SEC Adopts Final Rules Requiring Current and Annual Cybersecurity Disclosures
Tuesday, August 1, 2023
SEC on the drawing board again

On July 26, 2023, the US Securities and Exchange Commission (SEC) adopted final rules regarding cybersecurity disclosure that should be of interest to every public company. The new rules are intended to “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies.” The SEC’s final cybersecurity rules consist of current disclosure of material cybersecurity incidents under new Item 1.05 of Form 8-K or on Form 6-K and annual disclosure of a registrant’s cybersecurity risk management and strategy and cybersecurity governance in annual reports on Form 10-K or 20-F pursuant to the disclosure requirements of new Item 106 of Regulation S-K. The final rules and highlights from the SEC’s adopting release are summarized with commentary on next steps below. Redlines reflecting the differences between the proposed and final rules applicable to domestic issuers under Item 1.05 of Form 8-K and Item 106 of Regulation S-K appear as Annexes A and B, respectively.

Overview

Current Disclosure of Material Cybersecurity Incidents (Item 1.05 of Form 8-K)

  • Within four business days of determining a cybersecurity incident was material, a registrant must disclose the material aspects of the incident’s nature, scope, and timing, and its material impact or reasonably likely material impact on the registrant, including on its financial condition and results of operations.

  • A registrant may delay filing if the US Attorney General determines immediate disclosure would pose a substantial risk to national security or public safety.

Annual Disclosure of Cybersecurity Risk Management and Strategy (Item 106(b) of Reg. S-K)

  • Registrants must describe their processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats, and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition.

Annual Disclosure of Cybersecurity Governance (Item 106(c) of Reg. S-K)

  • Registrants must describe the board’s oversight of risks from cybersecurity threats and describe management’s role in assessing and managing material risks from cybersecurity threats.

Highlights from SEC’s Adopting Release

Disclosure of Material Cybersecurity Incidents — New Item 1.05 of Form 8-K

  • Incident Disclosure Requirement. If a registrant experiences a cybersecurity incident that it determines is material (which determination should be made “without unreasonable delay” following discovery), new Item 1.05 of Form 8-K will require the registrant to describe the material aspects of the incident’s nature, scope, and timing and its material impact or reasonably likely material impact, including on its financial condition and results of operations. The SEC streamlined Item 1.05 from the proposed rules to focus a registrant’s disclosure primarily on the impacts of a material cybersecurity incident rather than on details regarding the incident itself.

  • Materiality Determination. The materiality determination utilizes the typical securities law definition of materiality, meaning information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision or if it would have significantly altered the total mix of information made available. The SEC noted that the inclusion of “financial condition and results of operations” is not meant to be exclusive, and companies should consider qualitative factors alongside quantitative factors in assessing the material impact of an incident. The SEC gave examples of a material impact or reasonably likely material impact on a company: harm to a company’s reputation, customer or vendor relationships, or competitiveness; possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-US authorities. Notably, the SEC declined to use a quantifiable trigger for Item 1.05, stating some incidents may be material without crossing a financial threshold.

  • Determination “Without Unreasonable Delay.” The SEC explained that requiring the materiality determination “without unreasonable delay” is intended to provide registrants notice that although the determination does not need to be prematurely rushed, it cannot be unreasonably delayed in an effort to avoid timely disclosure. This could result in the need to make disclosure determinations before a company even determines the full extent of an incident. The SEC noted that “adhering to normal internal practices and disclosure controls and procedures will suffice to demonstrate good faith compliance” with this requirement.

  • No Required Disclosure of Incident Remediation and Incident Response. The SEC did not adopt a requirement for disclosure regarding the incident’s remediation status, whether it is ongoing, and whether data were compromised. Similarly, the SEC added an instruction to Item 1.05 to provide that a “registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.”

  • Series of Related Incidents. “Cybersecurity incident” includes “a series of related unauthorized occurrences.” When a registrant finds that it has been materially affected by what may appear as a series of related cyber intrusions, Item 1.05 may be triggered even if the material impact or reasonably likely material impact could be allocated among the multiple intrusions to render each by itself immaterial. The SEC provided the example of a malicious actor engaging, against the same company, in several smaller, continuous cyberattacks related in time and form that are collectively quantitatively or qualitatively material such that Item 1.05 disclosure would be required. In another example, a series of related attacks by multiple actors that exploit the same company’s vulnerability and that collectively and materially impede the company’s business would also trigger Item 1.05 disclosure.

