On July 26, 2023, the Securities and Exchange Commission (the “SEC”) voted 3-2 to adopt new cybersecurity disclosure rules for public companies. The purpose of the rules, which build upon interpretive guidance provided in 2011 and 2018, is to better inform investors about public companies’ risk management, strategy, and governance related to cybersecurity, as well as to provide timely notification to investors of material cybersecurity incidents. Specifically, the adopting rule release posits that “investors need timely, standardized disclosure regarding cybersecurity incidents materially affecting registrants’ businesses, and that the existing regulatory landscape is not yielding consistent and informative disclosure of cybersecurity incidents from registrants.”
Form 8-K Disclosure of Material Cybersecurity Incidents
The final rules require registrants to disclose material cybersecurity incidents in a Form 8-K (under a new Item 1.05) within four business days after the registrant determines that it has experienced a material “cybersecurity incident,” which is defined as “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” Following are some additional points about the new incident disclosure requirements:
- The Item 1.05 8-K must describe the material aspects of (i) the nature, scope, and timing of the cybersecurity incident and (ii) its impact or reasonably likely impact on the registrant, including its financial condition and results of operations.
- Registrants should consider qualitative factors alongside quantitative factors in assessing the material impact of an incident, including, for example, reputational harm, the impact on the registrant’s relationships with customers and vendors, and the possibility of litigation or regulatory investigations.
- Disclosure on Form 8-K may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing. The SEC will consider additional requests for delay and may grant relief through exemptive orders.
- The proposed rule requiring updated disclosure in Forms 10-Q and 10-K regarding previously disclosed cybersecurity events was not adopted in the final rules. Instead, the SEC has added an Instruction 2 to Item 1.05 of Form 8-K to require a Form 8-K amendment to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing.
- These disclosure requirements are narrower than the scope of required disclosures in the proposed rules. The final rules did not include the proposed requirement to disclose, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate. The final rules also did not include the proposed requirement for disclosure of the incident’s remediation status, whether it is ongoing, and whether data were compromised.
Importantly, the untimely filing of an Item 1.05 Form 8-K will not result in the loss of Form S-3 eligibility.
Form 10-K Disclosure of Cybersecurity Risk Management, Strategy and Governance
The final rules add a new Item 106 to Regulation S-K, which calls for registrants to make the following cybersecurity disclosures in their Form 10-K filings:
- A description of their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition, and if so, how. Disclosure should include:
  - Whether and how the described cybersecurity processes have been integrated into the registrant’s overall risk management system or processes;
  - Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
  - Whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.
- A description of the board’s oversight of risks from cybersecurity threats and, if applicable, the identification of any board committee or subcommittee responsible for such oversight and a description of the processes by which the board or committee is informed about such risks.
- A description of management’s role in assessing and managing material risks from cybersecurity threats.
The proposed rules would have amended Item 407 of Regulation S-K to require disclosure in proxy statements and 10-Ks regarding whether any member of the registrant’s board of directors has cybersecurity expertise, and, if so, the registrant would have needed to disclose the name of the director and fully describe the nature of the expertise. The SEC did not adopt these proposed amendments to Item 407, and, accordingly, such disclosure will not be required.
The final rules also require the cybersecurity disclosures to be tagged in Inline eXtensible Business Reporting Language (Inline XBRL) format, subject to a one-year transition period as noted in the table below.
Next Steps
The final rules require registrants to make their materiality determinations “without unreasonable delay.” This underscores the need for effective disclosure controls that ensure anyone within the registrant’s organization who becomes aware of a cybersecurity incident immediately reports it to management and to the others within the company responsible for making materiality and disclosure determinations. In advance of the effective date for the Form 8-K reporting requirements, registrants should review their disclosure controls, including incident response plans, update them to require such immediate reporting of cybersecurity incidents, and implement training or other reminders for employees on the importance of promptly reporting cyber events.
Effective Date and Transition Period
The final rules will become effective 30 days following publication of the adopting release in the Federal Register. The table below provides the compliance dates for the Form 8-K and Form 10-K disclosures and the Inline XBRL requirements: