On July 26, 2023, the Securities and Exchange Commission (SEC) adopted final rules requiring public companies to disclose material cybersecurity incidents and annually disclose details of their cybersecurity risk management, strategy and governance. The SEC's new rules add a significant layer to the security governance landscape of U.S. publicly traded companies, representing a significant step toward standardizing disclosure of corporate cybersecurity governance, incidents, and risk management to investors and consumers.

Key Elements

The final rules introduce various requirements regarding specific incidents as well as ongoing oversight, so as to provide a clear framework for the disclosure of cybersecurity incidents and governance:

  • Material Cybersecurity Incidents Disclosure: Companies are obligated to report any material cybersecurity incident under new Item 1.05 of Form 8-K within four business days following the company's determination that the incident is material. This requires organizations to quickly assess the severity of any cybersecurity breach and report it in a timely manner.
  • Annual Disclosure of Cybersecurity Risk Management and Strategy: The new rules, reflected in Item 106 of Regulation S-K, affect annual disclosures and will require companies to provide more detailed insight into their cybersecurity risk management and strategy, including their processes for managing cybersecurity threats and whether those threats have had, or are reasonably likely to have, material effects on the company.
  • Cybersecurity Governance: Companies are required to provide further details in their annual reports about oversight of cybersecurity risks by the board and management, and about how they manage these risks at different levels of their organizational structure.

Similar disclosures will be required by foreign private issuers.

Key Dates

  • December 15, 2023: Companies must make the cybersecurity disclosures required under Regulation S-K Item 106 (and the comparable requirements in Form 20-F) beginning with annual reports for fiscal years ending on or after this date.
  • December 18, 2023: SEC begins enforcement of Form 8-K disclosure of cybersecurity incidents for companies other than smaller reporting companies (SRCs).
  • June 15, 2024: SEC begins enforcement of Form 8-K disclosure of cybersecurity incidents for SRCs.

These strict enforcement timelines may put pressure on companies to review their current cybersecurity programs to protect against any vulnerabilities public disclosure may expose, and to ensure compliance with disclosure procedures.

Material Cybersecurity Incident Disclosure

The rule's biggest impact is that public companies will be required to file a Form 8-K within four business days of determining that a cybersecurity event is "material." A cybersecurity incident is "an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a [company]'s information systems or any information residing therein."

The key consideration here, as with many disclosure considerations, is the company's determination of when an event reaches the "materiality" threshold – a subjective and often difficult determination. Upon discovering a cybersecurity incident, companies are now required to make a determination on materiality "as soon as reasonably practicable" and without "unreasonable delay." Materiality is based on the longstanding principle that information is material if there is a substantial likelihood an investor would consider it important in making an investment decision, or if it would significantly alter the "total mix" of information made available to the investing public. In making this determination, companies must consider qualitative as well as quantitative factors, such as reputation, business relationships, competitiveness, and the possibility of litigation or regulatory action. The original proposing release included these examples of possibly material incidents:

  • Compromise of the confidentiality, integrity, or availability of an information asset (data, system, or network); or violation of the company's security policies or procedures—whether accidental or intentional;
  • Degradation, interruption, loss of control, damage to, or loss of operational technology systems;
  • An unauthorized party accessed, or a party exceeded authorized access to, and altered or stole sensitive business information, personally identifiable information, intellectual property, or information that resulted, or may result, in a loss or liability for the company;
  • Malicious actor offered to sell or threatened to publicly disclose sensitive company data; or
  • Malicious actor demanded payment to restore company data that was stolen or altered.

The disclosure must "describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the company, including its financial condition and results of operations." In an Instruction, the SEC took into account the concerns expressed by commentators that certain disclosures could give the malicious actor a roadmap for further attacks, stating that a "registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant's response or remediation of the incident." The final rule requires amended filings to disclose additional or corrected information as it is learned about an incident – which likely will be necessary, given that an incident's scope and impact generally will take well beyond the four-business-day filing deadline to determine.

A determination by the U.S. Attorney General that disclosure would pose a substantial risk to national security or public safety can provide a 30-day extension to the filing deadline.

Annual Disclosure of Cybersecurity Risk Management and Strategy

New Item 106 of Regulation S-K requires companies to delineate their processes for assessing, managing, and identifying material cybersecurity threats in their Annual Reports on Form 10-K (or Form 20-F as applicable). This strategic move, aimed at replacing "policies and procedures" with "processes," marks an important shift away from detailed operational specifics that could potentially be weaponized by malicious cyber actors.

A cybersecurity threat is "any potential unauthorized occurrence on or conducted through a [company]'s information systems that may result in adverse effects on the confidentiality, integrity or availability of a [company]'s information systems or any information residing therein."

