In brief

On July 26, 2023, the US Securities and Exchange Commission (SEC) approved the final rules for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (“Final Rules”). As previously reported, the SEC first proposed amendments to its rules on disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies on March 9, 2022 (“Proposed Rules”).

Similar to the Proposed Rules, the Final Rules, broadly speaking, require (i) issuers to make disclosures in their periodic filings (e.g., Form 10-K) regarding cybersecurity risk management, strategy, and governance; (ii) issuers to report material cybersecurity incidents in a Form 8-K; and (iii) comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance. The Final Rules differ from the Proposed Rules on certain issues, which we discuss below.

The timing of the effectiveness of the Final Rules is discussed below, but it is possible that disclosures of material cyber incidents on a Form 8-K or Form 6-K could be required by late December 2023.

In depth

What are our key takeaways?

  • 4-Day Reporting Timeline for Material Cybersecurity Incidents. Like the Proposed Rules, the Final Rules require companies to disclose material cybersecurity incidents in a Form 8-K (or Form 6-K for Foreign Private Issuers) within four business days of a determination that the incident is material. Importantly, the Final Rules clarify that companies must determine the materiality of an incident without unreasonable delay following discovery of an incident. Once a materiality determination is made, the company has four business days to file a Form 8-K.
  • “Cybersecurity Incident” is Broadly Defined. The Final Rules broadly define “cybersecurity incident” to include “a series of related unauthorized occurrences.” For the reasons noted below, the breadth of this definition will likely require management and their information security teams to continuously monitor both current and historic incidents in order to determine whether there is any “sameness” to these intrusions, or unauthorized occurrences.
  • Third-Party and Cloud Breaches are Included. Like the Proposed Rules, the Final Rules apply to cybersecurity incidents that materially impact the company when they occur on information systems “owned or used by” the company, including vendors’ systems and cloud infrastructure, regardless of where those servers reside. This is a broad definition that requires companies to assess promptly whether any vendors’ security incidents may cause a material impact to them.
  • SEC Backs Off of the Express “Aggregation” Requirement (Sort Of). The Proposed Rules would have required issuers to make disclosures of a series of previously undisclosed individually immaterial cybersecurity incidents, which in the aggregate have been determined to be material. The Final Rules dropped the express aggregation requirement, but still require companies to monitor prior intrusions and compare them to present ones for disclosure purposes. Specifically, the Final Rules state that when a company finds that it has been materially affected by what may appear as a series of related cyber intrusions, disclosure may be required even if the material impact or reasonably likely material impact could be parceled among the multiple intrusions to render each by itself immaterial. In a statement accompanying the release of the Final Rules, Commissioner Hester Peirce raised concerns that the Final Rules don’t adequately address problems in this portion of the Proposed Rules, asking “[w]ill companies, under this new approach, nevertheless have to develop new costly systems to track immaterial events?” and noting that the Final Rules leave “related” undefined (see Commissioner Peirce’s statement on SEC.gov, “Harming Investors and Helping Hackers: Statement on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure”).
  • What Must Be Reported In The Original Form 8-K/Form 6-K? Material aspects related to nature, scope and timing of the incident must be included in the disclosure, along with information regarding the material impact or reasonably likely material impact of the incident on the company, including its financial condition and results of operations. If any of the aforementioned information is not determined or is unavailable at the time of filing, a statement to this effect must be included in the Form 8-K and the company must file an amendment to the Form 8-K containing such information within four business days after the information is determined or becomes available. Companies are not required, as they would have been under the Proposed Rules, to disclose whether an incident is ongoing, although the SEC notes that the nature of the incident may necessitate discussions of matters related to remediation like business value loss and asset loss.
  • Permissible Delay to the Four-Day Reporting Standard. Notwithstanding the above, companies may delay filing an Item 1.05 Form 8-K if the United States Attorney General (AG) determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing. The permitted delay will be up to 30 days following the date when disclosure would be required to be provided, however, this timeframe can be extended for an additional period of up to 30 days if the AG determines that the risk to national security or public safety continues to exist.
  • New Requirements to Disclose Cybersecurity Risk Processes. Companies will be required to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats in their annual reports on Form 10-K or Form 20-F, as applicable, under new Item 106 of Regulation S-K. Importantly, however, the Final Rules clarify that companies are not required to disclose specific or technical information about their planned response to cybersecurity incidents or specific information related to their cybersecurity systems, networks, or vulnerabilities in such detail that might impede the companies’ response to or remediation of cybersecurity incidents.
  • New Requirement to Disclose Management Cybersecurity Expertise. Under Item 106 of Regulation S-K, companies will also be required to describe in their annual reports on Form 10-K or Form 20-F, as applicable, their board of directors’ oversight of cybersecurity threats and risks, as well as management’s role and expertise in assessing and managing material risks from cybersecurity threats or incidents. The Final Rules do not, however, include the previously proposed requirement that companies disclose cybersecurity expertise of board members.
  • Continued Obligation to Disclose Cybersecurity Risks. Companies will be obligated to disclose their cybersecurity risks annually in their Form 10-Ks or Form 20-Fs, including with respect to any previous cybersecurity incidents that have materially affected the company or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition. Companies also have an obligation to explain how such cybersecurity incidents either affected or are reasonably likely to affect the company.

When do the requirements become effective?

The Final Rules will become effective 30 days following publication of the adopting release in the Federal Register. Companies will be required to make the disclosure required under Item 106 of Regulation S-K with respect to their procedures to address cybersecurity threats and risk oversight structure beginning with annual reports on Form 10-K or 20-F, as applicable, for their first fiscal year that ends on or after December 15, 2023.

