SEC Finalizes Cybersecurity Disclosure Rules for Public Companies

August 07, 2023

Key Takeaways

  • The SEC adopted new rules requiring public companies to (i) disclose material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material, and (ii) periodically disclose in their annual reports their processes for assessing, identifying and managing material risks from cybersecurity threats.
  • New Form 8-K Item 1.05 will require companies to disclose any cybersecurity incident they determine to be material and to describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the company, including its financial condition and results of operations. Public companies will need to determine whether an incident is material “without unreasonable delay.”
  • New Regulation S-K Item 106 will obligate companies to describe in their annual reports their processes for assessing, identifying, and managing material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the company.
  • Foreign private issuers will be subject to related, but not identical, requirements.
  • The new rules are effective on September 5, 2023. Disclosures on Forms 10-K and 20-F will be required beginning with annual reports for fiscal years ending on or after December 15, 2023. Disclosures on Forms 8-K and 6-K will be required beginning December 18, 2023. Smaller reporting companies must begin providing Form 8-K disclosures starting June 15, 2024.
  • These new rules supplement prior SEC cybersecurity disclosure guidance but do not replace it.

On July 26, 2023, the Securities and Exchange Commission (“SEC”) voted 3-2 to adopt rules requiring public companies to make certain public disclosures regarding material cybersecurity incidents and their cybersecurity risk management, strategy, and governance (the “Final Rule”).1 The Final Rule is largely similar to the rules proposed by the SEC in March 2022 (the “Proposed Rule”),2 though there are several important changes, as described below. Once effective, the Final Rule will significantly expand public companies’ disclosure obligations beyond the SEC’s current prevailing guidance, requiring public companies to disclose cybersecurity incidents they deem to be material and information relating to cybersecurity risk management and oversight.

The Final Rule applies to public companies, including smaller reporting companies, foreign private issuers, and business development companies. It does not apply to investment companies registered under the Investment Company Act of 1940.

This Dechert OnPoint summarizes the main new disclosure obligations under the Final Rule, changes made to the Proposed Rule, and key takeaways for public companies.

Background

On October 13, 2011, the SEC’s Division of Corporation Finance issued interpretive guidance to help public companies assess their disclosure obligations related to cybersecurity risks and incidents.3 In early 2018, the SEC issued additional interpretive guidance that urged public companies to take all required actions to inform investors about material cybersecurity risks and incidents in a timely manner.4 This guidance is supplemented and not replaced by the Final Rule.

On March 9, 2022, the SEC voted 3-1 in favor of issuing the Proposed Rule, proposing new and amended rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and material cybersecurity incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934 (the “Exchange Act”).

Summary of New Disclosure Requirements

The SEC in the Adopting Release provides a tabular summary of the Final Rule’s new disclosure requirements, reproduced below with each item followed by the summary description of its disclosure requirement:5

Regulation S-K Item 106(b) – Risk management and strategy

In their annual reports on Form 10-K, companies must describe their processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats, and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition.

Regulation S-K Item 106(c) – Governance

In their annual reports on Form 10-K, companies must:

  • Describe the board’s oversight of risks from cybersecurity threats; and
  • Describe management’s role in assessing and managing material risks from cybersecurity threats.

Form 8-K Item 1.05 – Material Cybersecurity Incidents

Companies must disclose any cybersecurity incident they experience that they determine to be “material,” and describe the material aspects of its:

  • Nature, scope, and timing; and
  • Impact or reasonably likely impact on the company.

A Form 8-K Item 1.05 must be filed within four business days of the company determining an incident is material. A company may delay filing if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.

Companies must also amend a prior Form 8-K Item 1.05 to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing.

Form 20-F

Foreign private issuers must:

  • Describe the board’s oversight of risks from cybersecurity threats; and
  • Describe management’s role in assessing and managing material risks from cybersecurity threats.

Form 6-K

Foreign private issuers must furnish on Form 6-K information on material cybersecurity incidents that they disclose or otherwise publicize in a foreign jurisdiction, to any stock exchange, or to security holders.

Key Definitions

In new Regulation S-K Item 106(a), the SEC adopted definitions for “cybersecurity incident,” “cybersecurity threat,” and “information systems,” terms used throughout the Final Rule:

Cybersecurity incident means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a company’s information systems that jeopardizes6 the confidentiality, integrity, or availability of a company’s information systems or any information residing therein.

Cybersecurity threat means any potential unauthorized occurrence on or conducted through a company’s information systems that may result in adverse effects on the confidentiality, integrity, or availability of a company’s information systems or any information residing therein.

Information systems means electronic information resources, owned or used by the company, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the company’s information to maintain or support the company’s operations.