Consistent with the intention behind real-time reporting of material cybersecurity events, the annual disclosures should address the following, in addition to "whatever information [is] necessary" for a reasonable investor to understand the company's cybersecurity processes:

  • Whether the processes are integrated into the company's overall risk management system or processes;
  • Whether the company engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
  • Whether the company has processes to oversee and identify risks from cybersecurity threats associated with its use of any third-party service provider.

Companies must also describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition.

Cybersecurity Governance

A cornerstone of new Item 106 involves governance disclosure. Companies must now outline the role their board of directors plays in overseeing cybersecurity threats. This includes identifying any board committee or subcommittee responsible for this oversight and explaining how they are informed about these risks. Although the requirement to disclose cybersecurity expertise within the board has been omitted from the final rule, the SEC still encourages companies to consider this if they deem it necessary for their cyber-risk management.

Furthermore, the rule necessitates a description of the role of management in assessing and mitigating material risks from cybersecurity threats. This means companies should identify specifically who is responsible for these tasks, their relevant expertise, and the processes they use to stay informed and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents.

Companies will be required to describe in their Form 10-K the board of directors' oversight and awareness of risks from cybersecurity threats and management's role and relevant expertise in assessing and managing material risks from cybersecurity threats. "Relevant expertise" for purposes of management's disclosure may include prior cybersecurity work experience, relevant certifications, and other cybersecurity background. Importantly, the SEC did not adopt the proposed requirement to disclose board cybersecurity expertise or certifications.

Key Takeaways and Next Steps for Companies

The implications of this new rule are significant, and companies should begin immediate planning and implementation to ensure compliance.

First, it is essential that companies review their cybersecurity incident response playbooks to ensure they align with the processes outlined in the new Form 8-K requirements. As the rule highlights, companies must not "unreasonably delay" the materiality determination for a cybersecurity incident. This underscores the need for clear communication channels between the cybersecurity team, legal team, disclosure committee, and the board of directors to facilitate effective and timely assessment and escalation of detected cybersecurity incidents.

Moreover, companies should document both their materiality analysis and the time taken to assess materiality. They also need to review their processes for managing cybersecurity risk, in light of the final rule's emphasis on disclosing the company's risk management strategy and governance. Importantly, there are no "standard" or "template" forms that will meet the new reporting obligations. Companies will need to appropriately tailor descriptions of the nature and possible impact of the incident on Form 8-K as well as provide an accurate description of cybersecurity processes, use of outside consultants, and assessment of risks posed by third-party service providers in annual reports.

Companies evaluating the potential impact of the adopted rules should review their existing cybersecurity plans, policies and protocols in light of the newly adopted four-business-day deadline to disclose material cybersecurity incidents and the other enhanced disclosure obligations. As part of their cybersecurity plans, policies and protocols, companies should consider the process by which they will determine the materiality of a cyber incident. This will require a top-down understanding of the company and the role cybersecurity plays throughout the enterprise. It will also require a direct, ongoing, and rapid communications process between the incident response team and other relevant groups within the company, including the legal department.

Legal Support

Drafting disclosures regarding material cybersecurity incidents and a company's risk management processes requires a careful balance. Companies must meet their obligation to disclose material information without unintentionally exposing weaknesses in their cybersecurity posture that could be further exploited by malicious cyber actors.

To comply with the terms of this requirement, publicly traded companies should seek the assistance of experienced outside counsel to:

  • Review existing incident response procedures and make necessary adjustments to comply with the requirements of the new Form 8-K. This may include developing protocols for assessing and documenting the materiality of a cybersecurity incident in a timely manner.
  • Ensure disclosure controls and procedures are designed to facilitate effective communication between the cybersecurity team, the legal team, the disclosure committee, and the board of directors.
  • Assist in carefully documenting materiality analysis and the reasonableness of the time taken to assess materiality. This will be critical under the new rules.
  • Advise on navigating the narrow exceptions for delaying the reporting of material cybersecurity incidents, particularly the requirement to obtain the Attorney General's determination that disclosure poses a substantial risk to national security or public safety.
  • Assist in the assessment of current cybersecurity risk management processes and align them with the details required to be disclosed under the final rule.
  • Assist in drafting accurate, comprehensive, but carefully worded disclosures that meet the requirements given the potential for greater scrutiny and potential liability from public disclosures.
  • Help align new cybersecurity disclosures with existing risk factor and proxy statement disclosures to maintain consistency and compliance.

With the December 2023 deadline fast approaching, companies should take a proactive approach in organizing disclosures under annual reports and be prepared for potential Form 8-K disclosures. Buchanan has a team of committed professionals in its Securities Practice Group and Cybersecurity and Data Privacy Group ready to assist registrants in evaluating their existing cybersecurity framework so as to be prepared to meet their new disclosure obligations.
