In a narrow 3-2 decision on July 26, the SEC adopted its final rule concerning cybersecurity risk management, strategy, governance, and incident disclosure (the “Final Rule”). Below we highlight some of the principal changes to the cybersecurity rules first proposed by the SEC more than 16 months ago.
Current Reporting (Form 8-K Item 1.05)
- Disclosure Without Unreasonable Delay Following Materiality Determination. As we discussed when we wrote about the proposed rule, it is notable that the SEC is focusing cybersecurity disclosure requirements on material cybersecurity incidents, as determined by the company that experienced the incident. The SEC retained the materiality determination and, in its Final Rule, will be requiring registrants to make a determination of materiality “without unreasonable delay” rather than “as soon as reasonably practicable” as contemplated by the proposed rule. This change with respect to the timing of disclosure acknowledges the complexity of investigating a cybersecurity incident and of working with advisors to formulate organizational consensus about the facts and impacts surrounding an incident. Compared to the proposed rule, companies will have incrementally more latitude to develop sufficient information about a cybersecurity incident, and once the materiality determination is made, without unreasonably delay, the company will be required to make its Form 8-K disclosure within four business days.
- Disclosure of Material Aspects and Impacts of the Cybersecurity Incident. With its Final Rule, the SEC has closely tied the required disclosure to the concept of materiality. If a registrant determines it has experienced a material cybersecurity incident, it will need to “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” In effect, the disclosure requirements are narrowed by these thresholds and are more focused on material impacts and effects, rather than a mere description of the event.
- Potential Delay in Disclosure for Public Safety or National Security (Form 8-K, Item 1.05(c)). Where a substantial risk to public safety or national security would arise as a result of a disclosure, the Final Rule allows for a delayed filing upon a finding of substantial risk to public safety or national security by the U.S. Attorney General and a written notification of the same to the SEC.
- Expanded Definition of Cybersecurity Incident. The definition of “cybersecurity incident” has been modified in the Final Rule to account for not only an unauthorized occurrence of a cybersecurity incident, but also “a series of related unauthorized occurrences,” which seems aimed at driving companies to consider the collective impacts and risks of a series of related occurrences when making its determination with respect to the materiality of a cybersecurity incident as a whole.
- Disclosure of Technical Information about Planned Response Not Required. The Final Rule also clarifies that a registrant does not need to disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.
- Updated Incident Disclosure by Form 8-K Amendment Rather than Periodic Reporting. To the extent that the required disclosure is not determined or is unavailable at the time of the Form 8-K filing, the Final Rule requires that registrants so indicate in the initial Form 8-K filing and then provide the additional required information in a Form 8-K amendment (rather than in its Form 10-K or Form 10-Q as contemplated by the proposed rule). This Form 8-K amendment must be filed within 4 business days of such information becoming available or being determined.
- Untimely Filing and Form S-3 Eligibility. The Final Rule also makes clear that untimely filing will not lead to a loss of Form S-3 eligibility.
Periodic Reporting (Regulation S-K Item 106)
- Risk Management and Strategy. Periodic reporting on Form 10-K and Form 20-F must describe a registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes and must address a non-exhaustive list of processes, including the integration of these processes into the registrant’s overall risk management system or processes; the engagement of third parties to assist with cybersecurity risk management; and the registrant’s oversight and identification of cybersecurity risks associated with third-party service providers. Registrants must also describe whether and how risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations or financial condition.
- Governance: Board Oversight and Management’s Role. Registrants must describe the board’s oversight of risks from cybersecurity threats, and, if applicable, identify any board committee or subcommittee responsible for such oversight and describe the processes by which the board or such committee is informed about such risks. Registrants must also describe management’s role in assessing and managing the registrant’s material risks from cybersecurity threats, and must address a non-exhaustive list of disclosure items, including the management positions or committees responsible for assessing and managing such risks and their relevant expertise, and how related information is communicated through the organization, including to the board of directors or its committees or subcommittees.
- Director and Management Cybersecurity Expertise. Requirements to disclose board-level cybersecurity expertise have been removed, while management’s cybersecurity expertise must be disclosed. From a practical perspective, this disclosure is likely more meaningful as a company’s management team generally has more visibility and day-to-day decision-making with respect to architecting technical measures, policies, and meaningful operational practices that drive the success of a company’s cybersecurity program.
The Final Rule will take effect 30 days after the adopting release is published in the Federal Register. The Form 10-K and Form 20-F disclosures will be required for all registrants beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures for all registrants other than smaller reporting companies will be required beginning on the later of 90 days after the date of publication in the Federal Register, or December 18, 2023. Smaller reporting companies must begin complying with the Form 8-K disclosure requirements on the later of 270 days from the effective date of the Final Rule or June 15, 2024. All registrants must tag disclosures required under the Final Rule in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.
While the SEC has long required companies to disclose information regarding cybersecurity incidents, the Final Rule reflects a more directed approach and greater focus on proactive risk identification and mitigation. Registrants could take the below steps in order to be better prepared to meet their disclosure obligations under the Final Rule:
- Revise incident response plans and other cybersecurity policies to structure and support rapid escalation procedures for making a materiality determination if a cybersecurity incident occurs.
- Establish procedures for disclosing additional required information about a cybersecurity incident to the extent such information is not determined or available for disclosure in the initial Form 8-K, to facilitate timely Form 8-K amendment filings as needed.
- Revisit and refine process and scope for board and management oversight of cybersecurity risks and processes for addressing cybersecurity threats.
- Review and update organizational disclosures for periodic reporting under Regulation S-K Item 106 to ensure each disclosure element in the Final Rule is being addressed and followed in practice. Review management’s cybersecurity expertise as well in order to prepare for related disclosure.