  • Incidents on Third-Party Systems. Registrants should keep in mind that cybersecurity incidents on a third-party system may trigger disclosure. A company should disclose information based on what is available to it and is generally not required to conduct additional inquiries outside of its regular channels of communication with such third-party service providers pursuant to its contracts with them and in accordance with the registrant’s disclosure controls and procedures, consistent with the SEC’s existing rules regarding the disclosure of information that is difficult to obtain.

  • Filing Timing and Delays. The Item 1.05 Form 8-K must generally be filed within four business days of the determination that the company has experienced a material cybersecurity incident. However, filing delays may occur if the US Attorney General determines that immediate disclosure will pose a substantial risk to national security or public safety and provides its written opinion to the SEC. The disclosure can be delayed by up to 30 days after the date disclosure would have been required under Item 1.05. This may be extended for an additional period of up to 30 days if the Attorney General determines disclosure continues to pose such substantial risk, and in extraordinary circumstances, for up to an additional 60 days (i.e., a total of up to 120 days plus the initial four business days after the materiality determination). Beyond the final 60-day period, the SEC will consider additional requests for delay and may grant such relief through exemptive order.

  • Requests for Filing Delays. The adopting release is not clear about how a company would request a filing delay from the Attorney General’s office, and the US Department of Justice (DOJ) has not yet established procedures for issuers to request delayed disclosure. Commenters indicated that obtaining such approval within four business days would be practically impossible, as Commissioner Peirce noted as one of her concerns in her dissenting statement. However, the SEC noted it had consulted with the DOJ to establish an interagency communication process to allow for the Attorney General’s determination to be communicated to the SEC in a timely manner, and the DOJ would be responsible for notifying companies that the communication had been made to the SEC (so that the company knows it can delay filing the 8-K). The SEC also noted that the final rules do not preclude other federal agencies and nonfederal law enforcement agencies from requesting that the Attorney General determine the disclosure poses a substantial risk.

  • Requirement to Update Disclosure. If information required in Item 1.05(a) is not determined or is unavailable at the time of the required filing, the registrant must include a statement to this effect in its filing and file an amendment to its Form 8-K within four business days after such information becomes available or is determined. The SEC explained that, other than with respect to such previously undetermined or unavailable information, the final rules do not separately create or otherwise affect a registrant’s duty to update its prior statements, although registrants should be mindful of existing obligations to correct prior disclosure that the registrant later determines to be untrue at the time it was made, to update prior disclosure that omitted a material fact necessary to make the disclosure not misleading at the time it was made, and to update prior disclosure that becomes materially inaccurate after it was made.

  • Filed, Not Furnished. Disclosure under Item 1.05 will be filed and not furnished on Form 8-K. Accordingly, registrants are subject to liability under Section 18 of the Securities Exchange Act of 1934 for such disclosure.

  • No Loss of S-3 Eligibility. Item 1.05 is added to the list of Form 8-K items in General Instruction I.A.3.(b) of Form S-3, which means that the untimely filing of an Item 1.05 Form 8-K will not result in the loss of Form S-3 eligibility.

  • Limited Safe Harbor on Liability. The SEC adopted amendments to Rules 13a-11(c) and 15d-11(c) under the Exchange Act to include new Item 1.05 in the list of Form 8-K items eligible for a limited safe harbor from liability under Section 10(b) or Rule 10b-5 under the Exchange Act because the triggering event for the Form 8-K requires management to make a rapid materiality determination.

  • Conflicts with Other Federal Laws and Regulations. The final rule release reflects on concerns raised about conflicts with other federal laws and regulations. One conflict the release identifies is the Federal Communications Commission’s notification rule for breaches of customer proprietary network information. Paragraph (d) to Item 1.05 was added to accommodate registrants subject to this requirement.

The SEC also considered, among others, the conflicts commenters alleged with Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Commenters stated that Item 1.05 is at odds with the goals of CIRCIA and that it may conflict with forthcoming regulations from the Cybersecurity and Infrastructure Security Agency (CISA). The SEC responded that while CISA has yet to propose regulations to implement CIRCIA, given the statutory authority, text, and legislative history of CIRCIA, it appears unlikely the regulations would affect the balance of material information available to investors about public companies because the reporting regime CIRCIA establishes is confidential.

Disclosure of Cybersecurity Risk Management and Strategy — New Regulation S-K Item 106(b)

  • Disclosure of Processes for Assessing, Identifying, and Managing Cyber Risks. New Regulation S-K Item 106(b) will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, considering the below nonexclusive list of disclosure items:

    • Whether and how any such processes have been integrated into the registrant’s overall risk management system or processes

    • Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes

    • Whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider

  • Meaning of “Processes”; Cybersecurity Risk Profile. The SEC noted that the change from “policies and procedures” in the proposed rule to “processes” in the final rule is intended to avoid requiring disclosure of the kinds of details that could be weaponized by cyber threat actors. However, the SEC still expects the disclosure to allow investors to ascertain a registrant’s cybersecurity practices, such as whether they have a risk assessment program in place, with sufficient detail for investors to understand the registrant’s cybersecurity risk profile.

  • Risk Disclosure. Item 106(b) also requires that registrants describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition, and if so, how. The SEC added a materiality qualifier and removed the proposed list of risk types in the final rule.

  • Disclosure of Engagement of Third Parties. The final rules will require disclosure of whether a registrant engages assessors, consultants, auditors, or other third parties in connection with their cybersecurity processes, although naming the third party or including a description of the third party’s services is not required.

  • Certain Proposed Disclosure Elements Not Required. The SEC did not adopt previously proposed disclosure elements regarding the registrant’s prevention and detection activities, continuity and recovery plans, and previous incidents.

  • Certain Suggestions Not Adopted. The SEC did not include risk quantification or other quantifiable metrics as mandatory elements of a cybersecurity disclosure framework (although to the extent that a registrant uses any quantitative metrics in assessing or managing cybersecurity risks, it may disclose such information voluntarily), did not require disclosure of independent assessments and audits or of use of the National Institute of Standards and Technology framework, and did not require registrants to distinguish between continuous and periodic risk assessment.

Disclosure Regarding Cybersecurity Governance — New Regulation S-K Item 106(c)

  • Board Oversight and Management Role and Expertise. New Item 106(c) will require registrants to describe (1) the board of directors’ oversight of risks from cybersecurity threats and (2) management’s role and expertise in assessing and managing material risks from cybersecurity threats.

The final rule requires registrants to identify, if applicable, any board committee or subcommittee responsible for the oversight of risk from cybersecurity threats and to describe the processes by which the board or such committee is informed about such risks. As noted below, while the SEC did not adopt the proposed disclosure on board cybersecurity expertise, the final rules do require disclosure of management expertise. The SEC also explained that to the extent a registrant has determined that board-level expertise is a “necessary component” of the company’s cybersecurity risk management, the registrant may provide such disclosure under Item 106.

Registrants are to consider disclosure from the following nonexclusive list as part of a description of management’s role in assessing and managing the registrant’s material risks from cybersecurity threats:

    • Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise

    • The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents

    • Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors

  • Frequency of Board Communications with Management. The SEC noted that although the final rules do not require disclosure of the frequency of the board or committee’s discussions on cybersecurity or of management–board discussions on cybersecurity, it may be appropriate in context for some registrants to include such information in describing the processes by which their board or relevant committee is informed about cybersecurity risks.

  • Disclosure of Management Position with Responsibility for Cybersecurity. The SEC also explained that, in identifying whether and which management positions are responsible for assessing and managing material cybersecurity risks, registrants would typically identify whether they have a chief information security officer (CISO) or someone in a comparable position, although the SEC is not separately requiring registrants to disclose whether they have a designated CISO.

Applicability to Foreign Private Issuers

The SEC has also established disclosure requirements for foreign private issuers parallel to those adopted for domestic registrants in Item 106 of Regulation S-K and Item 1.05 of Form 8-K by adopting amendments to Form 20-F and Form 6-K.

Effective Date and Compliance Deadlines

The final rules will become effective 30 days following publication of the adopting release in the Federal Register.

All Companies That Are Not Smaller Reporting Companies

With respect to compliance with the incident disclosure requirements in Item 1.05 of Form 8-K and in Form 6-K, companies that are not smaller reporting companies (SRCs) must begin complying on the later of December 18, 2023, or 90 days after the date of publication of the final rules in the Federal Register.

With respect to Item 106 of Regulation S-K, all registrants must provide such disclosures beginning with annual reports on Form 10-K or Form 20-F for fiscal years ending on or after December 15, 2023. Accordingly, calendar year-end companies will be required to comply with the new rules in their upcoming Form 10-Ks or Form 20-Fs for fiscal year 2023.

Smaller Reporting Companies

SRCs are not exempt from these disclosures; however, SRCs have a longer transition period before compliance with new Item 1.05 of Form 8-K is required. SRCs must begin complying with Item 1.05 of Form 8-K on the later of June 15, 2024, or 270 days after the date of publication of the final rules in the Federal Register.

The SEC did not provide for an additional compliance period for Item 106 of Regulation S-K, noting that the “information is factual in nature regarding a registrant’s existing cybersecurity strategy, risk management, and governance, and so should be readily available to those companies to assess for purposes of preparing disclosure.” Accordingly, calendar year-end SRCs will be required to comply with the new rules in their upcoming Form 10-Ks for fiscal year 2023.

Staggered XBRL Deadlines

The new current and periodic disclosures must be tagged in Inline XBRL. With respect to compliance with the XBRL tagging requirements, the SEC is staggering disclosure such that all registrants (including SRCs) must tag disclosures required under the final rules in Inline XBRL beginning one year after initial compliance with each respective disclosure requirement.

Exempt Issuers

Asset-Backed Issuers

The SEC has exempted asset-backed security issuers from these disclosure requirements. The SEC does not believe compliance would result in meaningful disclosure since “asset-backed issuers are typically special purpose vehicles whose activities are limited to receiving or purchasing, and transferring or selling, assets to an issuing entity and, accordingly, do not own or use information systems, whereas the final rules are premised on an issuer’s ownership or use of information systems.” However, the SEC also noted that it may consider adopting cybersecurity disclosure rules specific to asset-backed securities at a later date.

What’s Not Included

No Disclosure of Board of Directors’ Cybersecurity Expertise

Persuaded by comments that effective cybersecurity processes are designed and implemented primarily by management, the SEC determined not to require disclosure of a registrant’s board of directors’ cybersecurity expertise under a new Item 407(j) of Regulation S-K. The SEC also explained that directors with nonspecific skills in risk management and strategy are able to successfully oversee management efforts without specific subject matter expertise on other technical matters such that requiring disclosure would not necessarily benefit investors.

No Periodic Updated Incident Disclosures

The SEC did not adopt a proposed rule that would have required periodic updates on Forms 10-Q and 10-K of any material changes, additions, or updates to a prior disclosure under Item 1.05 of Form 8-K. The final rules also omit the proposed aggregation of previously undisclosed immaterial incidents that became material in the aggregate (and related additional line-item disclosures) in periodic reports (but see discussion above that the definition of “cybersecurity incident” now includes “a series of related unauthorized occurrences”).

No Exemptions for Smaller Reporting Companies or Emerging Growth Companies

SRCs are not exempt from any of the new disclosures, as the SEC believes its streamlining efforts in the final rules will alleviate some of the additional compliance costs imposed on smaller companies by the new rules. However, SRCs may take advantage of a delayed compliance deadline with respect to Item 1.05 disclosures on Form 8-K (discussed above). Emerging growth companies (EGCs) are not exempt from any of the new disclosures and have no special compliance delays. The SEC acknowledged that although many EGCs are small entities, many are not, and it declined to exempt EGCs from the new disclosure requirements.

No Specialized Disclosures for Specific Industries

Although the SEC received a number of comments alleging that the proposed rules conflicted with regulations and programs of various industries, as well as existing federal and state laws and regulatory regimes, the SEC declined to require specialized disclosures for any particular industries or exempt issuers in these industries from complying with the new rules.

Things to Do Now

Given the short compliance timeline, companies should continue to work on, or begin preparing for, compliance with these new disclosure requirements with the assistance of legal counsel, including the following:

  • Reviewing, updating, and testing, as necessary, internal policies, including cybersecurity and information technology policies and incident response plans

  • Revisiting internal disclosure controls and procedures and any other disclosure policies to, among other things and as applicable:

    • Address “materiality” determinations with respect to cybersecurity issues.

    • Incorporate the new Form 8-K trigger and related communication mechanisms within the company to be prepared to address the new Form 8-K disclosure requirements in a timely manner.

    • Broaden membership of any disclosure committee to include the CISO or other members of management in comparable positions.

  • Communicating these new rules and related internal policy updates to board members and management responsible for cybersecurity oversight

    • If no committee of the board has already been delegated responsibility for cybersecurity oversight, companies should consider specifically delegating this duty to an existing standing committee in that committee’s charter or should create a new committee or subcommittee with responsibility for cybersecurity oversight, as needed.

  • Drafting preliminary Form 10-K or Form 20-F disclosures related to cybersecurity risk management, strategy, and governance, which will include assessing board reporting structures and obtaining information regarding relevant expertise of management, and conforming other public disclosure, including any existing Form 10-K, Form 10-Q, or Form 20-F risk factor disclosure and any disclosure in proxy statements and environmental, social, and governance reports, among others

  • Reviewing and revising, as necessary, third-party service contracts and regularly communicating with service providers about procedures regarding material data security incidents

    • This review should include information technology service providers, whose contracts ordinarily contain provisions regarding whether and when they are required to report a cybersecurity incident to their customers.

    • Registrants should also consider conducting cybersecurity risk assessments of third-party service providers to ensure that the providers are timely providing sufficient information to enable registrants to evaluate cyber incidents.

  • Reviewing potential timing concerns and implications for any state breach notification laws that may not be implicated until after disclosure is required on Form 8-K
