[Note: This article has been updated to reflect the updated compliance dates upon publication of the final rules in the Federal Register.]
On July 26, the U.S. Securities and Exchange Commission adopted rules to enhance and standardize public company disclosure of cybersecurity incidents, risk management, strategy and governance.
In particular, the rules, which were proposed on March 9, 2022 (see alert), will require current reporting on Form 8-K of material cybersecurity incidents within four days of determining materiality, as well as annual disclosures about a company’s processes to assess, identify and manage material risks from cybersecurity threats; management’s role in assessing and managing material risks from such threats; and the board’s role in providing oversight of such material risks. The key provisions of the rules are summarized in this alert.
Background and Overview
The rules are in response to inconsistencies and underreporting that the SEC says it has observed with respect to material cybersecurity incidents and threats. In addition to these rules, the SEC’s previous interpretive guidance regarding disclosure obligations of cybersecurity risks in CF Disclosure Guidance: Topic No. 2 – Cybersecurity from 2011 and Commission Statement and Guidance on Public Company Cybersecurity Disclosures from 2018 will continue to apply.
Under the rules, a cybersecurity incident is “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a [company]’s information systems or any information residing therein.” A cybersecurity threat is “any potential unauthorized occurrence on or conducted through a [company]’s information systems that may result in adverse effects on the confidentiality, integrity or availability of a [company]’s information systems or any information residing therein.”
In summary, the rules:
- Amend Form 8-K to require a company to disclose a material cybersecurity incident within four days of determining materiality, including a description of the material aspects of the incident’s nature, scope and timing, and the material impact or reasonably likely material impact on the company, including its financial condition or results of operations.
- Add new Item 106 to Regulation S-K, which will require a company to describe in its annual report on Form 10-K:
  - Its processes for the assessment, identification and management of material risks from cybersecurity threats, and whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect its business strategy, results of operations or financial condition; and
  - The board’s oversight of risks from cybersecurity threats and management’s role in assessing and managing material risks from such threats.
Prompt Investigations and Disclosures of Material Cybersecurity Incidents
We believe the most notable requirement of the rules is that companies must disclose material cybersecurity incidents in a Form 8-K within four days of determining the incident’s materiality. Because the materiality of a cybersecurity incident is often not immediately apparent at the time of discovery, this requirement gives companies some amount of time to conduct an investigation into the impact of an incident. This time to investigate is not indefinite, though; an instruction to the new Item 1.05 of Form 8-K requires a company to make its materiality determination “without unreasonable delay following discovery of the incident.” The SEC noted in the adopting release that this requirement “necessitates an informed and deliberative process.”
In assessing the materiality of the cybersecurity incident, companies must consider qualitative and quantitative factors. Factors noted in the SEC’s adopting release include “harm to a company’s reputation, customer or vendor relationships, or competitiveness” and “the possibility of litigation or regulatory investigations or actions.”
The rules do not provide any exception from the 8-K disclosure requirements for cybersecurity incidents on third-party systems used by a company to the extent the company is aware of the incident, but the adopting release does state that the final rules generally do not require companies to “conduct additional inquiries outside of their regular channels of communication with third-party service providers pursuant to those contracts and in accordance with [the company’s] disclosure controls and procedures.”
Limited Exceptions Permit Disclosure Delay
Like other data breach notification laws, the rules allow companies to delay disclosure in some limited instances. A company may delay an 8-K filing up to 30 days when the U.S. Attorney General notifies the SEC in writing that disclosure would pose a substantial risk to national security or public safety. This delay may be extended an initial additional 30 days, and another 60 days, if the Attorney General informs the SEC in writing that disclosure would continue to pose a threat. Separately, a company that is subject to the Federal Communications Commission’s requirement to notify the FBI and Secret Service of a breach of customer proprietary network information may delay its 8-K filing up to seven business days after notifying the FBI and Secret Service. Finally, classified information may be omitted from the 8-K disclosure.
No Impact on S-3 Eligibility or Section 10(b) or Rule 10b-5 Safe Harbors for Failure to Timely File
The final rules amend Form S-3 so that failure to timely file a Form 8-K for Item 1.05 would not disqualify a company from Form S-3 eligibility. Similarly, Rules 13a-11 and 15d-11 of the Securities Exchange Act of 1934 (the Exchange Act) are amended so that failure to file a Form 8-K for Item 1.05 would be included in the list of Form 8-K items that are eligible for a limited safe harbor from liability under Section 10(b) or Rule 10b-5 of the Exchange Act.
