On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) adopted final rules regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The final rules require registrants to (1) report on a new Item 1.05 of Form 8-K any cybersecurity incident the registrant determines to be material, and (2) disclose in annual reports on Form 10-K the registrant’s processes for assessing, identifying, and managing material risks from cybersecurity threats, the material impacts of cybersecurity threats and previous cybersecurity incidents, as well as specific information relating to the role of the board and management in identifying and managing risks with respect to cybersecurity. The SEC also adopted rules requiring foreign private issuers to make comparable disclosures.
SEC Chair Gary Gensler stated that he expects the new rules to benefit both companies and investors, explaining that while many companies already disclose cybersecurity-related information, both investors and companies “would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”
Background
Prior to the adoption of the final rules, neither Regulation S-K nor Regulation S-X explicitly required disclosure on cybersecurity. However, as cyber-related risks became more prevalent, the SEC began to take note of the lack of guidance in this area. In 2011, the SEC’s Division of Corporation Finance issued interpretative guidance providing its views on a registrant’s cybersecurity disclosure obligations, followed by additional interpretive guidance in 2018.
On March 9, 2022, the SEC issued proposed rules to formalize disclosure requirements. The final rules are largely similar to the proposed rules, with several important exceptions with respect to cybersecurity disclosures: (1) the final rules narrow the amount of information required to be disclosed on Form 8-K after commenters raised concerns that disclosing some details could exacerbate security threats; (2) the final rules eliminate a proposed Item 106(d)(2) of Regulation S-K, which would have required registrants to make disclosures in their periodic reports when a series of previously undisclosed, individually immaterial cybersecurity incidents became material in the aggregate; and (3) the final rules eliminate a proposed Item 407(j) of Regulation S-K, which would have required disclosure regarding board members’ cybersecurity expertise.
Cybersecurity Incident Reporting on Form 8-K
- The final rules amend Form 8-K to add Item 1.05, requiring registrants to disclose information about a cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident (and not the date the registrant discovers the incident).
- Item 1.05 requires registrants to disclose: (a) a description of the material aspects of the nature, scope, and timing of the cybersecurity incident; and (b) the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations. This is a less burdensome disclosure than contemplated in the proposed rules, which would have also required information regarding when the cybersecurity incident was discovered, whether it was ongoing, and whether the registrant had already remediated or was currently remediating the cybersecurity incident. The final rules also include an instruction to Item 1.05 stating that a registrant does not need to disclose specific or technical information about its planned response to the cybersecurity incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.
- The final rules require a registrant to determine whether a cybersecurity incident is material “without unreasonable delay” after discovering the incident. This is a slightly more lenient standard than the “as soon as reasonably practicable” standard in the proposed rules.
- Under the final rules, “cybersecurity incident” means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein. As a result, even though the final rules do not contain a requirement to disclose in periodic reports when a series of previously undisclosed individually immaterial cybersecurity incidents became material in the aggregate, a registrant will be required to file a Form 8-K if the registrant has been materially affected by a series of related cybersecurity occurrences, each of which individually may be immaterial.
- The final rules include an instruction to Item 1.05 that requires a registrant to include in the Form 8-K a statement identifying any information required by Item 1.05 that is not determined or is unavailable at the time of the required filing. In such a circumstance, the registrant must then file an amendment to the Form 8-K within four business days after the registrant, without unreasonable delay, determines such information or within four business days after such information becomes available.
- Unlike the proposed rules, the final rules allow a registrant to delay making a Form 8-K filing in two limited circumstances:
  - If the United States Attorney General determines that the disclosure poses a substantial risk to national security or public safety and notifies the SEC in writing of such determination, then disclosure on Form 8-K may be delayed for a time period specified by the United States Attorney General, up to 30 days (subject to extension in certain cases) following the date when the disclosure was otherwise required. The SEC noted in the adopting release for the final rules that it has established a process for the Department of Justice to also notify the affected registrant that communication to the SEC has been made so that the registrant may delay filing its Form 8-K.
  - If a registrant is subject to the Federal Communications Commission rule requiring notification of breaches of customer proprietary network information (“CPNI”) to the United States Secret Service (“USSS”) and the Federal Bureau of Investigation (“FBI”) no later than seven business days after reasonable determination of a CPNI breach, then disclosure on Form 8-K may be delayed up to the seven business day period following notification to the USSS and FBI, with written notification to the SEC.
- The final rules provide that untimely filing of a Form 8-K under Item 1.05 would not result in loss of Form S-3 or Form SF-3 eligibility.
- Item 1.05 of Form 8-K requires inline XBRL tagging, including detailed tagging of narrative disclosures.
Cybersecurity Risk Management, Strategy and Governance Disclosures in Annual Reports
- The final rules amend Form 10-K to add new Item 1C and add Item 106 of Regulation S-K, which require disclosure regarding:
  - A registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. This is a slightly more flexible standard than the “policies and procedures” required to be disclosed in the proposed rules. As noted in the adopting release for the final rules, this change was made to address concerns that the proposed rules would provide too much detail and thus create security threats. The final rules provide the following non-exclusive list of disclosure items:
    - Whether and how any such processes have been integrated into the registrant’s overall risk management system or processes;
    - Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
    - Whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.
  - Whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition, and, if so, how.
  - The board of directors’ oversight of risks from cybersecurity threats and, if applicable, the identity of any board committee or subcommittee responsible for such oversight and the processes by which the board or such committee is informed about such risks. This is a narrower disclosure than what would have been required under the proposed rules, which would have required more information regarding how cybersecurity related to the registrant’s business strategy as well as additional information about the frequency of cybersecurity discussions at board meetings.
  - Management’s role in assessing and managing the registrant’s material risks from cybersecurity threats, in a manner that is also less detailed than what was contemplated under the proposed rules (which would have required information about the frequency of management’s cybersecurity discussions). The final rules provide the following non-exclusive list of disclosure items:
    - Whether and which management positions or committees are responsible for assessing and managing such risks and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
    - The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
    - Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.
- Item 106 of Regulation S-K requires inline XBRL tagging, including detailed tagging of narrative disclosures.
Foreign Private Issuers
- The final rules amend Form 6-K to add “cybersecurity incidents” as a reporting topic per General Instruction B. As a result, foreign private issuers will be required to disclose cybersecurity incidents on Form 6-K if they disclose or are required to disclose such incidents pursuant to the law of the jurisdiction in which they are organized, with a stock exchange, or to their security holders.
- The final rules amend Form 20-F to require foreign private issuers to provide cybersecurity disclosures in their annual reports in a new Item 16K that are the same type of disclosures required in Item 106 of Regulation S-K for domestic registrants.
Timing of Effectiveness of the Final Rules
- With respect to compliance with the cybersecurity incident disclosure requirements in Form 8-K Item 1.05 and Form 6-K, all registrants other than smaller reporting companies must begin complying on the later of 90 days after the date of publication of the new rules in the Federal Register or December 18, 2023.
- Smaller reporting companies will have an additional 180 days and must begin complying with Form 8-K Item 1.05 on the later of 270 days from the effective date of the rules or June 15, 2024.
- With respect to Regulation S-K Item 106 and the corresponding requirements in Form 10-K and the comparable requirements of Form 20-F, all registrants must provide such disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023. For calendar year companies, this means that the disclosures will be required in their 2023 Form 10-K or Form 20-F filed in 2024.
- All registrants must tag disclosures required under the final rules in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.
Recommended Actions
Due to the ever-increasing prevalence of technology in businesses across all industries, the increase in cybersecurity incidents, and these additional disclosure obligations around cybersecurity incidents for registrants, we expect cybersecurity to continue to be an area of focus for businesses, regulators, and investors. In light of this focus, we recommend registrants and their directors and officers consider the following recommended actions:
- Registrants should evaluate their cyber incident reporting disclosure controls and procedures to ensure that information is elevated to management in a timely manner and that appropriate materiality determinations are made in light of the four business day requirement to file an Item 1.05 Form 8-K.
- Registrants should review and test their cybersecurity incident response plans to ensure incidents are appropriately reported throughout the organization. These plans should be regularly reviewed and tested through mock tabletop exercises to ensure a timely and adequate response. With the new disclosure requirements, it is important that testing include management to ensure the ability of the organization to meet its increased disclosure obligations in connection with cybersecurity incidents. Further, registrants should delineate the personnel/team responsible for determining whether a cybersecurity incident is material as well as their specific decision-making and documentation processes.
- Boards should still be cognizant of which directors have expertise or experience with cybersecurity and which committees or subcommittees, if any, are responsible, or should be responsible, for providing oversight with respect to cybersecurity matters and amend governance documents accordingly. Additionally, though the final SEC rules do not require disclosure of individual director expertise with cybersecurity, we expect many companies will continue to make or add this disclosure in connection with director skills matrices.
- Registrants should identify, if not already clear under current company policies and procedures, specifically who is responsible for monitoring risks from cybersecurity threats, and should understand how these processes will now be disclosed: how cybersecurity risks are identified, and how cybersecurity incidents are discovered, mitigated, and remediated. There will be increased pressure on registrants to develop comprehensive, risk-based cybersecurity management programs to monitor the evolving risks to their companies. Such programs should include, as appropriate, completing a data map of information and systems, determining applicable cybersecurity frameworks, conducting risk assessments and penetration tests, implementing reasonable security measures, having contractual protections (including to help ensure there are processes in place to oversee and identify third-party service provider risk), evaluating cyber insurance options, implementing workforce training, and conducting mock tabletop exercises, among other measures depending upon the registrant’s industry and specific cybersecurity risks.
- Registrants should determine and document the assessors, consultants, auditors, and other third parties assisting them with their cybersecurity programs, especially the third parties that will assist with incident response, including IT forensics, public relations, ransom negotiation, disaster recovery, and law firm experts.