On July 26, 2023, in a 3-2 vote, the Securities and Exchange Commission (the “SEC”) adopted new rules for public companies that will require disclosures regarding cybersecurity incidents, as well as cybersecurity risk management, strategy, and governance.
The new rules will dramatically affect the way public companies disclose cyber incidents and matters relating to their cybersecurity oversight. These new disclosures represent a significant expansion of existing SEC disclosure guidance, which dates back to 2011 and 2018 (see our prior post). In adopting the new requirements, the SEC confirmed that the 2018 Interpretive Release and 2011 Staff Guidance remain applicable and should be used to inform potential disclosure obligations relating to cyber incidents that are not specifically addressed in these new requirements.
The new rules and amendments include current and periodic reporting requirements, with disclosures required in Forms 8-K, 6-K, 10-K and 20-F, and associated inline XBRL tagging requirements. The new requirements apply broadly to all public companies, including foreign private issuers, emerging growth companies and smaller reporting companies. We have outlined below the timing of implementation of the new rules, but in general companies other than smaller reporting companies will first be required to comply with the new current reporting requirements in Forms 8-K and 6-K before year-end. The annual reporting requirements in Forms 10-K and 20-F apply to all companies starting with their Forms 10-K and 20-F filed in early 2024.
This blog post is intended to provide a high-level overview of the new rules, and a forthcoming WilmerHale client alert will provide greater detail, analysis and recommendations.
Summary of New Disclosure Requirements in Current Reports
Under new Item 1.05 of Form 8-K, a registrant that experiences a material cybersecurity incident must report the incident within four business days of when the registrant determines that such an incident is material to the registrant. This determination is to be made “without unreasonable delay after discovery of the incident.” Furthermore, the disclosure must include “material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.”
Notably, the rule does not require companies to discuss the cybersecurity incident’s remediation status, if it is ongoing, or whether data were compromised. Nor does the rule require disclosure of the specific or technical information about the registrant’s planned response or its cybersecurity systems, networks and devices, or potential system vulnerabilities to such a degree of detail as would impede the registrant’s response or remediation of the incident.
The SEC has defined “cybersecurity incident” broadly to include “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” The adopting release sets forth examples of incidents that might trigger disclosure, including incidents occurring on third-party systems or accidental exposures of customer data that result in unauthorized access to that data.
Whether a cybersecurity incident is “material” is to be analyzed under the traditional securities law definition of materiality, meaning an incident is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.” As explained in the adopting release, qualitative and quantitative factors must both be considered when assessing the materiality of a cybersecurity incident.
In a departure from the proposal, Item 1.05 allows for delayed Form 8-K reporting in very limited circumstances. Most notably, registrants may delay filing an Item 1.05 Form 8-K where the United States Attorney General determines that disclosure under Item 1.05 poses a substantial risk to national security or public safety, and the United States Attorney General notifies the SEC of such determination in writing. Under these circumstances, the registrant may delay providing an Item 1.05 Form 8-K filing for the time period specified by the United States Attorney General, which may be up to 30 days, subject to an additional extension period of up to another 30 days. In extraordinary circumstances involving national security (but not public safety), a further extension may be available.
The SEC acknowledged in its adopting release that certain information responsive to the requirements of new Item 1.05 may not be determined or might be unavailable at the time the Item 1.05 Form 8-K is required to be filed. In such case, (i) the registrant must include a statement to this effect in its Form 8-K and (ii) file an amendment to the initial Form 8-K within four business days after the registrant, without unreasonable delay, determines such information or after such information becomes available.
Similar to other Form 8-K items that rely on materiality determinations, a registrant’s untimely filing of an Item 1.05 Form 8-K will not result in a loss of Form S-3 eligibility. Further, Rules 13a-11 and 15d-1 have been amended to include new Item 1.05 of Form 8-K in the list of Form 8-K items eligible for a limited safe harbor from liability under Section 10(b) and Rule 10b-5 of the Exchange Act.
Summary of New Disclosure Requirements in Annual Reports
New Item 1C to Form 10-K directs registrants to provide the information required by new Item 106 of Regulation S-K. At a high level, registrants must disclose:
- company processes, if any, to assess, identify, and manage material cybersecurity risks;
- management’s role and expertise in assessing and managing material cybersecurity risks; and
- the board of directors’ oversight of cybersecurity risks.
Additionally, registrants will be required to address whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant. In a departure from the proposed rule, disclosure about the cybersecurity expertise of a registrant’s board members is not required. Disclosure is required, however, of the relevant experience of members of management who are responsible for assessing and managing cybersecurity risk, which need only be in such detail as “necessary to fully describe the nature of the expertise.” This may include prior cybersecurity work experience, any relevant degrees or certifications, or any knowledge, skills or additional background in cybersecurity.
Timing
The above changes become effective 30 days from publication in the Federal Register. The following chart summarizes the compliance dates, including applicable transition delays that apply to smaller reporting companies: