10 minute read | July.31.2023
The SEC has finalized rules requiring public companies to disclose information about cybersecurity incidents, risk management, strategy and governance. This guide to help public companies comply with SEC rules covers:
How do the Final Rules Differ from the Proposal?
Key Actions to Prepare for the New Disclosures
Q&A on Cybersecurity Incident Disclosure Rules
Q&A on Cybersecurity Risk Management, Strategy and Governance Rules
Checklist: How to Comply with the New SEC Cybersecurity Disclosure Requirements
Asset Backed Issuers, Foreign Private Issuers and Inline XBRL Tagging
Key departures from the proposal include:
For most companies, the incident disclosure obligations will take effect as early as December 18, 2023, and the risk management, strategy and governance disclosure requirements will apply starting with annual reports for fiscal years ending on or after December 15, 2023. Consequently, most companies will have only a few months to align their internal disclosure processes with the new rules and create the necessary new disclosures.
Key actions to prepare include:
What do the new incident disclosure rules require?
How does the SEC define “cybersecurity incident” and “information system?”
Are there any exceptions to timely reporting of cybersecurity incidents?
What happens if a company fails to report a cybersecurity incident within the time limits?
When must public companies begin to comply?
The rules require a company to disclose a cybersecurity incident on Form 8-K within four business days of determining it “material.”
The new rules require companies to make a materiality determination “without unreasonable delay” after discovering an incident.
The Form 8-K disclosure must address:
If any of the above required information is undetermined or unavailable at the initial filing, companies can include a statement to that effect. After the initial disclosure, companies should file a Form 8-K amendment providing any originally omitted information once such information becomes available. Additionally, there may be situations where a company would need to make correcting amendments to the original Form 8-K if that disclosure becomes inaccurate or materially misleading as a result of subsequent developments. This replaces the proposed rule’s requirement of incident updates in regular quarterly and annual reports.
The SEC provides the following definition for cybersecurity incidents, but notes that companies should construe it broadly:
Notably, this definition includes a “series of related unauthorized occurrences” to capture related cyberattacks that accumulate over time rather than occurring as isolated incidents. As a result, when a company is materially impacted by what seems to be a sequence of interconnected cyber intrusions, the incident disclosure obligations would be triggered, even if the material impact or reasonably likely material impact appears to be divided among the multiple intrusions, making each one seem immaterial on its own.
Relatedly, the SEC provided the following definition for information systems:
The SEC acknowledges that cybersecurity incidents involving third-party service providers are becoming more frequent, so the definition includes resources used by a company.
That means companies must disclose cybersecurity incidents involving third-party providers—and must rely on such third-party providers for information to assess whether the rules require disclosing a cybersecurity incident.
Examples of material and unauthorized cybersecurity incidents that a company may have to disclose include those that:
There is a limited exception permitting delay if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing. While the SEC indicated it has established an interagency communication process to facilitate timely communication of the Attorney General’s determination, we expect exceptions of this nature to be rare. Additionally, telecommunications carriers may delay making an initial incident disclosure for up to seven business days pursuant to an FCC notification rule for breaches of customer proprietary network information, with written notification to the SEC.
Otherwise, the SEC has rejected arguments for reporting delays due to internal or external investigations, including by law enforcement. The rules allow no other delay for other federal or state law incident reporting exceptions.
Accordingly, companies should plan to provide disclosure to the extent known by the Form 8-K filing deadline. However, a company will not be expected to disclose specifics about its planned response to an incident, its cybersecurity systems in such detail as would impede the company’s response or remediation of the incident or information that has been classified by the Federal government for the protection of the interest of national defense or foreign policy.
Such failure to timely file will not impact a company’s Form S-3 eligibility. However, the disclosure must still be made before filing a Form S-3. Further, no failure to file a cybersecurity incident Form 8-K will be deemed a violation of Section 10(b) of the Securities Exchange Act of 1934 or Rule 10b-5 thereunder.
For the incident disclosure requirements on Form 8-K, all registrants, except smaller reporting companies, must start complying on either December 18, 2023, or 90 days after the rules are posted to the Federal Register, whichever is later. Smaller reporting companies must start complying on either June 15, 2024, or 270 days after the rules are posted to the Federal Register, whichever is later.
They require companies to disclose in a new Item 1C on Form 10-K:
Companies must disclose practices to identify and manage cybersecurity threat risks, including whether they:
Given this new disclosure requirement, companies may want to reassess their current practices against best and peer practices and make any necessary enhancements.
Companies must describe whether any cybersecurity risks have, or are likely to, materially affect the company, including its business strategy, results of operations or financial condition, and if so, explain how.
Companies should ensure consistency between any such disclosures and the corresponding risk factor disclosures. Alternatively, if the corresponding risk factor disclosures address these requirements, the company could incorporate them by reference.
Companies must describe:
Notably, in a departure from the proposal, the final rules do not mandate the identification of whether any board member possesses cybersecurity expertise. However, if a company deems board-level expertise to be critical for their cybersecurity risk management, such disclosure could be included in connection with the risk management processes and board oversight disclosures. In addition, the rule also does not specifically require disclosure of the frequency of board review (though the SEC notes that disclosure of the board process for learning about cybersecurity risks may often contain this information) or of the role of cybersecurity in the board’s oversight of business strategy, risk management, and financial oversight.
Companies must disclose whether certain managers or committees assess and manage material cybersecurity risks, including:
In a departure from the proposal, the rule does not specifically require disclosure about whether the company has a chief information security officer, though the SEC noted that this information will often be encompassed in the more general disclosure.
Companies may already disclose information about board oversight of and management’s role in assessing and managing cybersecurity risk in annual meeting proxy statements as well in their sustainability reports, but the new rules require companies to share that information on Form 10-K, too. The rules also request more information than most companies have disclosed before. In any case, companies should ensure consistency between the description of the board’s leadership structure and risk oversight administration typically included in proxy statements, as well as in sustainability reports and the new disclosures now required in Form 10-K.
For the risk management, strategy and governance disclosure requirements in annual reports, all registrants, including smaller reporting companies, must provide such disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023.
Consult our checklist for everything you need to know about the new disclosure obligations, including where and when to provide the required discloses.
* * *
We will continue to monitor developments under these new requirements. If you have any questions regarding these new rules, please contact one of the listed authors of this article or your regular Orrick contact.