On July 26, 2023, the US Securities and Exchange Commission (SEC) adopted final rules and amendments mandating disclosure regarding cybersecurity risk management, strategy, governance, and incident reporting, including amendments to Forms 8-K, 6-K, 10-K, and 20-F. Under the new framework, public companies must report certain details of a cybersecurity incident within four days of determining that the incident is material, and must provide certain expanded, standardized cybersecurity-related disclosures and assessments in annual reports.
Approved in a 3-2 vote, the new rules and amendments (the Final Rule) amend Regulation S-K, Regulation S-T, and certain provisions of the Securities Act of 1933, as amended (the Securities Act), and the Securities Exchange Act of 1934, as amended (the Exchange Act), by expanding and standardizing companies’ disclosures concerning cybersecurity risk management, strategy, governance, and incident reporting.
Following the promulgation of more informal principles-based interpretative guidance by the SEC in recent years, the Final Rule formalizes the SEC’s efforts to address its concerns regarding information asymmetry and under-disclosure around the cause, scope, impact, and materiality of cybersecurity incidents.
In summary, the Final Rule
The rules require comparable disclosures by foreign private issuers (FPIs) on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.
The information required to be disclosed pursuant to the Final Rule must also be reported using Inline eXtensible Business Reporting Language (Inline XBRL), as further discussed below.
In a departure from the proposed cybersecurity disclosure mandates the agency released for comment on March 9, 2022 (the Proposed Rule), the SEC did not adopt controversial provisions that would have required disclosure of individual board members’ cybersecurity expertise, aggregation of immaterial cybersecurity incidents for materiality analyses, or updates on previously reported material cybersecurity incidents in periodic or annual reports.
Current Reporting of Cybersecurity Incidents on Form 8-K
Under the Final Rule, Form 8-K was amended to add a new Item 1.05, which requires companies to disclose information about a material cybersecurity incident within four business days, as is the case with all other Form 8-K items. While the requirement to report within four days may seem aggressive and potentially challenging when compared to other breach notification laws in the United States, which typically require reporting within 30 to 60 days, it is important to underscore that the triggering date for the Form 8-K filing is the date that the company concludes that a cybersecurity incident is material, not the date the event occurred or even the date the company became aware of it.
This approach recognizes the reality that following the occurrence of a cybersecurity incident, such as a compromise of a company’s information system and infrastructure, it is often necessary for the company to expend significant time and effort to discover, review, analyze, and assess the impact. At the time of the initial discovery of an incident, and for some time after that, very little is known about what has happened, and a materiality determination is likely to be difficult.
While the Final Rule does not impose a deadline for determining materiality, it does require that, following the discovery of an incident, companies determine the materiality of the incident through an informed and deliberative process “without unreasonable delay.” As a practical matter, this means that companies that have discovered an incident should promptly engage outside counsel, forensic cyber experts, and other appropriate service professionals to investigate the incident and determine facts necessary to make a materiality determination.
In narrowing the wide disclosure purview initially outlined in the Proposed Rule, the SEC stresses that the new Item 1.05 of Form 8-K requires disclosure primarily on the impacts of a material cybersecurity incident, rather than details regarding the incident itself. This revision seeks to balance investors’ information needs with the risk that provision of overly specific incident data may empower cyber attackers with knowledge that could facilitate additional nefarious activity.
Accordingly, and unlike the Proposed Rule’s suggestion, the new Item 1.05 of Form 8-K mandated by the Final Rule does not affirmatively require disclosure of technical information about an incident’s remediation status (e.g., whether it is ongoing or whether data were compromised) or “potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident,” though companies should take such factors into consideration in their materiality analysis.
Instead, the more streamlined Final Rule requires that, upon determining that a cybersecurity incident is material, a company more broadly describe:
Companies can avail themselves of an extremely limited exception to the four-day deadline under the new Form 8-K requirement: disclosure may be delayed if the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing.
Initially, disclosure may be delayed for a period specified by the Attorney General, up to 30 days following the date when the disclosure was otherwise required to be provided, with an additional 30-day extension at the Attorney General’s discretion should there be a determination that disclosure continues to pose substantial national security or public safety risk. Only under extraordinary circumstances can that delay be extended beyond 60 days.
Of note, although the Proposed Rule would have required a company to provide updated disclosure in its Form 10-Q (or, for the fourth quarter, in its Form 10-K) relating to cybersecurity incidents previously reported on Form 8-K, the Final Rule instead directs registrants to include in their initial Item 1.05 Form 8-K filings a statement identifying any information required under Item 1.05 that is not yet determined or that is unavailable at the time of the required filing. Within four days of such missing information becoming available, the company should then file a Form 8-K amendment containing such information.
