LawFlash

SEC Adopts Rules on Mandatory Cybersecurity Disclosures

August 01, 2023

The US Securities and Exchange Commission (SEC) adopted on July 26, 2023 final rules and amendments for mandating disclosure regarding cybersecurity risk management, strategy, governance, and incident reporting, including amendments to Forms 8-K, 6-K, 10-K, and 20-F. Under the new framework, public companies must report certain details of a cybersecurity incident within four days of determining such an incident is material and provide certain expanded standardized cybersecurity-related disclosures and assessments in annual reports.

Approved in a 3-2 vote, the new rules and amendments (the Final Rule) amend Regulation S-K, Regulation S-T, and certain provisions of the Securities Act of 1933, as amended (the Securities Act), and the Securities Exchange Act of 1934, as amended (the Exchange Act), by expanding and standardizing companies’ disclosures concerning cybersecurity risk management, strategy, governance, and incident reporting.

Following the promulgation of more informal principles-based interpretative guidance by the SEC in recent years, the Final Rule formalizes the SEC’s efforts to address its concerns regarding information asymmetry and under-disclosure around the cause, scope, impact, and materiality of cybersecurity incidents.

In summary, the Final Rule

  • adds a new Item 1.05 to Form 8-K requiring disclosure of material cybersecurity incidents; and
  • through revisions to Form 10-K and the addition of a new Item 106 to Regulation S-K, requires periodic disclosures regarding cybersecurity matters, namely
    • the processes employed by a company to assess, identify, and manage cybersecurity risks;
    • whether any cybersecurity risks have materially affected or are reasonably likely to materially affect a company’s business strategy, results of operations, or financial condition;
    • management’s role in assessing and managing material risks from cybersecurity threats; and
    • the board of directors’ oversight of cybersecurity risk.

The rules require comparable disclosures by foreign private issuers (FPIs) on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.

The information required to be disclosed pursuant to the Final Rule must also be reported using Inline eXtensible Business Reporting Language (Inline XBRL), as further discussed below.

In a departure from the proposed cybersecurity disclosure mandates the agency released for comment on March 9, 2022 (the Proposed Rule), the SEC did not adopt controversial provisions that would have required disclosure of individual board members’ cybersecurity expertise, aggregation of immaterial cybersecurity incidents for materiality analyses, or updates on previously reported material cybersecurity incidents in periodic or annual reports.

SUMMARY OF THE FINAL RULE’S KEY PROVISIONS

Current Reporting of Cybersecurity Incidents on Form 8-K

Under the Final Rule, Form 8-K was amended to add a new Item 1.05, which requires companies to disclose information about a material cybersecurity incident within four business days, as is the case with all other Form 8-K items. While the requirement to report within four days may seem aggressive and potentially challenging when compared to other breach notification laws in the United States, which typically require reporting within 30 to 60 days, it is important to underscore that the triggering date for the Form 8-K filing is the date that the company concludes that a cybersecurity incident is material, not the date the event occurred or even the date the company became aware of it.

This approach recognizes the reality that following the occurrence of a cybersecurity incident, such as a compromise of a company’s information system and infrastructure, it is often necessary for the company to expend significant time and effort to discover, review, analyze, and assess the impact. At the time of the initial discovery of an incident, and for some time after that, very little is known about what has happened, and a materiality determination is likely to be difficult.

While the Final Rule does not impose a deadline for determining materiality, it does require that, following the discovery of an incident, companies determine the materiality of the incident through an informed and deliberative process “without unreasonable delay.” As a practical matter, this means that companies that have discovered an incident should promptly engage outside counsel, forensic cyber experts, and other appropriate service professionals to investigate the incident and determine facts necessary to make a materiality determination.

In narrowing the wide disclosure purview initially outlined in the Proposed Rule, the SEC stresses that the new Item 1.05 of Form 8-K requires disclosure primarily on the impacts of a material cybersecurity incident, rather than details regarding the incident itself. This revision seeks to balance investors’ information needs with the risk that provision of overly specific incident data may empower cyber attackers with knowledge that could facilitate additional nefarious activity.

Accordingly, and unlike the Proposed Rule’s suggestion, the new Item 1.05 of Form 8-K mandated by the Final Rule does not affirmatively require disclosure of technical information about an incident’s remediation status (e.g., whether it is ongoing or whether data were compromised) or “potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident,” though companies should take such factors into consideration in their materiality analysis.

Instead, the more streamlined Final Rule requires that, upon determining that a cybersecurity incident is material, a company more broadly describe:

  • the material aspects of the nature, scope, and timing of the incident, and
  • the material impact or reasonably likely material impact on the company, including its financial condition and results of operations.

