SEC Adopts Cybersecurity Disclosure Rules
July 27, 2023, Covington Alert
On July 26, 2023, the Securities and Exchange Commission (the “SEC”) adopted rules that will require U.S. public companies and, in certain instances, foreign private issuers to report their material cybersecurity incidents on Form 8-K and Form 6-K, as applicable, and to provide disclosure in periodic reports about their cybersecurity risk management and governance. Although the final rules are scaled back somewhat from the SEC’s initial proposal, they nevertheless represent a significant expansion in the reporting obligations regarding cybersecurity incidents and transparency around public companies’ cybersecurity risk management policies and procedures and the oversight role of management and boards of directors in managing companies’ cybersecurity risk.
The SEC’s brisk implementation timeline provides that the Form 8-K reporting requirements begin on the later of 90 days after the date of publication of the rules in the Federal Register or December 18, 2023, and the new periodic disclosures will be required in annual reports for fiscal years ending on or after December 15, 2023. Consequences for foreign private issuers are discussed under “Other Items” below.
Reporting of Material Cybersecurity Incidents
The rules add new Item 1.05 to Form 8-K, requiring a company to file a Form 8-K within four business days after it determines that it has experienced a material cybersecurity incident. The report must describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact[1] on the company, including its financial condition and results of operations. In a departure from the SEC’s original proposal, companies are not specifically required to disclose the incident’s remediation status, whether it is ongoing, or whether data were compromised.[2]
Definition of Cybersecurity Incident
The rules define a “cybersecurity incident” as “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” Because the rules define the term “information systems” to mean information resources owned or used by the company, a Form 8-K could be triggered not only by an incident involving the company’s own systems, but also by an incident involving the systems of a third-party service provider (e.g., a cloud service provider). This definition applies to both new Item 1.05 of Form 8-K and the new periodic reporting requirements discussed below.
The adopting release emphasizes that the term “cybersecurity incident” extends to a series of related unauthorized occurrences, which means that Item 1.05 may be triggered by related occurrences that, taken individually, would not be considered material.
Third-Party Service Providers
Under the rules, companies will need to be able to assess whether a cybersecurity incident at a third-party service provider will have a material impact on the company and thereby trigger a Form 8-K filing. As a practical matter, this may require companies to enhance their policies and procedures or to add provisions to agreements with third-party providers to ensure appropriate oversight of their third-party risk management programs, including reporting mechanisms for cybersecurity incidents. The SEC considered, but declined to adopt, a safe harbor for information disclosed about third-party systems. The adopting release notes, however, that companies should determine whether to disclose a cybersecurity incident based on the information available to them, and the rules do not require companies to conduct additional inquiries outside of their regular channels of communication with third-party service providers and in accordance with companies’ disclosure controls and procedures.
Limited Exceptions to Disclosure Obligation
Companies dealing with a cybersecurity incident typically evaluate many factors when considering disclosure of an incident, such as whether disclosure would impede the ability to contain and remediate the incident. Instruction 4 to Item 1.05 clarifies that companies need not disclose specific or technical information about their planned responses to incidents in such detail as would impede their response or remediation of the incident.
In another change from the SEC’s original proposal, the rules permit a 30-day delay in reporting a material cybersecurity incident if the U.S. Attorney General notifies the SEC in writing that disclosure would pose a substantial risk to national security or public safety. The Attorney General can request two additional 30- and 60-day delays, but any subsequent extensions would be in the SEC’s sole discretion. Thus, apart from this very limited exception[3], once a company determines that an incident is material, the rules do not permit a delay in reporting the incident, even where the company has not completed its remediation or might otherwise benefit from further progress on internal or external investigations, including by law enforcement.
Amendments Required to Update Prior Cybersecurity Incident Disclosure
If the information called for by Item 1.05 is not determined or is unavailable at the time the Form 8-K is due, the new rules require companies to subsequently amend their Form 8-Ks to report such information after it is determined or becomes available. This approach differs from the proposed rules, which would have required companies to include specified disclosure about prior material cybersecurity incidents in subsequent annual and quarterly reports. The adopting release clarifies that the new requirement to amend previously filed Form 8-Ks does not create an obligation to update prior statements in an earlier Item 1.05 Form 8-K; however, the SEC cautions that companies may still have a duty to correct prior disclosure (i) to the extent that the company subsequently determines that it was untrue at the time it was made or (ii) if the disclosure becomes materially inaccurate after it was made. Given the nature of many cybersecurity incident investigations, this provision may require companies to make a series of filings to describe a single event.
Key Takeaways
- The rules’ “materiality” trigger remains tied to the traditional definition of “materiality” articulated by courts and the SEC.
- The deadline for filing is triggered upon determination that an incident was material and not discovery of the incident. To address concerns about potential delays in making materiality determinations, Instruction 1 to Item 1.05 specifies that companies must make their materiality determinations “without unreasonable delay” after discovery of the incident.
- Failure to timely file a report under Item 1.05 does not make a company ineligible to use Form S-3.
- Companies are required to file amendments to their initial Form 8-K to the extent information called for by Item 1.05 is not determined or is unavailable at the time the initial Form 8-K is due.
New Periodic Reporting Requirements
The rules establish a number of new periodic reporting requirements regarding a company’s cybersecurity practices and controls. These new requirements apply to a company’s annual report on Form 10-K and are summarized below.
Cybersecurity Risk Management and Strategy
New Item 106(b) of Regulation S-K requires a company to describe the processes it has, if any, for assessing, identifying and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. Companies are directed to address the following non-exclusive list of items in their disclosure, but are not required to file their cybersecurity policies and procedures:
- Whether and how the described cybersecurity processes in Item 106(b) have been integrated into the company’s overall risk management system or processes;
- Whether the company engages assessors, consultants, auditors, or other third parties in connection with any such processes;[4] and
- Whether the company has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.
The adopting release emphasizes that because the list of disclosures in Item 106(b)(1) is non-exclusive, companies should also disclose whatever other information is necessary, based on their facts and circumstances, for a reasonable investor to understand their cybersecurity risk management processes.
Additionally, Item 106(b)(2) requires companies to disclose whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition and if so, how.
Board of Directors’ Oversight of Cybersecurity
New Item 106(c)(1) of Regulation S-K requires a company to describe the board of directors’ oversight of risks from cybersecurity threats, and, if applicable, identify any board committee or subcommittee responsible for such oversight and describe the processes by which the board or such committee is informed about such risks.
In a change from the SEC’s initial proposal, the rules do not require disclosure about the cybersecurity expertise, if any, of a company’s directors.
Management’s Role in Assessing and Managing Cybersecurity-Related Risks
New Item 106(c)(2) of Regulation S-K requires companies to describe management’s role in assessing and managing material risks from cybersecurity threats. Companies are directed to consider disclosing the following as part of this description:
- Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise[5] of such persons or members in such detail as necessary to fully describe the nature of the expertise;
- The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
- Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.
Although the SEC declined to require disclosure under Items 106(b) and 106(c) in registration statements, the adopting release reiterated the SEC’s previous guidance that companies should consider the materiality of cybersecurity risks and incidents when preparing the disclosure that is required in registration statements.
Other Items
Foreign Private Issuers
The SEC amended Form 6-K to require foreign private issuers to furnish information about material cybersecurity incidents that they disclose or otherwise publicize in a foreign jurisdiction, to any stock exchange or to securityholders. Similarly, the SEC amended Form 20-F to impose corresponding annual reporting obligations on foreign private issuers to describe their board of directors’ oversight of risks from cybersecurity threats and management’s roles in assessing and managing material risks from cybersecurity threats.
Compliance Timeline
Companies other than smaller reporting companies must begin complying with the new incident disclosure requirements in Item 1.05 of Form 8-K and in Form 6-K on the later of 90 days after the date of publication of the adopting release in the Federal Register or December 18, 2023. Smaller reporting companies must begin complying with the new incident disclosure requirements in Item 1.05 of Form 8-K and in Form 6-K on the later of 270 days from the publication date of the adopting release in the Federal Register or June 15, 2024, representing an additional 180 days.
Companies must start complying with the new periodic reporting requirements in Item 106 of Regulation S-K beginning with annual reports for fiscal years ending on or after December 15, 2023.
All companies must tag both real-time and periodic disclosures required under the final rules in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.
Next Steps and Observations
The new rules represent significant new compliance obligations for companies, which should consider the steps to take now to prepare for compliance, including:
- Evaluation and assessment of existing management and board oversight of cybersecurity risk;
- Evaluation and assessment of disclosure controls and procedures frameworks in place and the possible adjustments that would be required in order to comply with the rules’ real-time and periodic reporting requirements, including with respect to incidents occurring at third parties;
- Evaluation and assessment of cybersecurity governance programs, including applicable policies and procedures;
- The interplay between pre-existing cybersecurity incident reporting obligations and timing under sector-specific, state, or local notification laws and regulations and the materiality assessment that will be required under the new rules and securities law reporting requirements; and
- The company’s current level of incident response preparedness and training, and integration of these processes with the company’s disclosure controls and procedures.
Companies with December 31 fiscal years will also need to prepare new disclosure for Items 106(b) and 106(c) for inclusion in their next Annual Report on Form 10-K or 20-F, as applicable.
If you have any questions concerning the material discussed in this advisory, please contact the members of our Securities and Capital Markets and Cybersecurity practice groups.
[1] The adopting release notes that harm to a company’s reputation, customer or vendor relationships, or competitiveness may be examples of a material impact on the company, and the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities, may constitute a reasonably likely material impact on the company.
[3] For companies subject to the Federal Communications Commission’s (the “FCC”) notification rule for breaches of customer proprietary network information (“CPNI”), Item 1.05(d) of Form 8-K provides that companies also may delay disclosing a material cybersecurity incident involving breaches of CPNI in accordance with the FCC’s notification rule.
[4] The adopting release clarifies that such third parties need not be named and the specific services provided by third parties need not be described.
[5] New Instruction 2 to Item 106(c) indicates that relevant expertise of management may include, for example, prior work experience in cybersecurity; any relevant degrees or certifications; and any knowledge, skills, or other background in cybersecurity.