New Regulation S-K Item 106
The rules add a new Item 106 to Regulation S-K, and Form 10-K has been amended to require the inclusion of this Item. Item 106(a) provides definitions for “cybersecurity incident,” “cybersecurity threat” and “information systems.”
Item 106(b) will require a company to describe its processes, if any, for assessing, identifying and managing material risks from cybersecurity threats. The description must give sufficient detail for a reasonable investor to understand the processes and should address, as applicable, the following non-exclusive items:
- Whether and how the processes have been integrated into the company’s overall risk management system or processes;
- Whether the company engages assessors, consultants, auditors or other third parties in connection with such processes; and
- Whether the company has processes to oversee and identify material risks from cybersecurity threats associated with its use of third-party service providers.
A company must further describe whether any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations or financial condition.
Item 106(c) will require a company to describe the board of directors’ oversight of risks from cybersecurity threats, including the identification of any board committee or subcommittee responsible for oversight of risks from cybersecurity threats and the processes by which the board or a board committee is informed of such risks. These disclosures must also describe management’s role in assessing and managing the company’s material risks from cybersecurity threats, including:
- Whether and which management positions or committees are responsible for measuring and managing cybersecurity risks and the “relevant expertise” of such persons or members;
- The processes by which these persons or committees are informed about and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents; and
- Whether these persons or committees report to the board of directors or a committee or subcommittee of the board of directors on such risks.
“Relevant expertise” for purposes of management’s disclosure may include, for example, prior cybersecurity work experience, relevant degrees or certifications, and any knowledge, skills or other cybersecurity background. The proposed rules’ requirement regarding board cyber expert disclosure was not included in the final rules.
Foreign Private Issuers
The rules amend Form 20-F, by adding Item 16K, to provide for reporting by foreign private issuers similar to that discussed above. General Instruction B of Form 6-K is also amended to make cybersecurity incidents one of the items that would trigger reporting on the form.
Effective and Compliance Dates
The rules become effective on September 5, 2023.
Form 8-K Compliance Dates
For the incident disclosure requirements in new Item 1.05 of Form 8-K, companies other than smaller reporting companies (SRCs) must comply starting on December 18, 2023. SRCs must start complying on June 15, 2024.
Regulation S-K Item 106 Compliance Date
Companies must comply with the disclosure requirements of Item 106 of Regulation S-K beginning with their annual reports for fiscal years ending on or after December 15, 2023. Accordingly, calendar year-end companies must comply beginning with their next Form 10-K.
Inline XBRL Compliance Dates
The rules provide for the required disclosure to be presented in the Inline eXtensible Business Reporting Language (Inline XBRL) format. For Item 106, companies must start Inline XBRL tagging beginning with their annual reports for fiscal years ending on or after December 15, 2024. For Item 1.05 of Form 8-K and Form 6-K, companies must begin Inline XBRL tagging on December 18, 2024.
Key Considerations and Takeaways
As public companies prepare to comply with the new rules, they should consider the following:
- Review and update their information security program to ensure it documents processes for identifying and mitigating cybersecurity risk, including its processes for assessing risks posed by third-party vendors.
- Examine their reporting and governance processes, including their cybersecurity incident response plans, to ensure that they can promptly make a determination regarding whether a cybersecurity incident—or a series of cybersecurity incidents—is material and requires reporting under the new rules.
- Make sure their boards clearly delineate oversight responsibilities for cybersecurity-related matters, including by updating committee charters with specific coverage where necessary.
- Ensure that boards of directors or appropriate board committees receive regular updates from management regarding cybersecurity matters, including areas of risk, areas of focus, business systems readiness, cybersecurity incidents and remediation, as well as the disclosure controls and procedures applicable to disclosures of these matters.
- Work with experienced counsel to understand and prepare the appropriate descriptions of cybersecurity-related processes and oversight to be included in annual reports (and establish processes for updating those descriptions as they evolve).
The rules come less than a month after disclosure of the SEC’s issuance of Wells notices to executives and former executives of SolarWinds, in response to its handling of the massive 2020 data breach tied to the company. The rules and these notices—which alert a recipient that the SEC intends to bring enforcement action or other charges—reflect the SEC’s increased attention on the actions taken by public company personnel in both managing cybersecurity threats and responding to cybersecurity incidents.