The SEC points out that it added the phrase “or a series of related unauthorized occurrences” to the defined term “cybersecurity incident.” This reflects the SEC’s guidance that a series of related occurrences may collectively have a material impact or reasonably likely material impact and therefore trigger a disclosure requirement pursuant to Form 8-K Item 1.05, even if each individual occurrence on its own would not rise to the level of materiality.7

Public Companies Must Report Material Cybersecurity Incidents on Form 8-K

When Reporting Is Required

New Form 8-K Item 1.05 will require companies to disclose the material aspects of the nature, scope, and timing of a cybersecurity incident, and the material impact or reasonably likely material impact on the company, including its financial condition and results of operations. The Final Rule’s inclusion of “financial condition and results of operations” is not exclusive; the SEC recommends companies consider qualitative factors alongside quantitative factors in assessing the material impact of an incident.8 These qualitative factors may include, but are not limited to, harm to a company’s reputation or vendor relationships along with the possibility of litigation or regulatory investigations. The SEC declined to identify a quantifiable trigger for Item 1.05 because some cybersecurity incidents may be material yet not cross a particular financial threshold.

In response to comments received on the Proposed Rule concerning the scope of required disclosures, the SEC says it streamlined Item 1.05 to focus the disclosure primarily on the impacts of a material cybersecurity incident, rather than on details regarding the incident itself. To that end, the Final Rule emphasizes disclosure concerning the materiality of the cybersecurity incident’s impact on the company’s financial and operating condition.9

Timing

Companies must determine the materiality of an incident “without unreasonable delay” following discovery and, if the incident is determined to be material, must file a Form 8-K within four business days of that determination. Whether a cybersecurity incident is “material” will be judged by the materiality standard that applies under the federal securities laws generally: information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision or if it would have “significantly altered the ‘total mix’ of information made available.”10

Disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing. The initial delay may run for up to 30 days from the date the disclosure was otherwise due, may be extended for an additional period of up to 30 days if the Attorney General determines that disclosure continues to pose such a risk, and in extraordinary circumstances may be extended for a final additional period of up to 60 days. If the Attorney General indicates that further delay is necessary, the SEC will consider additional requests for delay and may grant such relief through exemptive orders.

Requirements for Foreign Private Issuers

For foreign private issuers, the Final Rule adds “material cybersecurity incidents” to the items that may trigger a current report on Form 6-K. Foreign private issuers will be required to furnish on Form 6-K information about material cybersecurity incidents that the issuer discloses or otherwise publicizes in a foreign jurisdiction, to any stock exchange or to security holders.

Companies Will Need to Amend Their Form 8-K Reports to Provide Previously Unavailable Information, but Will Not Be Required to Disclose Material Changes, Additions or Updates on Form 10-Q and 10-K

Companies must amend a prior Form 8-K Item 1.05 disclosure to provide any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing; the amendment is due within four business days after the company, without unreasonable delay, determines that information or after the information becomes available. Beyond that, there is no formal requirement to provide updated information regarding a previously reported incident. Companies will still have a duty to correct prior disclosure that was untrue when made and a duty to update disclosure that becomes materially inaccurate after it was made.11

For context, the SEC’s Proposed Rule would have required public companies to disclose any material changes, additions, or updates to information required to be disclosed under the new Form 8-K Item 1.05 in subsequent Form 10-Q or 10-K filings. The Final Rule adopted by the SEC does not include this proposed requirement, reasoning that amendments to Form 8-K, rather than periodic reports, allow investors to more quickly identify updates regarding incidents that were previously disclosed.

Companies Must Disclose Information on Cyber Governance and Oversight in Their Annual Reports

The Final Rule also requires enhanced and standardized disclosure of companies’ cybersecurity risk management, strategy, and governance in annual reports.

Processes for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats

New Regulation S-K Item 106(b) will require companies to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. In providing this disclosure, a company should address, as applicable, the following non-exclusive list of elements:

  • Whether and how such processes have been integrated into the company’s overall risk management system or processes;
  • Whether the company engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
  • Whether the company has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.

Cybersecurity Threats that Have, or Are Reasonably Likely to, Materially Impact a Company

New Regulation S-K Item 106(b)(2) requires companies to describe “[w]hether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition and if so, how.”12

Board Oversight and Management’s Role

New Regulation S-K Item 106(c) will require companies to describe the board of directors’ oversight of risks from cybersecurity threats, identify any board committee or subcommittee responsible for such oversight, and describe the processes by which the board or such committee is informed about such risks. Item 106(c) also requires companies to describe management’s role in assessing and managing the company’s material risks from cybersecurity threats, addressing, as applicable, the following:

  • Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
  • The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
  • Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.

Related Requirements for Foreign Private Issuers

The Final Rule amends Form 20-F (new Item 16K) to include requirements parallel to Item 106 regarding a foreign private issuer’s cybersecurity risk management, strategy, and governance.

No Prescribed Disclosure Regarding the Board of Directors’ Cybersecurity Expertise

The Proposed Rule would have amended Regulation S-K Item 407 to require disclosure in annual reports and certain proxy filings of cybersecurity expertise among members of the board of directors of a public company. The SEC did not adopt this proposed amendment, agreeing with commenters that effective cybersecurity processes are designed and administered largely at the management level, and that directors with broad-based skills in risk management and strategy often effectively oversee management’s efforts without specific subject matter expertise, as they do with other sophisticated technical matters.13

S-3 Eligibility and Liability Exception

The untimely filing of a Form 8-K Item 1.05 will not result in the loss of Form S-3 eligibility, pursuant to the amended instructions of Form S-3.

An Item 1.05 Form 8-K must be filed, not furnished. However, as with certain other Form 8-K items, a limited safe harbor from liability under Section 10(b) and Rule 10b-5 under the Exchange Act will apply to a failure to timely file an Item 1.05 Form 8-K.

Effectiveness

The Final Rule is effective on September 5, 2023.

  • Disclosures on Forms 10-K and 20-F will be required beginning with annual reports for fiscal years ending on or after December 15, 2023.
  • Disclosures on Forms 8-K and 6-K will be required beginning December 18, 2023. Smaller reporting companies must begin providing Form 8-K disclosures starting June 15, 2024.

All public companies must begin tagging the new annual report disclosure in Inline XBRL beginning with annual reports for fiscal years ending on or after December 15, 2024, and begin tagging the new Form 8-K and Form 6-K disclosure in Inline XBRL beginning on December 18, 2024.

Practical Implications

  • The Four-Business-Day Reporting Requirement Demands Advance Preparation. This new reporting requirement likely will impose an increased burden on companies during what likely is a crisis situation. Advance preparation and established procedures may be vital to ensure counsel receives the information necessary to assess disclosure obligations. Note that the disclosure deadline is four business days from when the determination of materiality is made, not from the moment a company determines there is a breach. This is an important distinction, as often with cybersecurity events the facts as they appear at the start of an event are wholly different once a forensic review is underway. The determination itself, however, must be made without unreasonable delay after discovery, so a company cannot defer the four-business-day clock by postponing its materiality analysis.
  • Review Policies to Delineate Responsibilities for Management, Assessment, and Oversight. Companies will want to review their policies and education of officers, directors, and information security personnel to educate them on the new requirements. Specifically, companies likely will want to review, and if necessary, update their incident-response plans in light of the Final Rule to include a process for discussion of materiality with counsel and for escalation of that decision.
  • Review Governance and Oversight Structure. Companies will want to evaluate their existing cybersecurity risk oversight structures at the board and management level and consider whether any improvements are needed, such as: delegating tasks to a dedicated board committee; scheduling additional cybersecurity updates on board agendas and/or increasing the amount of time spent addressing cybersecurity; and strengthening processes for timely communications between management and board members. Information security professionals are well advised to involve counsel in incident response early on, and the Final Rule makes this step even more important, as the “materiality” decision and whether to disclose likely will be determined in consultation with counsel after careful analysis.
  • Public Companies May Expect an Increased Likelihood of SEC Action and/or Private Litigation. Given the malleable definition of “material,” public companies may expect heightened SEC scrutiny regarding when and how a company determines that it did or did not experience a material “cybersecurity incident.” Public companies may also expect an increased likelihood of investigations, fraud allegations, and litigation regarding management’s level of expertise, insider trading, and the status of a company’s cyber policies. Companies would do well to be prepared to be second-guessed on these materiality calls, which often are happening in real time under extreme pressure. Having a set process in place and a good record of what information was known and considered by the company at what time—of course, all under attorney-client privilege—will become increasingly important.
  • Expanded Disclosure Obligations Lead to Increased Compliance Costs for Information Security and Cybersecurity Incidents. The Final Rule adds another layer of disclosure requirements on top of existing federal and state disclosure obligations. As such, compliance costs will likely increase. In a live incident, the obligations the company must shoulder in the very early days are expanded. An unfortunate consequence is that while information security professionals within a company are in the throes of fending off a threat actor, they will have added burdens in the form of likely conversations on the issue of materiality.

Footnotes

[1] See Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) (the “Adopting Release”).

[2] See Proposed Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rules, Release Nos. 33-11038; 34-94382 (March 9, 2022). The Proposed Rule is summarized in Dechert OnPoint, SEC Proposes New and Amended Cybersecurity Rules for Public Companies (March 17, 2022).

[3] See CF Disclosure Guidance: Topic No. 2 – Cybersecurity (Oct. 13, 2011).

[4] See Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release Nos. 33-10459; 34-82746 (February 26, 2018).

[5] Adopting Release at 12-13.

[6] The SEC noted commenters’ concern about the word “jeopardizes,” but chose to retain it, noting that the disclosure obligation under Item 1.05 is only triggered if the incident is material to the company. Adopting Release at 77.

[7] Adopting Release at 76.

[8] Id. at 29.

[9] Id.

[10] Adopting Release at 80, citing TSC Indus. v. Northway, 426 U.S. 438, 449 (1976); Matrixx Initiatives v. Siracusano, 563 U.S. 27, 38-40 (2011); Basic Inc. v. Levinson, 485 U.S. 224, 240 (1988).

[11] Adopting Release at 50-51.

[12] Id. at 63.

[13] Id. at 85.