Companies can avail themselves of an extremely limited exception to the four-day deadline under the new Form 8-K requirement: disclosure may be delayed if the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing.

Initially, disclosure may be delayed for a period specified by the Attorney General, up to 30 days following the date when the disclosure was otherwise required to be provided, with an additional 30-day extension at the Attorney General’s discretion should there be a determination that disclosure continues to pose substantial national security or public safety risk. Only under extraordinary circumstances can that delay be extended beyond 60 days.

Of note, although the Proposed Rule would have required a company to provide updated disclosure in its Form 10-Q (or, for the fourth quarter, in its Form 10-K) relating to cybersecurity incidents previously reported on Form 8-K, the Final Rule instead directs registrants to include in their initial Item 1.05 Form 8-K filings a statement identifying any information required under Item 1.05 that is not yet determined or that is unavailable at the time of the required filing. Within four days of such missing information becoming available, the company should then file a Form 8-K amendment containing such information.

Disclosure under new Item 1.05 on Form 8-K will be deemed to be filed rather than furnished with the SEC for purposes of liability under Section 18 of the Exchange Act, and the Final Rule includes amendments to Rules 13a-11(c) and 15d-11(c) under the Exchange Act to include new Item 1.05 in the list of Form 8-K items eligible for a limited safe harbor from liability under Section 10(b) or Rule 10b-5 under the Exchange Act. In addition, the Final Rule amends the Form S-3 “safe harbor” provision to provide that a failure to file an Item 1.05 Form 8-K will not result in a loss of Form S-3 eligibility.

The Final Rule also includes a corresponding amendment to Form 6-K for FPIs to include material cybersecurity incidents as a reportable event under Form 6-K. However, for FPIs such information will be deemed to be furnished, not filed.

Materiality Assessment and Reasonable Investor Test

A key implication of the Final Rule is that companies should have processes in place to not only manage the risk of cybersecurity events, but to also assess the materiality of such events in short order upon occurrence. The Final Rule emphasizes the SEC’s expectation that a public company will be deliberate and diligent in considering materiality, and that such assessment will take into account both quantitative and qualitative factors while still ensuring timely disclosure under the form.

The Final Rule reiterated the standard definition of materiality (also cited in the Proposed Rule) that courts apply in federal securities law cases: information is material “if there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision or if a disclosure would “significantly alter[] the ‘total mix’ of information made available” to investors. TSC Indus. v. Northway, 426 U.S. 438, 449 (1976); Basic, Inc. v. Levinson, 485 U.S. 224, 232 (1988). As the Final Rule notes, “materiality turns on how a reasonable investor would consider the incident’s impact on the [company].”

Many companies start their materiality assessments based on the likely financial outcomes, and the Final Rule underscores this, stating that “most [companies’] materiality analyses will include consideration of the financial impact of a cybersecurity incident.” The Final Rule also notes that “lack of quantifiable harm” does not equate to a lack of finding of materiality, stating that, for example, an incident that results in significant reputational harm may need to be disclosed “if the reputational harm is material.”

The Final Rule provides and references nonexhaustive examples of factors the SEC would expect companies to consider in making materiality assessments, many of which may be difficult to quantify:

  • Reputational damage (which is mentioned several times in the Final Rule);
  • Data theft;
  • Asset, intellectual property, or business value loss;
  • Harm to customer or vendor relationships;
  • Competitive harm; and
  • The possibility of litigation or regulatory investigation or actions.

Periodic Reporting of Cybersecurity Matters

The Final Rule explicitly mandates cybersecurity-related disclosure that companies are required to provide in their periodic filings. Through the creation of the new Item 106 of Regulation S-K, the Final Rule requires that a company, in its Form 10-K annual report,

  • describe its processes, if any, for the identification and management of risks from cybersecurity threats, including
    • whether such cybersecurity processes have been integrated into the company’s overall risk management system or processes;
    • whether the company engages third-party assessors, consultants, or auditors in connection with any such processes; and
    • whether the company has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service providers; and
  • provide disclosure about the board’s oversight of cybersecurity risk and management’s role and expertise in assessing and managing material cybersecurity risk and implementing the company’s cybersecurity policies, procedures, and strategies, including
    • whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members (in such detail as necessary to fully describe the nature of the expertise);
    • the processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
    • whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.

Notably, new Item 106 of Regulation S-K requires a description of a company’s “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes” and assess a company’s cybersecurity risk profile. However, the SEC clarifies that the Final Rule does not require an at-length description of a company’s specific “policies and procedures” or disclosure of the types of operational details that could be weaponized by threat actors.

The Final Rule also includes corresponding amendments to Form 20-F for FPIs to include similar periodic reporting disclosures.

