On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) adopted long-anticipated disclosure rules for public companies by a 3-2 party-line vote. The final rules apply both to U.S. domestic public companies, as well as any offshore company that qualifies as a “foreign private issuer” under SEC rules due to a strong nexus to the U.S. capital markets. The new rules are effective as soon as December 18, 2023, as detailed further below.
Like the proposed version of the rules, the final rules will require current reporting on Form 8-K (or Form 6-K for foreign private issuers) about the occurrence of material cybersecurity events, as well as an annual disclosure on Form 10-K (or Form 20-F for foreign private issuers) about corporate risk management, strategy and governance of cybersecurity. Unlike the proposed rules, the final rules do not contain a quarterly disclosure requirement under Form 10-Q (though periodic amendments of Form 8-K may be required), and the final rules contain no requirement to identify a board cybersecurity expert. The Form 8-K and Form 10-K reporting requirements were also modified from the proposed rules to take into account public comment on the proposal. The new rules explicitly except Canadian issuers who file Form 40-F and other SEC reports under the U.S.-Canada multijurisdictional disclosure system, and such Canadian issuers should continue to make cybersecurity disclosures consistent with Canadian requirements.
According to the SEC, the new rules are intended to help investors better understand public companies’ cybersecurity risk environment. The SEC has expressed a concern that under the current reporting regime, the cause, scope, impact and materiality of cyber incidents is subject to uneven disclosure practices across the public company ecosystem.
Form 8-K and Form 6-K Reporting
Under the final rules, new Item 1.05 of Form 8-K will require disclosure of material cybersecurity incidents within four business days of the company’s materiality determination. In response to commenters’ concerns about the scope and timing of disclosure, the final rules make some modifications to the proposed version of the rules. Under final Item 1.05, if a public company experiences a “cybersecurity incident” that the company determines to be material, it must describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the company, including its financial condition and results of operations. For these purposes, a “cybersecurity incident” is defined as under Item 106(a) of Regulation S-K, discussed further below. The untimely filing of an Item 1.05 Form 8-K will not result in the loss of Form S-3 eligibility for issuers conducting short-form securities offerings.
New Item 1.05 includes several explanatory instructions. First, a company’s materiality determination regarding a cybersecurity incident must be made without unreasonable delay after discovery of the incident, which is intended to provide a limited amount of leeway to companies to avoid premature disclosure. Second, to the extent that the information called for in Item 1.05(a) is not determined or is unavailable at the time of the required filing, the company must include a statement to this effect in the filing and then must file an amendment to its Form 8-K filing under Item 1.05 containing such information within four business days after the company, without unreasonable delay, determines such information or within four business days after such information becomes available. This new requirement is intended to take the place of the quarterly Form 10-Q reporting requirement featured in the proposed version of the rules, and may necessitate multiple amendments over time to the original Form 8-K filing. Further, a company need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede its response or remediation of the incident.
The SEC’s adopting release further explains that Item 1.05’s inclusion of “financial condition and results of operations” is not exclusive, and companies should consider qualitative factors alongside quantitative factors in assessing the material impact of an incident. As an example, according to the SEC, “harm to a company’s reputation, customer or vendor relationships, or competitiveness may be examples of a material impact on the company.” Likewise, the “possibility of litigation or regulatory investigations or actions, including regulatory actions by state and Federal governmental authorities and non-U.S. authorities, may constitute a reasonably likely material impact.” The final rules include no exemption for providing disclosures regarding cybersecurity incidents on third-party systems, nor do the final rules include any safe harbor for information disclosed about third-party systems. Notably, the SEC did not adopt the proposed requirement for disclosure regarding the incident’s remediation status, whether it is ongoing, and whether data were compromised.
In response to concerns from commenters, the final rules include a narrow law enforcement exemption. Specifically, disclosure on Form 8-K may be delayed for 30 days if the U.S. Attorney General provides written notification to the SEC that national security or public safety would be impaired substantially by immediate disclosure. The rules also lay out procedures by which the Attorney General may extend the delay for additional periods of time. Under questioning from SEC Commissioner Hester Peirce at the open meeting, the SEC staff revealed that the SEC and Department of Justice (“DOJ”) have developed an interagency communication process to facilitate this exemption, and DOJ will notify affected public companies directly if they are subject to the delay. The SEC’s adopting release also discusses this protocol. It remains to be seen how this exemption will work in practice, and whether affected companies will have sufficient time during the four-business day window to avail themselves of the delay. The final rules further provide a limited reporting delay for telecommunications carriers subject to the cybersecurity reporting requirements of 47 CFR 64.2011.