Disclosure under new Item 1.05 on Form 8-K will be deemed to be filed rather than furnished with the SEC for purposes of liability under Section 18 of the Exchange Act, and the Final Rule includes amendments to Rules 13a-11(c) and 15d-11(c) under the Exchange Act to include new Item 1.05 in the list of Form 8-K items eligible for a limited safe harbor from liability under Section 10(b) or Rule 10b-5 under the Exchange Act. In addition, the Final Rule amends the Form S-3 “safe harbor” provision to provide that a failure to file an Item 1.05 Form 8-K will not result in a loss of Form S-3 eligibility.
The Final Rule also includes a corresponding amendment to Form 6-K for FPIs to include material cybersecurity incidents as a reportable event under Form 6-K. However, for FPIs such information will be deemed to be furnished, not filed.
Materiality Assessment and Reasonable Investor Test
A key implication of the Final Rule is that companies should have processes in place not only to manage the risk of cybersecurity events but also to assess the materiality of such events in short order once they occur. The Final Rule emphasizes the SEC’s expectation that a public company will be deliberate and diligent in considering materiality, and that such an assessment will take into account both quantitative and qualitative factors while still ensuring timely disclosure under the form.
The Final Rule reiterated the standard definition of materiality (also cited in the Proposed Rule) that courts apply in federal securities law cases: information is material “if there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision or if a disclosure would “significantly alter[] the ‘total mix’ of information made available” to investors. TSC Indus. v. Northway, 426 U.S. 438, 449 (1976); Basic, Inc. v. Levinson, 485 U.S. 224, 232 (1988). As the Final Rule notes, “materiality turns on how a reasonable investor would consider the incident’s impact on the [company].”
Many companies start their materiality assessments based on the likely financial outcomes, and the Final Rule underscores this, stating that “most [companies’] materiality analyses will include consideration of the financial impact of a cybersecurity incident.” The Final Rule also notes that “lack of quantifiable harm” does not equate to a lack of finding of materiality, stating that, for example, an incident that results in significant reputational harm may need to be disclosed “if the reputational harm is material.”
The Final Rule provides and references nonexhaustive examples of factors the SEC would expect companies to consider in making materiality assessments, many of which may be difficult to quantify:
Periodic Reporting of Cybersecurity Matters
The Final Rule explicitly mandates cybersecurity-related disclosure that companies are required to provide in their periodic filings. Through the creation of the new Item 106 of Regulation S-K, the Final Rule requires that a company, in its Form 10-K annual report,
Notably, new Item 106 of Regulation S-K requires a description of a company’s “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes” and assess a company’s cybersecurity risk profile. However, the SEC clarifies that the Final Rule does not require an at-length description of a company’s specific “policies and procedures” or disclosure of the types of operational details that could be weaponized by threat actors.
The Final Rule also includes corresponding amendments to Form 20-F for FPIs to include similar periodic reporting disclosures.
Inline XBRL Requirements
As noted above, the Final Rule also includes the requirement for registrants to tag the information provided by Item 1.05 of Form 8-K and Item 106 of Regulation S-K in Inline XBRL, including the narrative disclosures in addition to quantitative information. The SEC noted that requiring the disclosure to be tagged in such a manner will allow the public and all interested parties to more easily extract and analyze information regarding cybersecurity events.
As adopted, the Final Rule imposes a variety of new and mandatory cybersecurity disclosure obligations for public companies. Although such disclosures must now become more standardized in response to the Final Rule, most companies will still need to assess how best to disclose their cybersecurity oversight and risk management processes in their periodic reports in light of their particular business operations and industries.
The SEC has made clear that these new disclosure requirements are nonexhaustive and fundamentally designed to ensure that companies “disclose whatever information is necessary, based on their facts and circumstances, for a reasonable investor to understand their cybersecurity processes” and associated risks when making investment decisions.
Furthermore, the current reporting obligation added to Form 8-K creates an additional disclosure requirement on a relatively short timeline should a company experience a material cybersecurity incident in the future. Companies will have to balance the need for robust disclosure under the Final Rule with other factors, including limited and potentially changing information about the incident, and the need to avoid disclosing information that might provide a roadmap or other insight to threat actors.
The Final Rule becomes effective 30 days following publication of the adopting release in the Federal Register. Incident-specific disclosures under the Final Rule will be required in Forms 8-K and 6-K beginning either 90 days after the rule’s publication in the Federal Register or on December 18, 2023, whichever is later, though smaller reporting companies will have an extra 180 days before they must begin providing such disclosures.
With respect to annual disclosures on cybersecurity risk management, strategy, and governance, all public companies with fiscal years ending on or after December 15, 2023 must provide such disclosures beginning with their 2023 Form 10-K or 20-F. While the Final Rule is not effective immediately, public companies should keep in mind that the Division of Enforcement has been and continues to be focused on cybersecurity disclosures, and as such companies should ensure that they have robust disclosure controls and processes in place now to withstand any scrutiny should a breach occur.
In light of the Final Rule and the SEC’s increased focus on cybersecurity risk management generally, it is important for companies to take proactive steps now to address cybersecurity issues in anticipation of these new disclosure requirements. Specifically, public companies should consider the following:
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following: