SEC Adopts New Cybersecurity Disclosure Rules


On July 26, 2023, the Securities and Exchange Commission (“SEC”) issued final rules (the “Final Rules”) aimed at enhancing and standardizing public company disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934 (the “Exchange Act”). These Final Rules are effective September 5, 2023. A copy of the adopting release (the “Adopting Release”) can be found on the SEC website.

Overview

In March 2022, the SEC issued proposed rules (the “Proposed Rules”) intended to better inform investors about a company’s cybersecurity risk management, strategy, and governance and to provide timely notification to investors of material cybersecurity incidents. In issuing the Proposed Rules, the SEC cited the increasing use of digital technology and electronic communications by businesses, as well as the potential costs that can arise from a material cybersecurity incident. After consideration of comments submitted during a two-month comment period, the SEC issued the Final Rules, which include several modifications to the Proposed Rules, as discussed below.

In general, the Final Rules, like the Proposed Rules, require current reporting about material cybersecurity incidents, as well as periodic reporting about a registrant’s processes to identify and manage cybersecurity risks; the board of directors’ oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity processes. However, the Final Rules add materiality qualifiers, narrow the scope of information that registrants would have been required to disclose under the Proposed Rules, and modify the requirements set forth in the Proposed Rules to update information regarding previously reported incidents.

Key Definitions

The Final Rules modify the key definitions initially proposed to clarify that a “cybersecurity incident” extends to “a series of related unauthorized occurrences,” reflecting that cyberattacks sometimes compound over time, rather than present as a discrete event. They also clarify that the incident is “conducted through a company’s information systems” and involves “electronic” information resources. For purposes of the Final Rules, the following key definitions apply:

  • “Cybersecurity incident” is defined as “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”
  • “Cybersecurity threat” is defined as “any potential unauthorized occurrence on or conducted through a registrant’s information systems that may result in adverse effects on the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein.”
  • “Information systems” is defined as “electronic information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant’s information to maintain or support the registrant’s operations.”

The Proposed Rules included the following non-exclusive list of cybersecurity incident examples, which continue to provide helpful guidance:

  • An unauthorized incident that has compromised the confidentiality, integrity, or availability of an information asset (data, system or network), or violated a company’s security policies or procedures;
  • An unauthorized incident that caused degradation, interruption, loss of control, damage to or loss of operational technology systems;
  • An incident in which an unauthorized party accessed, or a party exceeded authorized access, and altered, or stole sensitive business information, personally identifiable information, intellectual property, or information that has resulted, or may result, in a loss or liability for the company;
  • An incident in which a malicious actor has offered to sell or has threatened to publicly disclose sensitive company data; or
  • An incident in which a malicious actor has demanded payment to restore company data that was stolen or altered.

Disclosure of Cybersecurity Incidents on Form 8-K

The Final Rules add new Item 1.05 to Form 8-K, which requires a company to describe “the material aspects of the nature, scope, and timing of [a material cybersecurity] incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” Item 1.05 disclosure is narrower than originally proposed and now focuses primarily on the impacts of a material cybersecurity incident, rather than on requiring details regarding the incident itself, to avoid empowering threat actors with actionable information. Specifically, the Final Rules remove the requirement in the Proposed Rules for disclosure regarding whether the company has remediated or is currently remediating the incident. Instruction 4 to Item 1.05 specifically states that a registrant “need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.”

The Adopting Release states that the inclusion of “financial condition and results of operations” in the Final Rule is not exclusive; companies should consider qualitative factors (such as harm to a company’s reputation, customer or vendor relationships, or competitiveness) alongside quantitative factors in assessing the material impact of an incident.

While the Final Rules continue to require companies to disclose cybersecurity incidents on third party systems that they use, the Adopting Release states that the Final Rules do not require a company to conduct additional inquiries outside of its regular channels of communication with third-party service providers pursuant to those contracts and in accordance with a company’s disclosure controls and procedures.

Consistent with the Proposed Rules, the Final Rules provide that the Form 8-K disclosing a material cybersecurity incident generally must be filed within four business days of the company’s determination that such an incident had occurred. In the Adopting Release, the SEC acknowledges that whether a cybersecurity incident is material may not be immediately apparent upon discovery and thus, the triggering date is the date that the materiality determination is made by the company. However, while the Proposed Rules would have required a company to make such a determination “as soon as reasonably practicable after discovery of the incident,” the Final Rules require the company to make such a determination “without unreasonable delay.” Once a materiality determination has been made, an ongoing internal or external investigation related to the cybersecurity incident would not be grounds for a delay in reporting. However, the Final Rules, unlike the Proposed Rules, allow for a delay for disclosures that would pose a substantial risk to national security or public safety, contingent on a written notification by the U.S. Attorney General, who may take into consideration other Federal or other law enforcement agencies’ findings. In extraordinary circumstances, disclosure may be delayed for up to an additional 60 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security and notifies the SEC of such determination in writing.

Lastly, although the information provided under Item 1.05 of Form 8-K is considered “filed” rather than “furnished” under the securities laws, the Final Rules provide that a failure to timely file a Form 8-K for Item 1.05 will not result in loss of Form S-3 or Form SF-3 eligibility. Similarly, Item 1.05 has been added to the list of Form 8-K items eligible for a limited safe harbor from liability under Section 10(b) or Rule 10b-5 under the Exchange Act.

Amendments to Forms 10-Q/10-K

The Proposed Rules would have added Item 106(d)(1) to Regulation S-K, which would have required registrants to disclose in their Forms 10-Q (and Form 10-K, for the fourth quarter) any material changes, additions or updates to cybersecurity incidents previously reported on Form 8-K, that occur during the covered period.

The Final Rules do not include proposed Item 106(d)(1) and instead include a new instruction that directs a registrant to file an amendment to its initial Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the required initial filing. The Form 8-K amendment must be filed within four business days after the registrant, without unreasonable delay, determines such information or within four business days after such information becomes available. Other than with respect to such previously undetermined or unavailable information, the Final Rules do not separately create or otherwise affect a registrant’s duty to update its prior statements.

In addition, because of concerns that the proposed aggregation requirement was too vague or difficult to apply, the Final Rules do not include proposed Item 106(d)(2) to Regulation S-K, which would have required companies to disclose previously undisclosed and immaterial cybersecurity incidents in the event that they become material in the aggregate.

Disclosure of Cybersecurity Policies and Procedures – Item 106(b)

The Final Rules add Item 106(b) to Regulation S-K, which requires a registrant to periodically disclose its “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.” This differs from proposed Item 106(b) in that the Final Rule requires narrower disclosure than initially proposed to avoid disclosure of details beyond information that is material to investors. Item 106(b) requires a registrant to disclose “processes” rather than “policies and procedures” in order to avoid requiring disclosure of the kinds of operational details that could be weaponized by cybersecurity threat actors.

As adopted, Item 106(b) requires disclosure of the following:

  • Whether and how the described cybersecurity processes in Item 106(b) have been integrated into the registrant’s overall risk management system or processes;
  • Whether the registrant engages assessors, consultants, auditors or other third parties in connection with any such processes; and
  • Whether the registrant has policies and procedures to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.

In its Adopting Release, the SEC emphasizes that the above list is a non-exclusive list of disclosures and that a registrant should also disclose whatever information is necessary, based on its facts and circumstances, for a reasonable investor to understand its cybersecurity processes.

The Final Rules also add Item 106(b)(2) to Regulation S-K, which requires a description of “[w]hether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how.”

Disclosure of Cybersecurity Governance and Oversight – Item 106(c)

New Item 106(c) of Regulation S-K requires additional periodic disclosures related to board oversight of cybersecurity risks, as well as a description of management’s role in assessing and managing such risks. The Final Rules require less granular disclosure than the Proposed Rules.

Under the Final Rules, disclosures regarding board oversight include:

  • Description of the board’s oversight of risks from cybersecurity threats; and
  • If applicable, identification of any board committee or subcommittee responsible for such oversight and a description of the processes by which the board or such committee is informed about such risks.

Under the Final Rules, disclosures relating to management’s role include:

  • Whether and which certain management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
  • The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
  • Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.

The new disclosures under Item 106(b) and (c) are provided pursuant to a new Part I, Item 1.C of Form 10-K.

Board of Directors’ Cybersecurity Expertise – Item 407(j)

The Proposed Rules would have added a new section (j) under Item 407 of Regulation S-K that would have required companies to disclose the names of any directors with cybersecurity expertise and include descriptions of the nature of such expertise in their proxy statements or information statements in connection with the election of directors, and in their Form 10-Ks.

The Final Rules do not include this new requirement. In the Adopting Release, the SEC stated that it was convinced that effective cybersecurity processes are designed and administered largely at the management level, and that directors with broad-based skills in risk management and strategy often effectively oversee management’s efforts without specific subject matter expertise.

Foreign Private Issuer Disclosure

The Final Rules amend Form 20-F to add Item 16K, which requires a foreign private issuer to include in its annual report on Form 20-F the same type of disclosure that is required by Item 106 of Regulation S-K in periodic reports filed by a domestic registrant.

The Final Rules also amend the General Instruction B of Form 6-K to reference material cybersecurity incidents among the items that may trigger a current report on that Form.

Structured Data Requirements

The information specified by Item 1.05 of Form 8-K and Item 106 of Regulation S-K must be provided in Inline eXtensible Business Reporting Language (Inline XBRL).

Effective and Compliance Dates

The Final Rules are effective on September 5, 2023. With respect to Item 106 of Regulation S-K and Item 16K of Form 20-F, all registrants must provide such disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023.

With respect to compliance with the incident disclosure requirements in Item 1.05 of Form 8-K and in Form 6-K, companies must begin complying on December 18, 2023. For smaller reporting companies, the compliance date for Item 1.05 of Form 8-K begins on June 15, 2024.

With respect to compliance with the structured data requirements, all registrants must tag disclosures required under the Final Rules in Inline XBRL beginning one year after the initial compliance date for any issuer for the related disclosure requirement. Specifically:

  • For Item 106 of Regulation S-K and Item 16K of Form 20-F, all registrants must begin tagging responsive disclosure in Inline XBRL beginning with annual reports for fiscal years ending on or after December 15, 2024; and
  • For Item 1.05 of Form 8-K and Form 6-K, all registrants must begin tagging responsive disclosure in Inline XBRL beginning on December 18, 2024.

For additional information related to anything contained in this Client Alert, please contact one of the authors listed or any member of our Securities or Cybersecurity, Privacy, and Data Protection Practice Groups.