On July 26, 2023, the Securities and Exchange Commission (“SEC”) issued final rules (the “Final Rules”) aimed at enhancing and standardizing public company disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934 (the “Exchange Act”). These Final Rules are effective September 5, 2023. A copy of the adopting release (the “Adopting Release”) can be found on the SEC website.
In March 2022, the SEC issued proposed rules (the “Proposed Rules”) intended to better inform investors about a company’s cybersecurity risk management, strategy, and governance and to provide timely notification to investors of material cybersecurity incidents. In issuing the Proposed Rules, the SEC cited the increasing use of digital technology and electronic communications by businesses, as well as the potential costs that can arise from a material cybersecurity incident. After consideration of comments submitted during a two-month comment period, the SEC issued the Final Rules, which include several modifications to the Proposed Rules, as discussed below.
In general, the Final Rules, like the Proposed Rules, require current reporting about material cybersecurity incidents, as well as periodic reporting about a registrant’s processes to identify and manage cybersecurity risks; the board of directors’ oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity processes. However, the Final Rules add materiality qualifiers, narrow the scope of information that registrants would have been required to disclose under the Proposed Rules, and modify the requirements to update information regarding previously reported incidents as set forth in the Proposed Rules.
The Final Rules modify the key definitions initially proposed to clarify that a “cybersecurity incident” extends to “a series of related unauthorized occurrences,” reflecting that cyberattacks sometimes compound over time, rather than present as a discrete event. They also clarify that the incident is “conducted through a company’s information systems” and involves “electronic” information resources. For purposes of the Final Rules, the following key definitions apply:
The Proposed Rules included the following non-exclusive list of cybersecurity incident examples, which continue to provide helpful guidance:
The Final Rules add new Item 1.05 to Form 8-K, which requires a company to describe “the material aspects of the nature, scope, and timing of [a material cybersecurity] incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” Item 1.05 disclosure is narrower than originally proposed and now focuses primarily on the impacts of a material cybersecurity incident, rather than on requiring details regarding the incident itself, to avoid empowering threat actors with actionable information. Specifically, the Final Rules remove the requirement in the Proposed Rules for disclosure regarding whether the company has remediated or is currently remediating the incident. Instruction 4 to Item 1.05 specifically states that a registrant “need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.”
The Adopting Release states that the inclusion of “financial condition and results of operations” in the Final Rules is not exclusive; companies should consider qualitative factors (such as harm to a company’s reputation, customer or vendor relationships, or competitiveness) alongside quantitative factors in assessing the material impact of an incident.
While the Final Rules continue to require companies to disclose cybersecurity incidents on third-party systems that they use, the Adopting Release states that the Final Rules do not require a company to conduct additional inquiries outside of its regular channels of communication with third-party service providers pursuant to those contracts and in accordance with a company’s disclosure controls and procedures.
Consistent with the Proposed Rules, the Final Rules provide that the Form 8-K disclosing a material cybersecurity incident generally must be filed within four business days of the company’s determination that such an incident had occurred. In the Adopting Release, the SEC acknowledges that whether a cybersecurity incident is material may not be immediately apparent upon discovery and thus, the triggering date is the date that the materiality determination is made by the company. However, while the Proposed Rules would have required a company to make such a determination “as soon as reasonably practicable after discovery of the incident,” the Final Rules require the company to make such a determination “without unreasonable delay.” Once a materiality determination has been made, an ongoing internal or external investigation related to the cybersecurity incident would not be grounds for a delay in reporting. However, the Final Rules, unlike the Proposed Rules, allow for a delay for disclosures that would pose a substantial risk to national security or public safety, contingent on a written notification by the U.S. Attorney General, who may take into consideration other Federal or other law enforcement agencies’ findings. In extraordinary circumstances, disclosure may be delayed for up to an additional 60 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security and notifies the SEC of such determination in writing.
Lastly, although the information provided under Item 1.05 of Form 8-K is considered “filed” rather than “furnished” under the securities laws, the Final Rules provide that a failure to timely file a Form 8-K for Item 1.05 will not result in loss of Form S-3 or Form SF-3 eligibility. Similarly, Item 1.05 has been added to the list of Form 8-K items eligible for a limited safe harbor from liability under Section 10(b) or Rule 10b-5 under the Exchange Act.
The Proposed Rules would have added Item 106(d)(1) to Regulation S-K, which would have required registrants to disclose in their Forms 10-Q (and Form 10-K, for the fourth quarter) any material changes, additions or updates to cybersecurity incidents previously reported on Form 8-K, that occur during the covered period.
The Final Rules do not include proposed Item 106(d)(1) and instead include a new instruction that directs a registrant to file an amendment to its initial Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the required initial filing. The Form 8-K amendment must be filed within four business days after the registrant, without unreasonable delay, determines such information or within four business days after such information becomes available. Other than with respect to such previously undetermined or unavailable information, the Final Rules do not separately create or otherwise affect a registrant’s duty to update its prior statements.
In addition, the Final Rules do not include proposed Item 106(d)(2) to Regulation S-K, which would have required companies to disclose previously undisclosed and immaterial cybersecurity incidents in the event that they become material in the aggregate; the SEC omitted it due to concerns that the proposed aggregation requirement was too vague or difficult to apply.
The Final Rules add Item 106(b) to Regulation S-K, which requires a registrant to periodically disclose its “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.” This differs from proposed Item 106(b) in that the Final Rules require narrower disclosure than initially proposed, to avoid disclosure of details beyond information that is material to investors. Item 106(b) requires a registrant to disclose “processes” rather than “policies and procedures” in order to avoid requiring disclosure of the kinds of operational details that could be weaponized by cybersecurity threat actors.
As adopted, Item 106(b) requires disclosure of the following:
In its Adopting Release, the SEC emphasizes that the above list constitutes a non-exclusive list of disclosures and that a registrant should also disclose whatever information is necessary, based on its facts and circumstances, for a reasonable investor to understand its cybersecurity processes.
The Final Rules also add Item 106(b)(2) to Regulation S-K, which requires a description of “[w]hether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how.”
New Item 106(c) of Regulation S-K requires additional periodic disclosures related to board oversight of cybersecurity risks, as well as a description of management’s role in assessing and managing such risks. The Final Rules require less granular disclosure than the Proposed Rules.
Under the Final Rules, disclosures regarding board oversight include:
Under the Final Rules, disclosures relating to management’s role include:
The new disclosures under Item 106(b) and (c) are provided pursuant to a new Part I, Item 1.C of Form 10-K.
The Proposed Rules would have added a new section (j) under Item 407 of Regulation S-K that would have required companies to disclose the names of any directors with cybersecurity expertise and include descriptions of the nature of such expertise in their proxy statements or information statements in connection with the election of directors, and in their Form 10-Ks.
The Final Rules do not include this new requirement. In the Adopting Release, the SEC stated that it was convinced that effective cybersecurity processes are designed and administered largely at the management level, and that directors with broad-based skills in risk management and strategy often effectively oversee management’s efforts without specific subject matter expertise.
The Final Rules amend Form 20-F to add Item 16K, which requires a foreign private issuer to include in its annual report on Form 20-F the same type of disclosure that is required by Item 106 of Regulation S-K in periodic reports filed by a domestic registrant.
The Final Rules also amend the General Instruction B of Form 6-K to reference material cybersecurity incidents among the items that may trigger a current report on that Form.
The information specified by Item 1.05 of Form 8-K and Item 106 of Regulation S-K must be provided in Inline eXtensible Business Reporting Language (Inline XBRL).
The Final Rules are effective on September 5, 2023. With respect to Item 106 of Regulation S-K and Item 16K of Form 20-F, all registrants must provide such disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023.
With respect to compliance with the incident disclosure requirements in Item 1.05 of Form 8-K and in Form 6-K, companies must begin complying on December 18, 2023. For smaller reporting companies, the compliance date for Item 1.05 of Form 8-K begins on June 15, 2024.
With respect to compliance with the structured data requirements, all registrants must tag disclosures required under the Final Rules in Inline XBRL beginning one year after the initial compliance date for any issuer for the related disclosure requirement. Specifically:
For additional information related to anything contained in this Client Alert, please contact one of the authors listed or any member of our Securities or Cybersecurity, Privacy, and Data Protection Practice Groups.