For foreign private issuers, Form 6-K is amended to add material “cybersecurity incident” to the list in General Instruction B of information required to be furnished on Form 6-K. In practice, this requirement will obligate foreign private issuers to report on material cybersecurity incidents they make or are required to disclose in a foreign jurisdiction to any stock exchange or to securityholders.
Form 10-K and Form 20-F Reporting
The final rules create a new Item 106 to Regulation S-K concerning cybersecurity risk management, strategy and governance. Each of the components in Item 106 must be disclosed annually in a domestic public company’s Form 10-K. The final rules also create an analogous annual reporting requirement for foreign private issuers filing Form 20-F. To avoid repetition, we summarize the Form 10-K requirements below, which apply mutatis mutandis to Form 20-F.
Defined Terms. Item 106(a) creates several new definitions, which for the most part are unchanged from the proposed versions:
“Cybersecurity incident” means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.
“Cybersecurity threat” means any potential unauthorized occurrence on or conducted through a registrant’s information systems that may result in adverse effects on the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.
“Information systems” means electronic information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant’s information to maintain or support the registrant’s operations.
An element of the proposed rules that would have required companies to aggregate individually immaterial events for purposes of determining whether a cybersecurity incident has occurred has been eliminated in the final rules in favor of the final definition’s use of the term “series of unrelated unauthorized occurrences.” Still, the adopting release emphasizes that the term “cybersecurity incident” in the final rules is to be “construed broadly.”
Risk Management. Item 106(b) of Regulation S-K requires a public company to describe the processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. In providing such disclosure, a registrant should address, as applicable, the following non-exclusive list of disclosure items:
- Whether and how any such processes have been integrated into the company’s overall risk management system or processes;
- Whether the company engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
- Whether the company has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.
Item 106(b) also requires a public company to disclose whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to material affect the company including its business strategy, results of operations, or financial condition and if so, how.
Governance. Item 106(c) requires a public company to describe the board of directors’ oversight of risks from cybersecurity threats. If applicable, the company should identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describe the processes by which the board or such committee is informed about such risk. Item 106(c) further requires a public company to escribe management’s role in assessing and managing the company’s material risks from cybersecurity threats. In providing such disclosure, a company should address, as applicable, the following non-exclusive list of disclosure items:
- Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
- The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents; and
- Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.
An instruction to Item 106(c) notes that in the case of a foreign private issuer with a two-tier board of directors, the term “board of directors” means the supervisory or non-management board. In the case of a foreign private issuer meeting the requirements of 17 CFR 240.10A-3(c)(3), the term “board of directors” means the issuer’s board of auditors (or similar body) or statutory auditors, as applicable. A second instruction to Item 106(c) notes that expertise of management in may include, for example, prior work experience in cybersecurity; any relevant degrees or certifications; and any knowledge, skills, or other background in cybersecurity.
In a departure from the proposed rules, the SEC is not requiring public companies to identify a board cybersecurity expert.
The Form 8-K and 6-K reporting requirement will take effect for cyber incidents occurring on or after December 18, 2023, though smaller reporting companies will have a delay until June 15, 2024. These dates may slip further if there is any undue delay in publishing the final rules in the Federal Register. The annual reporting requirement on Form 10-K or 20-F will take effect for fiscal years ending on or after December 15, 2023. Thus, annual reports published in 2024 will generally require the inclusion of the new Item 106 disclosure.
Updates to Policies and Procedures
Implicit in the new rules is the notion that information technology and information security professionals within a covered public company must have a greater role in SEC disclosure decisions. The SEC has already brought several enforcement actions against public companies for inadequate disclosure or inadequate disclosure controls and procedures involving cyber incidents, largely stemming from a breakdown in communication between IT/IS personnel and financial reporting personnel, such that key details or impacts of a cyber incident were incorrectly reported to investors. As public companies begin to prepare for the effectiveness of the new rules, they should also consider whether cyber incident response plans, disclosure committee charters, and other disclosure controls and procedures will require modification to ensure accurate reporting of material cyber events.