SEC Adopts Cybersecurity Disclosure Rules
On July 26, the Securities and Exchange Commission, by a 3-2 vote, adopted final rules on cybersecurity disclosure. The rules are a modified version of proposals published for public comment in 2022. See SEC Proposes Cyber Risk Management and Attack Reporting Requirements, March 2022 Update. The SEC’s objective in adopting these rules is to standardize the content and timing of disclosures regarding cybersecurity. In the SEC’s press release announcing adoption of the rules, SEC Chair Gensler states, “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
Overview of Cybersecurity Disclosures
The SEC’s release adopting the new rules contains this chart summarizing the new requirements.
Source: SEC Release No. 33-11216, pages 12-13 (footnote omitted). FPIs are foreign private issuers.
Cybersecurity Incident Disclosure
As reflected in the chart, new Item 1.05 of Form 8-K will require reporting companies to disclose any cybersecurity incident the company decides is material within four days of determining the materiality of the incident. The company may delay disclosure for 30 days if the Attorney General determines that disclosure of the incident poses a substantial risk to national security or public safety and notifies the company and the SEC of this determination in writing. (The practicality of obtaining such a determination from the Attorney General within the four-day window seems remote at best.)
For U.S. companies, incident disclosure must “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” Non-U.S. companies must furnish (not file) information on material cybersecurity incidents that any foreign jurisdiction requires them to disclose.
Only material events must be disclosed, and determining materiality will be one of the key compliance challenges. Disclosure is triggered not by the discovery or occurrence of the incident, but by the company’s determination that it is material. Companies must decide whether an incident is material “without unreasonable delay” after its discovery. The materiality of cybersecurity incidents should be evaluated based on the general standard for securities law materiality set out in Supreme Court case law: information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision or if the information would significantly alter the “total mix” of information made available. Materiality determinations are often not clear-cut, and the SEC’s release adopting the rules seems to encourage companies to take a broad view when applying the concept to cyber incidents:
“[T]he material impact of an incident may encompass a range of harms, some quantitative and others qualitative. A lack of quantifiable harm does not necessarily mean an incident is not material. For example, * * * whereas a cybersecurity incident that results in the theft of information may not be deemed material based on quantitative financial measures alone, it may in fact be material given the impact to the registrant that results from the scope or nature of harm to individuals, customers, or others, and therefore may need to be disclosed.”
Unlike the proposal, the final rules do not contain a requirement that companies update their Form 8-K disclosures concerning cybersecurity incidents in periodic reports. Instead, Item 1.05 provides that the initial Form 8-K must include a statement identifying any required information that is not determined or is unavailable at the time of the filing and that a Form 8-K amendment must be filed within four business days after such information becomes available.
Cybersecurity Risk Management and Governance Disclosure
New Item 106 of Regulation S-K will require annual disclosure concerning management and board oversight of cybersecurity risk. As to management, companies must describe the processes, if any, by which management assesses, identifies, and manages material risks from cybersecurity threats and the management positions or committees responsible for assessing and managing cybersecurity risk, including their relevant expertise. Companies must also disclose the material effects, or reasonably likely material effects, of risks from cybersecurity threats and previous cybersecurity incidents on their business strategy, results of operations or financial condition.
As to the board, disclosure must include whether management reports information about cybersecurity risks to the board and the board’s role in overseeing risks from cybersecurity threats. Any board committee or subcommittee that oversees cybersecurity risks must be identified, along with the processes by which management informs the committee about such risks. (The Commission did not adopt the aspect of the proposal that would have required disclosure of the cybersecurity expertise, if any, of the company’s directors.)
The new rules become effective 30 days following publication in the Federal Register. (The effective date is therefore September 5, 2023.) The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures will be due beginning on December 18, 2023. Smaller reporting companies have an additional 180 days before they must begin providing the Form 8-K disclosure.
Comment: In many cases, determining whether a cybersecurity incident is material “without unreasonable delay” after its discovery and then, within four business days, making a filing with the SEC describing the material impact or “reasonably likely material impact” of the incident will be difficult and highly judgmental. Management and the board will need to evaluate the materiality of breaches in an environment in which information may be limited and the company’s understanding of the event may still be evolving. The company’s disclosure will attract the close attention of shareholders, the press, regulators, and the plaintiff’s bar.
Audit committees should, to the extent possible, prepare in advance to fulfil their role in meeting these challenges. For example, the audit committees should ask management to evaluate whether the company’s existing disclosure controls and procedures regarding cybersecurity incidents are consistent with the new Form 8-K requirements. It will be imperative that the IT staff immediately bring information about cybersecurity incidents to the attention of management with disclosure responsibility and of the audit committee and any other relevant board committees. Audit committees may also want to make sure that management and the board have identified and entered into arrangements with outside experts and advisors who specialize in evaluating cybersecurity incidents. Board training on cybersecurity, including incident response dry runs, could also be considered.
Audit committees may also want to review the impact of the new cybersecurity risk management disclosures. As noted in prior Updates, cybersecurity risk oversight is often assigned to the audit committee. (See Slight Increases, Some Stagnation: CAQ and EY Report Cards on Audit Committee Transparency, November-December 2021 Update.) Accordingly, the requirement to describe board oversight of cybersecurity risk, including committees with cyber oversight responsibility, will frequently result in new disclosure about the work of the audit committee. Audit committees may therefore want to review their processes and consider whether any changes or enhancements are necessary.