Inline XBRL Requirements

As noted above, the Final Rule also includes the requirement for registrants to tag the information provided by Item 1.05 of Form 8-K and Item 106 of Regulation S-K in Inline XBRL, including the narrative disclosures in addition to quantitative information. The SEC noted that requiring the disclosure to be tagged in such a manner will allow the public and all interested parties to more easily extract and analyze information regarding cybersecurity events.

KEY CONSIDERATIONS

As adopted, the Final Rule imposes a variety of new and mandatory cybersecurity disclosure obligations for public companies. Although such disclosures must now become more standardized in response to the Final Rule, most companies will still need to assess how best to disclose their cybersecurity oversight and risk management processes in their periodic reports in light of their particular business operations and industries.

The SEC has made clear that these new disclosure requirements are nonexhaustive and fundamentally designed to ensure that companies “disclose whatever information is necessary, based on their facts and circumstances, for a reasonable investor to understand their cybersecurity processes” and associated risks when making investment decisions.

Furthermore, the current reporting obligation added to Form 8-K creates an additional disclosure requirement on a relatively short timeline should a company experience a material cybersecurity incident in the future. Companies will have to balance the need for robust disclosure under the Final Rule with other factors, including limited and potentially changing information about the incident, and the need to avoid disclosing information that might provide a roadmap or other insight to threat actors.

KEY COMPLIANCE DATES

The Final Rule becomes effective 30 days following publication of the adopting release in the Federal Register. Incident-specific disclosures under the Final Rule will be required in Forms 8-K and 6-K beginning either 90 days after the rule’s publication in the Federal Register or on December 18, 2023, whichever is later, though smaller reporting companies will have an extra 180 days before they must begin providing such disclosures.

With respect to annual disclosures on cybersecurity risk management, strategy, and governance, all public companies with fiscal years ending on or after December 15, 2023 must provide such disclosures beginning with their 2023 Form 10-K or 20-F. While the Final Rule is not effective immediately, public companies should keep in mind that the Division of Enforcement has been and continues to be focused on cybersecurity disclosures, and as such companies should ensure that they have robust disclosure controls and processes in place now to withstand any scrutiny should a breach occur.

NEXT STEPS

In light of the Final Rule and the SEC’s increased focus on cybersecurity risk management generally, it is important for companies to take proactive steps now to address cybersecurity issues in anticipation of these new disclosure requirements. Specifically, public companies should consider the following:

  • Review, assess, and update existing cybersecurity-related policies and procedures. It is critical for management to assess and analyze existing policies, procedures, and control processes to ensure that they provide effective protection against cybersecurity breaches and identify gaps that should be remediated. Management may want to consider additional measures and actions to enhance the company’s cybersecurity infrastructure, including expanding the information technology team with the relevant expertise and qualifications in cybersecurity management and providing relevant training and support to personnel who are responsible for cybersecurity matters. For those companies that have not adopted formal policies and procedures, management should consult with internal and external personnel and experts to design and implement optimal cybersecurity policies and procedures.
  • Review and assess corporate governance structure. The board of directors, with the assistance of management, should review and assess the company’s current governance structure and risk management framework to identify areas of focus and improvement. For example, the board may consider establishing a dedicated committee to oversee and manage cybersecurity risks, with the authority to require regular reports and analysis on cybersecurity issues from management. The governance structure should permit open and timely communications to board members and ensure that critical decisions concerning cybersecurity issues can be made at the highest level of the company.
  • Review and implement disclosure control procedures. Companies should review existing disclosure control procedures and consider implementing additional processes to ensure that cybersecurity incidents can be identified and communicated quickly to appropriate personnel who can make disclosure decisions to mitigate enforcement risk in the event of delayed disclosure. This may involve building a new or more effective communications channel between the company’s information technology department and the financial reporting team or disclosure committee. This is particularly important in light of the new Form 8-K requirements that effectively mandate that companies establish a process by which cybersecurity incident materiality analyses can be performed without delay and, if needed, material cybersecurity incidents may quickly be disclosed to the public through filing with the SEC.
  • Consider the Final Rule in assessing whether to make disclosures prior to the effective dates. Notwithstanding the lag time between the release of the Final Rule and the effective dates, we urge companies to consider the principles and underlying policy considerations of the Final Rule. In particular, companies should evaluate the Final Rule’s framework in determining whether to disclose a material cyber event on a Form 8-K prior to the effective date. As discussed above, a materiality analysis would include both quantitative and qualitative assessments of the likelihood of, and potential magnitude of, loss. Additionally, companies seeking to access the capital markets should consider that the Final Rule reiterates SEC guidance from 2018 that “[c]ompanies should consider the materiality of cybersecurity risks and incidents when preparing the disclosure that is required in registration statements.”

Contacts

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following: