SEC Cybersecurity Disclosure Rules: Top Takeaways and Action Items for Public Companies

10 minute read | July.31.2023

The SEC has finalized rules requiring public companies to disclose information about cybersecurity incidents, risk management, strategy and governance. This guide to help public companies comply with SEC rules covers:

How do the Final Rules Differ from the Proposal?
Key Actions to Prepare for the New Disclosures
Q&A on Cybersecurity Incident Disclosure Rules
Q&A on Cybersecurity Risk Management, Strategy and Governance Rules
Checklist: How to Comply with the New SEC Cybersecurity Disclosure Requirements
Asset Backed Issuers, Foreign Private Issuers and Inline XBRL Tagging
Learn More

How do the Final Rules Differ from the Proposal?

Key departures from the proposal include:

Changing the timing for company determination of whether an incident is material from “as soon as is reasonably practicable” to “without unreasonable delay.”
Limiting the scope of required incident disclosures to the nature, scope and timing of the incident, as well as known or likely impacts of the incident on the company.
Requiring updated incident disclosure information on an amended Form 8-K rather than in annual and quarterly reports.
Providing a limited delay for incident disclosures that could present significant risks to national security or public safety, as determined by the U.S. Attorney General.
Minimizing the proposed disclosure elements concerning risk management, strategy and governance.
Removing the proposed obligation to disclose board cybersecurity expertise and certain other specific governance disclosures.

Key Actions to Prepare for the New Disclosures

For most companies, the incident disclosure obligations will take effect as early as December 18, 2023, and the risk management, strategy and governance disclosure requirements will apply starting with annual reports for fiscal years ending on or after December 15, 2023. Consequently, most companies will have only a few months to align their internal disclosure processes with the new rules and create the necessary new disclosures.

Key actions to prepare include:

Assess existing disclosure controls and procedures for the ongoing evaluation and re-evaluation of cybersecurity incident materiality to ensure the company is prepared for timely compliance with the new incident disclosure regime.
Create a framework (or reevaluate an existing framework) for making a materiality determination in the context of cybersecurity incidents with input from counsel, persons who oversee cybersecurity and the disclosure committee.
Ensure that the appropriate members of management and other personnel are participating in the disclosure process.
Document the relevant cybersecurity expertise of the members of management or committees responsible for assessing and managing cybersecurity risks, if not already obtained.
Review controls and procedures applying to third-party cybersecurity incidents and evaluate whether contracts with third parties provide for sufficient information sharing and cooperation given the new rules.
Review and update—or start preparing new—disclosures related to the company’s risk management processes, identified risks, board oversight and management’s role in cybersecurity risk management.
Review existing disclosures on these topics (for example, proxy and sustainability reports) to ensure consistency.
Reevaluate how cybersecurity risk is being overseen by the company’s enterprise management function.
Educate the Board, persons overseeing cybersecurity and the disclosure committee regarding the impact of the new rules.

Q&A on Cybersecurity Incident Disclosure Rules

What do the new incident disclosure rules require?
How does the SEC define “cybersecurity incident” and “information system?”
Are there any exceptions to timely reporting of cybersecurity incidents?
What happens if a company fails to report a cybersecurity incident within the time limits?
When must public companies begin to comply?

What do the new incident disclosure rules require?

The rules require a company to disclose a cybersecurity incident on Form 8-K within four business days of determining it “material.”

The new rules require companies to make a materiality determination “without unreasonable delay” after discovering an incident.

The Form 8-K disclosure must address:

The material aspects of the nature, scope and timing of the incident.
The material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.

If any of the above required information is undetermined or unavailable at the initial filing, companies can include a statement to that effect. After the initial disclosure, companies should file a Form 8-K amendment providing any originally omitted information once such information becomes available. Additionally, there may be situations where a company would need to make correcting amendments to the original Form 8-K if that disclosure becomes inaccurate or materially misleading as a result of subsequent developments. This replaces the proposed rule’s requirement of incident updates in regular quarterly and annual reports.

How does the SEC define “cybersecurity incident” and “information system?”

The SEC provides the following definition for cybersecurity incidents, but notes that companies should construe it broadly:

“Cybersecurity incident means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”

Notably, this definition includes a “series of related unauthorized occurrences” to capture related cyberattacks that accumulate over time rather than occurring as isolated incidents. As a result, when a company is materially impacted by what seems to be a sequence of interconnected cyber intrusions, the incident disclosure obligations would be triggered, even if the material impact or reasonably likely material impact appears to be divided among the multiple intrusions, making each one seem immaterial on its own.

Relatedly, the SEC provided the following definition for information systems:

“Information systems means electronic information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant’s information to maintain or support the registrant’s operations.”

The SEC acknowledges that cybersecurity incidents involving third-party service providers are becoming more frequent, so the definition includes resources used by a company.

That means companies must disclose cybersecurity incidents involving third-party providers—and must rely on such third-party providers for information to assess whether the rules require disclosing a cybersecurity incident.

Examples of material and unauthorized cybersecurity incidents that a company may have to disclose include those that:

Damage or disable operational technology systems.
Compromise an information asset’s confidentiality or integrity.
Result in stolen sensitive information and loss or liability for the company.
Arise from a string of interconnected attacks by various actors exploiting the same vulnerability, collectively and materially hindering the company’s business.

Are there any exceptions to timely reporting of cybersecurity incidents?

There is a limited exception permitting delay if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing. While the SEC indicated it has established an interagency communication process to facilitate timely communication of the Attorney General’s determination, we expect exceptions of this nature to be rare. Additionally, telecommunications carriers may delay making an initial incident disclosure for up to seven business days pursuant to an FCC notification rule for breaches of customer proprietary network information, with written notification to the SEC.

Otherwise, the SEC has rejected arguments for reporting delays due to internal or external investigations, including by law enforcement. The rules allow no other delay for other federal or state law incident reporting exceptions.

Accordingly, companies should plan to provide disclosure to the extent known by the Form 8-K filing deadline. However, a company will not be expected to disclose specifics about its planned response to an incident, its cybersecurity systems in such detail as would impede the company’s response or remediation of the incident or information that has been classified by the Federal government for the protection of the interest of national defense or foreign policy.

What happens if a company fails to report a cybersecurity incident within the time limits?

Such failure to timely file will not impact a company’s Form S-3 eligibility. However, the disclosure must still be made before filing a Form S-3. Further, no failure to file a cybersecurity incident Form 8-K will be deemed a violation of Section 10(b) of the Securities Exchange Act of 1934 or Rule 10b-5 thereunder.

When must public companies begin to comply?

For the incident disclosure requirements on Form 8-K, all registrants, except smaller reporting companies, must start complying on either December 18, 2023, or 90 days after the rules are posted to the Federal Register, whichever is later. Smaller reporting companies must start complying on either June 15, 2024, or 270 days after the rules are posted to the Federal Register, whichever is later.

Q&A on Cybersecurity Risk Management, Strategy and Governance Rules

What do the new annual disclosure rules require?
What disclosure does the SEC expect?
When must public companies begin to comply?

What do the new annual disclosure rules require?

They require companies to disclose in a new Item 1C on Form 10-K:

Processes, if any, to assess, identify and manage material risks from cybersecurity threats.
If any cybersecurity risks have materially affected or are reasonably likely to materially affect their business strategy, results of operations or financial condition.
Board oversight of risks from cybersecurity threats.
Management’s role and expertise in assessing and managing material risks from cybersecurity threats.

What disclosure does the SEC expect?

Risk Management Processes
Companies must disclose practices to identify and manage cybersecurity threat risks, including whether they:
- Have integrated such processes into their overall risk management system.
- Engage assessors, consultants, auditors or other third parties in connection with any such processes.
- Address risks associated with the use of any third-party service providers.
Given this new disclosure requirement, companies may want to reassess their current practices against best and peer practices and make any necessary enhancements.
Risk Identification
Companies must describe whether any cybersecurity risks have, or are likely to, materially affect the company, including its business strategy, results of operations or financial condition, and if so, explain how.

Companies should ensure consistency between any such disclosures and the corresponding risk factor disclosures. Alternatively, if the corresponding risk factor disclosures address these requirements, the company could incorporate them by reference.
Board Oversight
Companies must describe:
- Any board committee or subcommittee that oversees cybersecurity related risks.
- How the board learns of such risks.
Notably, in a departure from the proposal, the final rules do not mandate the identification of whether any board member possesses cybersecurity expertise. However, if a company deems board-level expertise to be critical for their cybersecurity risk management, such disclosure could be included in connection with the risk management processes and board oversight disclosures. In addition, the rule also does not specifically require disclosure of the frequency of board review (though the SEC notes that disclosure of the board process for learning about cybersecurity risks may often contain this information) or of the role of cybersecurity in the board’s oversight of business strategy, risk management, and financial oversight.
Management’s Role
Companies must disclose whether certain managers or committees assess and manage material cybersecurity risks, including:
- Their relevant expertise, including consideration of:
  - Prior cybersecurity work experience.
  - A relevant certification or degree.
  - Knowledge, skills or other background in cybersecurity.
- How they learn about cybersecurity incidents.
- If they report information about such risks to the board, or a board committee or subcommittee.

In a departure from the proposal, the rule does not specifically require disclosure about whether the company has a chief information security officer, though the SEC noted that this information will often be encompassed in the more general disclosure.

Companies may already disclose information about board oversight of and management’s role in assessing and managing cybersecurity risk in annual meeting proxy statements as well in their sustainability reports, but the new rules require companies to share that information on Form 10-K, too. The rules also request more information than most companies have disclosed before. In any case, companies should ensure consistency between the description of the board’s leadership structure and risk oversight administration typically included in proxy statements, as well as in sustainability reports and the new disclosures now required in Form 10-K.

When must public companies begin to comply?

For the risk management, strategy and governance disclosure requirements in annual reports, all registrants, including smaller reporting companies, must provide such disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023.

Checklist: How to Comply with the New SEC Cybersecurity Disclosure Requirements

Consult our checklist for everything you need to know about the new disclosure obligations, including where and when to provide the required discloses.

Asset Backed Issuers, Foreign Private Issuers and Inline XBRL Tagging

The rules:

Exempt asset-backed issuers from compliance.
Require foreign private issuers to provide analogous disclosure in Form 6-K and Form 20-F.
Require companies to tag all of the new cybersecurity disclosures in Inline XBRL starting one year after initial compliance with the related disclosure requirements.

Learn More

SEC news release
SEC fact sheet
SEC final rule

Related SEC guidance from 2011 and 2018 remains in place.

* * *

We will continue to monitor developments under these new requirements. If you have any questions regarding these new rules, please contact one of the listed authors of this article or your regular Orrick contact.

Authors

Bobby Bee Practice Support Counsel, Capital Markets

New York

See my bio

D:+1 212 506 5000
E: [email protected]

Practice:

Capital Markets

vCard

See full bio

Bobby Bee Practice Support Counsel

New York

Prior to joining Orrick, he was with Lowenstein Sandler LLP from 2015 to 2022, with a practice focusing on public company governance matters and securities law compliance, including reporting and disclosure obligations under the Securities Exchange Act of 1934. He also advised companies regarding capital markets transactions including IPOs, SPACs, follow-on offerings, shelf registrations, and private placements.

Prior to Lowenstein Sandler LLP, Bobby’s experience included positions as a tax senior for Deloitte Tax LLP and a financial statement audit senior for Deloitte & Touche.

Carolyn Frantz Senior Counsel

Seattle

See my bio

Practice:

vCard

See full bio

Carolyn Frantz Senior Counsel

Seattle

A former Rhodes Scholar, Carolyn clerked for Supreme Court Justice Sandra Day O’Connor and D.C. Circuit Court of Appeals Judge David S. Tatel, before teaching at the University of Chicago Law School. She was a litigation partner at a major law firm for eight years before joining Microsoft, where she managed the company’s worldwide tax litigation until her appointment as Corporate Secretary.

As Microsoft’s Corporate Secretary, Carolyn had the opportunity to work closely with the company’s Board of Directors and senior leadership, gaining a first-hand understanding of the opportunities and challenges facing technology companies in a dynamic competitive and regulatory environment. As the head of the Corporate Legal Group, Carolyn was responsible for legal issues regarding securities law and disclosures, treasury and finance, international trade, procurement, real estate, and many other issues. Building on her extensive litigation experience, which includes managing tax disputes domestically and abroad, as well as litigating multidistrict products liability, consumer cases, and commercial contract disputes, Carolyn understands the practical challenges companies face and how those intersect with Board reporting, securities disclosures, and internal accountability. She also brings her understanding of board governance, corporate law, and ESG to select litigation matters.

Carolyn is also frequently called on to serve as a resource to new legal leaders in their roles supporting and interacting with their Boards.

J. T. Ho Partner, Corporate Governance, Capital Markets

San Francisco

See my bio

D:+1 415 773 5624
E: [email protected]

Practice:

Corporate Governance
Capital Markets
Compensation & Benefits
Environmental, Social & Corporate Governance (ESG)

vCard

See full bio

J. T. Ho Partner

San Francisco

J.T. counsels companies on Board and committee oversight, assessment and composition issues, developing effective shareholder engagement programs and governance-related disclosures, and helps companies to understand and consider the views of proxy advisors and institutional shareholders and other long-term stakeholders in their decision making. Recently, he has helped many companies successfully address ESG related shareholder proposals and activism campaigns and refine their disclosure controls and procedures and enterprise risk management programs to address cybersecurity and climate risk.

On the securities front, he focuses on advising clients in connection with securities offerings, proxy statements, periodic SEC reports, stock exchange listing obligations, stock repurchases and the sale and reporting of securities by insiders. He regularly counsels companies on difficult disclosure issues and provides training on disclosure best practices.

J.T. also advises on compensation committee matters and related disclosures as well as the design of cash and equity incentive plans, and has helped over a dozen companies remediate failed or low "say on pay" votes.

J.T. plays a leading role in Orrick’s ESG practice, helping companies identify and understand the risks and opportunities associated with ESG and incorporating ESG into a company’s overall business strategy and incentive plans. More recently, he has helped companies navigate the growing anti-ESG movement.

J.T. serves on the advisory board of The Corporate Counsel and hosts J.T.'s Fast Five, a monthly podcast on The Corporate Counsel where J.T. covers the five things public companies ought know each month. J.T. Ho also regularly presents on and contributes articles related to corporate governance, securities, executive compensation and ESG. He has presented at notable conferences sponsored by The Corporate Counsel, the Securities Regulation Institute, The Rock Center for Corporate Governance, the Society for Corporate Governance, the ABA, the Practical Law Institute, Compensation Standards, Practical ESG and NASPP. He is recognized as a Next Generation Partner by Legal 500, as one of the Ones to Watch® Best Lawyers in America, and was named a Rising Star by Super Lawyers in 2018, 2019, 2020, 2021 and 2022.

Bill Hughes Partner, Capital Markets, Technology Companies Group

San Francisco; Silicon Valley

See my bio

D:+1 415 773 5720
E: [email protected]

Practice:

Capital Markets
Technology Companies Group
Special Purpose Acquisition Companies (SPACs)

vCard

See full bio

Bill Hughes Partner

San Francisco; Silicon Valley

Bill counsels public and late-stage private companies on general corporate and transactional matters, including advising on initial public offerings, follow-on equity offerings, direct listings, investment grade debt offerings and convertible debt offerings. He also regularly advises companies on disclosure and reporting obligations under U.S. federal securities laws, corporate governance issues and stock exchange listing obligations.

Additionally, Bill advises founders and companies in connection with public listings through SPAC merger. Among other engagements, Bill represented Getaround, Inc., a connected carsharing marketplace, Clover Health Investments, Corp., a next-generation Medicare Advantage insurer, and the founders of DraftKings Inc., a digital sports entertainment and gaming company, in the respective de-SPAC transactions of those entities.

Chambers USA has ranked Bill for his expertise in Capital Markets Debt & Equity and noted that "He's a great lawyer, really technically sound."

Heather Egan Partner, Cyber, Privacy & Data Innovation, Global Compliance & Regulatory

Boston

See my bio

D:+1 617 880 1830
E: [email protected]

Practice:

Technology & Innovation Sector
Finance Sector
Energy & Infrastructure Sector
Cyber, Privacy & Data Innovation
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Technology & Innovation
Fintech
Environmental, Social & Corporate Governance (ESG)
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Heather Egan Partner

Boston

Heather partners with clients to reduce the risk of privacy and security incidents. In the event of an incident, she helps companies respond, successfully guiding them through investigation, remediation, notification and any ensuing government inquiries. She provides comprehensive crisis management support and companies rely on her to manage their response to catastrophes, investigations and government probes involving conduct by employees, contractors and third parties.

To help clients navigate complicated global regulatory compliance challenges, she leads comprehensive cybersecurity and privacy assessments worldwide, vets risks in corporate transactions, conducts internal investigations stemming from data incidents, and drafts and negotiates contracts concerning data-related vendors and arrangements. She regularly counsels businesses on how to mitigate risks associated with the collection, use, retention, disclosure, transfer and disposal of personal data. Outside of the U.S., she manages teams of talented counsel around the world to deliver seamless advice for clients that operate across many jurisdictional lines, developing comprehensive privacy and cybersecurity programs that address competing regulatory regimes.

Joseph C Santiesteban Partner, Cyber, Privacy & Data Innovation, California Consumer Privacy Act

Seattle

See my bio

D:+1 206 839 4352
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
California Consumer Privacy Act
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Joseph C Santiesteban Partner

Seattle

He brings significant experience advising companies – from one of the largest telecommunications providers to leading entertainment companies to startups on the cutting-edge of AI and more – on the full cycle of an incident. He also advises clients regarding regulatory investigations, class actions, and contract disputes that frequently flow from privacy and cybersecurity incidents.

His goal is to help clients respond quickly and with integrity to protect their brand, build trust and mitigate legal risk. He is highly adept at directing incident investigations, analyzing potential claims and defenses, examining potential notification obligations and advising on communications strategies that build trust and engagement.

Joe is committed to using these experiences to finding creative and engaging strategies to help companies proactively prepare for an incident and mitigate cybersecurity legal risk. This includes helping to build and improve incident response programs through incident response plans, simulated incidents, threat workshops, and training. It also includes assisting clients to practically evaluate legal risk of security decisions in a variety of transactions and across the product lifecycle. He is driven by a desire to evolve what it means to be a cybersecurity lawyer in the face of rapidly evolving technologies and laws. As a leader, he strives to create spaces where people are valued and solve problems creatively and collaboratively.

He also provides strategic advice to cybersecurity companies, including those looking to push technological and defense boundaries in cyber defense, incident response, and threat intelligence. This includes helping companies maximize their security offerings by navigating the Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), and the Federal Wiretap Act, as well as state law analogs.

Joe serves on the Orrick’s Finance and Audit Committee and Pro Bono Committee. A leader and advocate for diversity and inclusion initiatives, Joseph is the co-head of the Latinx affinity group at Orrick and served as a fellow for the Leadership Counsel on Legal Diversity. He is also a member of the Washington Latino Bar Association and the Hispanic National Bar Association.

Aravind Swaminathan Partner, Cyber, Privacy & Data Innovation, Class Action Defense

Seattle; Boston

See my bio

Practice:

Finance Sector
Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Class Action Defense
White Collar, Investigations, Securities Litigation & Compliance
Government Investigations and Enforcement Actions
Trials
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Aravind Swaminathan Partner

Seattle; Boston

A leading cybersecurity and online safety authority, Aravind is recognized by Chambers USA in Privacy and Data Security in both Litigation and Incident Response. Clients describe him as “a very talented lawyer experienced with incident responses” and “incredibly responsive and technically savvy.”

Aravind’s deep knowledge of his clients’ business objectives and technological capabilities distinguishes him as a strategic advisor and frontline crisis responder. He advises some of the world’s leading online platforms, public and private financial institutions, tech companies, higher education institutions, and critical infrastructure providers on cybersecurity, and their obligations to monitor and remove harmful or illegal content online and root out instances of child exploitation.

He is adept at guiding companies through cybersecurity incidents, having directed more than 500 data breach investigations, including enterprise-wide network intrusions to cyberattacks with national security implications. Aravind defends clients in an array of cybersecurity and privacy class actions and regulatory enforcement actions brought by the SEC, FTC, NY DFS and State AGs, and also represents individual C-level executives in criminal and civil regulatory enforcement matters.

As a former assistant United States attorney, he investigated and prosecuted a broad array of cybercrime, child exploitation cases, digital crimes, and white-collar crime cases. This first-hand knowledge of federal agencies allows him to navigate the system, partner with investigators and find creative solutions for clients.

Aravind is a member of Orrick’s Board of Directors, and he devotes much of his free time to advising independent schools on AI, online safety, and cybersecurity, and teaching and coaching.

SEC Cybersecurity Disclosure Rules: Top Takeaways and Action Items for Public Companies

How do the Final Rules Differ from the Proposal?

Key Actions to Prepare for the New Disclosures

Q&A on Cybersecurity Incident Disclosure Rules

What do the new incident disclosure rules require?

How does the SEC define “cybersecurity incident” and “information system?”

Are there any exceptions to timely reporting of cybersecurity incidents?

What happens if a company fails to report a cybersecurity incident within the time limits?

When must public companies begin to comply?

Q&A on Cybersecurity Risk Management, Strategy and Governance Rules

What do the new annual disclosure rules require?

What disclosure does the SEC expect?

When must public companies begin to comply?

Checklist: How to Comply with the New SEC Cybersecurity Disclosure Requirements

Asset Backed Issuers, Foreign Private Issuers and Inline XBRL Tagging

Learn More

Also of Interest

The SEC’s Proposed Cybersecurity Disclosure Requirements: What...

The SEC’s Proposed New Cybersecurity Disclosure Requirements: ABS...

The SEC's Proposed New Cybersecurity Disclosure Requirements for...