On July 26, 2023, the US Securities and Exchange Commission (SEC) approved the final rules for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (“Final Rules”). As previously reported, the SEC first proposed amendments to its rules on disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies on March 9, 2022 (“Proposed Rules”).
Similar to the Proposed Rules, the Final Rules, broadly speaking, require (i) issuers to make disclosures in their periodic filings (e.g., Form 10-K) regarding cybersecurity risk management, strategy, and governance; (ii) issuers to report material cyber security incidents in a Form 8-K; and (iii) comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance. The Final Rules differ from the Proposed Rules on certain issues, which we discuss below.
The timing of the effectiveness of the Final Rules is discussed below, but it is possible that disclosures of material cyber incidents on a Form 8-K or Form 6-K could be required by late December 2023.
What are our key takeaways?
- 4-Day Reporting Timeline for Material Cybersecurity Incidents. Like the Proposed Rules, the Final Rules require companies to disclose material cybersecurity incidents in a Form 8-K (or Form 6-K for Foreign Private Issuers) within four business days of a determination that the incident is material. Importantly, the Final Rules clarify that companies must determine the materiality of an incident without unreasonable delay following discovery of an incident. Once a materiality determination is made, the company has four business days to file a Form 8-K.
- “Cybersecurity Incident” is Broadly Defined. The Final Rules broadly define “cybersecurity incident” to include “a series of related unauthorized occurrences.” For the reasons noted below, the breadth of this definition will likely require management and their information security teams to continuously monitor both current and historic incidents in order to determine whether there is any “sameness” to these intrusions, or unauthorized occurrences.
- Third-Party and Cloud Breaches are Included. Like the Proposed Rules, the Final Rules apply to cybersecurity incidents that materially impact the company when they occur on information systems “owned or used by” the company, including vendors’ systems and cloud infrastructure, regardless of where those servers reside. This is a broad definition that requires companies to assess promptly whether any vendors’ security incidents may cause a material impact to them.
- SEC Backs Off of the Express “Aggregation” Requirement (Sort Of). The Proposed Rules would have required issuers to make disclosures of a series of previously undisclosed individually immaterial cybersecurity incidents, which in the aggregate have been determined to be material. The Final Rules dropped the express aggregation requirement, but still require companies to monitor prior intrusions and compare them to present ones for disclosure purposes. Specifically, the Final Rules state that when a company finds that it has been materially affected by what may appear as a series of related cyber intrusions, disclosure may be required even if the material impact or reasonably likely material impact could be parceled among the multiple intrusions to render each by itself immaterial. In a statement accompanying the release of the Final Rules, Commissioner Hester Peirce raised concerns that the Final Rules don’t adequately address problems in this portion of the Proposed Rules, asking “[w]ill companies, under this new approach, nevertheless have to develop new costly systems to track immaterial events?” and noting that the Final Rules leave “related” undefined. SEC.gov | Harming Investors and Helping Hackers: Statement on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.
- What Must Be Reported In The Original Form 8-K/Form 6-K? Material aspects related to nature, scope and timing of the incident must be included in the disclosure, along with information regarding the material impact or reasonably likely material impact of the incident on the company, including its financial condition and results of operations. If any of the aforementioned information is not determined or is unavailable at the time of filing, a statement to this effect must be included in the Form 8-K and the company must file an amendment to the Form 8-K containing such information within four business days after the information is determined or becomes available. Companies are not required, as they would have been under the Proposed Rules, to disclose whether an incident is ongoing, although the SEC notes that the nature of the incident may necessitate discussions of matters related to remediation like business value loss and asset loss.
- Permissible Delay to the Four-Day Reporting Standard. Notwithstanding the above, companies may delay filing an Item 1.05 Form 8-K if the United States Attorney General (AG) determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing. The permitted delay will be up to 30 days following the date when disclosure would be required to be provided, however, this timeframe can be extended for an additional period of up to 30 days if the AG determines that the risk to national security or public safety continues to exist.
- New Requirements to Disclose Cybersecurity Risk Processes. Companies will be required to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats in their annual reports on Form 10-K or Form 20-F, as applicable, under new Item 106 of Regulation S-K. Importantly, however, the Final Rules clarify that companies are not required to disclose specific or technical information about their planned response to cybersecurity incidents or specific information related to their cybersecurity systems, networks, or vulnerabilities in such detail that might impede the companies’ response to or remediation of cybersecurity incidents.
- New Requirement to Disclose Management Cybersecurity Expertise. Under Item 106 of Regulation S-K, companies will also be required to describe in their annual reports on Form 10-K or Form 20-F, as applicable, their board of directors’ oversight of cybersecurity threats and risks, as well as management’s role and expertise in assessing and managing material risks from cybersecurity threats or incidents. The Final Rules do not, however, include the previously proposed requirement that companies disclose cybersecurity expertise of board members.
- Continued Obligation to Disclose Cybersecurity Risks. Companies will be obligated to disclose their cybersecurity risks annually in their Form 10-Ks or Form 20-Fs, including with respect to any previous cybersecurity incidents that have materially affected the company or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition. Companies also have an obligation to explain how such cybersecurity incidents either affected or are reasonably likely to affect the company.
When do the requirements become effective?
The Final Rules will become effective 30 days following publication of the adopting release in the Federal Register. Companies will be required to make the disclosure required under Item 106 of Regulation S-K with respect to their procedures to address cybersecurity threats and risk oversight structure beginning with annual reports on Form 10-K or 20-F, as applicable, for their first fiscal year that ends on or after December 15, 2023.
The requirement to disclose material cybersecurity incidents on Form 8-K or Form 6- K, as applicable, will be applicable to all issuers (other than smaller reporting companies) on the later of the date that is 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies are given an additional 180 days from the effective date for non-smaller reporting companies to comply with this requirement.
What should companies consider?
Board and Leadership Expertise. Companies will need to consider cybersecurity expertise among their management. And, while the Final Rules dispense with the proposed requirement to disclose board-level expertise, boards of directors need to be closely involved in the oversight of cyber risk. Companies will need to have processes and policies in place to exercise appropriate oversight of cybersecurity risk, including ensuring the board is informed about these risks. This will allow companies to make appropriate disclosures in their annual reports.
Implement Process to Identify Material Cybersecurity Incidents. In order to comply with the four-day reporting timeline, companies will need to establish a clear process through which the Information Security/Information Technology team can bring potentially material cybersecurity incidents to the attention of the legal team in a consistent and timely manner. As a reminder, this process will likely be viewed by the SEC as a necessary component of effective disclosure controls and procedures. This specifically includes monitoring to assess whether there is any reason to believe that a current cyber incident/intrusion being experienced by the company is related to past intrusions. Pursuing breakdowns in these procedures as a stand-alone legal theory of liability is a favorite tool employed by SEC Enforcement in cyber disclosure enforcement actions.
Implement Process to Manage Cybersecurity Risks. In addition to establishing a well-oiled incident response process through which potentially material cybersecurity incidents are identified, companies will need to revisit all other processes and procedures related to the management of cybersecurity risks, including, for example, their Business Continuity and Disaster Recovery Procedures.
Review Contractual Obligations for Reporting Cybersecurity Incidents. Given that the Final Rules apply to cybersecurity incidents that materially impact the company when they occur on information systems “owned or used by” the company, including vendors’ systems and cloud infrastructure, companies should review their agreements with third parties such as vendors, to ensure that they will be notified in a timely manner of cybersecurity incidents that may be material.