2022, but contain
important changes in response to comments that the SEC has
received. Many commentators will view these changes as surprising,
as market participants generally believed that Chair Gensler would
be reluctant to alter the SEC’s original substantive proposal.
In general terms, the Final Rules require registrants to:

  • Disclose in Item 1.05 on Form 8-K “any cybersecurity
    incident they determine to be material” and to “describe
    the material aspects of the nature, scope, and timing of the
    incident, as well as the material impact or reasonably likely
    material impact of the incident on the registrant, including its
    financial condition and results of operations.”

  • Determine the “materiality of an incident without
    unreasonable delay following discovery and, if the incident is
    determined [to be] material, file an Item 1.05 Form 8-K
    generally within four business days of such
    determination.” (Emphasis added.)

  • Describe, under Regulation S-K Item 106, the processes by which
    registrants assess, identify and manage material risks from
    cybersecurity threats, as well as “whether any risks from
    cybersecurity threats, including as a result of any previous
    cybersecurity incidents, have materially affected or are reasonably
    likely to materially affect the registrant.”

  • Describe, under Regulation S-K Item 106, the “board of
    directors’ oversight of risks from cybersecurity threats and
    management’s role and expertise in assessing and managing
    material risks from cybersecurity threats.”

If the U.S. Attorney General determines that “immediate
disclosure” of a cybersecurity incident would “pose a
substantial risk to national security or public safety,”
however, disclosure may be delayed. The Final Rules contemplate
successive delay periods lasting 30 or 60 days, depending on
whether circumstances pose a continued substantial risk to national
security or public safety. Additional delays beyond those periods
may be granted only by exemptive order of the SEC if, for example,
malicious actors would benefit by learning that their activities
had been discovered. It is unclear at this time, however, what
criteria the U.S. Attorney General will use when determining
whether a “substantial risk to national security or public
safety” exists, much less whether such risk is sufficient to
request any delay. Accordingly, it is premature to assume that the
national security/public safety exception will be readily
available.

The Final Rules also impact foreign private issuers, who will be
required to provide information on “material cybersecurity
incidents” that they “make or are required to make public
or otherwise disclose in a foreign jurisdiction to any stock
exchange or to security holders” in amended Form 6-K.
Furthermore, under amended Form 20-F, foreign private issuers will
be required to make “periodic disclosure comparable to that
required” in new Item 106.

Notably, the Final Rules do not include, as the SEC had
originally proposed, a requirement that registrants disclose
"the incident's remediation status, whether it is ongoing,
and whether data were compromised."

Preparing for Compliance with the Final Rules

In the coming weeks and months, companies must prepare for the
new disclosure requirements mandated by the Final Rules.
Preparations should include assessing the adequacy of existing
security protocols as well as disclosure controls and procedures
designed to ensure that material cyber matters are elevated within
the company. Companies must be prepared to make prompt disclosures
to investors if they experience a material cybersecurity
incident.

Management should, for example, bring its understanding of cyber
risks up to date, so that determinations about the materiality of a
cybersecurity incident can be made in a timely manner.
Management’s familiarity with cyber risks will not only aid in
the determination of whether a specific incident has a material
impact, but also help to ensure that proper disclosure is made
within the required timeframe of four business days after the
materiality determination. The SEC considers the four-day
disclosure timing to be “workable” because it expects
companies to “have the information required to be
disclosed” under the Final Rules “as part of conducting
[their] materiality determination[s].” Companies should,
therefore, include consideration of the financial impact of a
cybersecurity incident as part of their materiality analyses, so
that information about an incident’s impact on financial
conditions and results of operations is ready when the disclosure
requirement is triggered.

Further practical steps to prepare for compliance with the Final
Rules will be prudent, as we discussed here. Among other things,
companies should streamline their internal reporting processes when
a cybersecurity incident is identified, so that information
gathered about an incident, especially as it is being
investigated, is channeled accurately and efficiently to management.
Although the Final Rules do not separately create or otherwise
affect a registrant’s duty to update its prior disclosures of a
cybersecurity incident, the SEC expects registrants to satisfy
their duties to correct prior disclosure that the registrant
determines was untrue or omitted a material fact necessary to make
the disclosure not misleading at the time it was made, and to
update disclosures that become materially inaccurate after they are
made. Companies should, therefore, revisit their cybersecurity
incident reporting policies to strengthen their ability to refresh
previous disclosure in the light of new information that is
collected during an ongoing investigation.

It is also vital that a company’s board, and any board
committee responsible for cybersecurity and SEC reporting
oversight, is involved in the process to prepare for compliance
with the new rules. The Final Rules require periodic disclosure of
“board of directors’ oversight of risks from cybersecurity
threats,” so it is critical that directors have, as we have
previously noted, an appropriate
understanding of cyber risks. Additionally, giving the chief
information security officer a defined reporting line into the
board's governance structure will further improve the board's
ability to take appropriate action in the light of the Final Rules'
disclosure requirements. For these reasons, we recommend that directors be
alerted to the SEC’s new disclosure requirements, so that
timely disclosure of material incidents can be made on Form 8-K,
and cybersecurity governance and oversight disclosures can be made
in the company’s periodic SEC reporting.

Moreover, as discussed above, companies should not count on
their ability to obtain government permission to delay disclosure
of a cybersecurity incident on national security or public safety
grounds. The SEC’s explanation of its Final Rules emphasizes
that an appropriate balance must be struck between security
concerns and investors’ needs for prompt disclosure. If
disclosure causes significant risks of harm, delay is likely
warranted. Conversely, absent substantial risk to national security
or public safety, companies will be required to make prompt
disclosures.

The SEC’s long-awaited cyber-regulatory overhaul is here.
Now, more than ever, public companies should bring their
cybersecurity policies, procedures and controls into line with the
SEC’s expectations so that registrants satisfy their disclosure
obligations (among other obligations) under the Final Rules.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