The requirement to disclose material cybersecurity incidents on Form 8-K or Form 6-K, as applicable, will be applicable to all issuers (other than smaller reporting companies) on the later of the date that is 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies are given an additional 180 days from the effective date for non-smaller reporting companies to comply with this requirement.

What should companies consider?

Board and Leadership Expertise. Companies will need to consider cybersecurity expertise among their management. While the Final Rules dispense with the proposed requirement to disclose board-level expertise, boards of directors still need to be closely involved in the oversight of cyber risk. Companies will need to have processes and policies in place to exercise appropriate oversight of cybersecurity risk, including ensuring the board is informed about these risks. This will allow companies to make appropriate disclosures in their annual reports.

Implement Process to Identify Material Cybersecurity Incidents. In order to comply with the four-day reporting timeline, companies will need to establish a clear process through which the Information Security/Information Technology team can bring potentially material cybersecurity incidents to the attention of the legal team in a consistent and timely manner. As a reminder, this process will likely be viewed by the SEC as a necessary component of effective disclosure controls and procedures. This specifically includes monitoring to assess whether there is any reason to believe that a current cyber incident/intrusion being experienced by the company is related to past intrusions. Pursuing breakdowns in these procedures as a stand-alone legal theory of liability is a favorite tool employed by SEC Enforcement in cyber disclosure enforcement actions.

Implement Process to Manage Cybersecurity Risks. In addition to establishing a well-oiled incident response process through which potentially material cybersecurity incidents are identified, companies will need to revisit all other processes and procedures related to the management of cybersecurity risks, including, for example, their Business Continuity and Disaster Recovery Procedures.

Review Contractual Obligations for Reporting Cybersecurity Incidents. Given that the Final Rules apply to cybersecurity incidents that materially impact the company when they occur on information systems “owned or used by” the company, including vendors’ systems and cloud infrastructure, companies should review their agreements with third parties such as vendors, to ensure that they will be notified in a timely manner of cybersecurity incidents that may be material.

Author

Brian Hengesbaugh is Chair of the Firm's Global Data Privacy and Security Business Unit, a Member of the Firm's Global IP Tech Steering Committee, and a Member of the Firm's Financial Institutions' Group. Brian is listed in The Legal 500 Hall of Fame and was recognized as a Regulatory & Compliance Trailblazer by the National Law Journal. He is also listed as a Leading Lawyer for Cyber law (including data protection and privacy) in The Legal 500 and is listed in Chambers. Formerly Special Counsel to the General Counsel of the US Department of Commerce, Brian played a key role in the development and implementation of the US Government’s domestic and international policy in the area of privacy and electronic commerce. In particular, he served on the core team that negotiated the US-EU Safe Harbor Privacy Arrangement (Safe Harbor), and earned a Medal Award from the US Department of Commerce for this service. In addition, Brian participated on behalf of the United States in the development of a draft Council of Europe Treaty on Cyber Crime, and in the negotiation of a draft Hague Convention on Jurisdiction and the Recognition of Foreign Judgments. Brian has been quoted in the Wall Street Journal, New York Times, Forbes, CNET, Slate Magazine, Compliance Weekly, BNA Bloomberg, PCWorld and other news publications on global privacy and security issues.

Author

Jerome Tomas is Chair of the Firm's SEC and Financial Institutions Enforcement Group and co-chair of the North America Government Enforcement practice group. He has been recognized by Chambers for White Collar Crime & Government Investigations. He represents multinational companies faced with government investigations and conducts internal investigations to assess and remediate legal and compliance concerns in domestic and global operations. With his experience as a former member of the SEC Division of Enforcement’s Cyberforce, the agency’s internet and cyber fraud unit, Jerome regularly advises companies involved in data security breaches and incident response. Jerome now leads teams of lawyers to address government law enforcement perspectives and where necessary, meet and refute government legal theories of corporate and individual liability head-on, while also being pragmatic and business-oriented for management and boards to compete internationally.

Author

Cyrus Vance Jr. has earned a well-deserved international reputation as a trial attorney with a proven track record in high-stakes litigation and global investigations. As the Co-Chair of Baker McKenzie's North America Litigation and Government Enforcement Practice, Cyrus is well-known for his expertise in white collar criminal investigations, complex civil and criminal litigation, sanctions enforcement, compliance and cybersecurity. With over three decades of experience in both the public and private sectors, Cyrus provides invaluable guidance to clients navigating cross-border investigations, enforcement matters, and cybersecurity incidents.
Prior to joining the Firm, Cyrus served three consecutive four-year terms as Manhattan District Attorney, overseeing a team of over 600 prosecutors. He handled landmark criminal prosecutions, including the successful litigation before the U.S. Supreme Court in Trump v. Vance and the conviction of Harvey Weinstein on two felony sex crimes. He also managed more than 100,000 cases annually, including complex white collar and business crimes both domestically and internationally. Cyrus regularly collaborated with regulatory and crime-fighting partners such as the City of London Police, Paris Prosecutors' Office, Singapore Attorney General, Europol and Interpol, and is known for his ability to build and manage teams collaboratively across borders and agencies.

Author

Sali G. Wissa is a partner in the Transactional Practice Group of Baker McKenzie in Chicago.

Author

Christopher M. Bartoli provides advice on corporate and securities matters to clients in various industries including technology, healthcare, energy, real estate, manufacturing, travel and consumer products. He serves on the Firm's Global Capital Markets Steering Committee and is a member of the American Bar Association's Task Force on Public Company Acquisitions, the Executives' Club of Chicago, the Illinois Bar Association and the New Jersey Bar Association.

Author

Ashley Newsome is an associate in the Corporate & Securities Practice Group of Baker McKenzie, Chicago. Prior to joining the Firm, Ashley was an associate editor of the American Intellectual Property Law Association Quarterly Journal.