United States: New SEC Cyber Rule Establishes Four-Day Reporting Window And New Annual Disclosures – Buchanan Ingersoll & Rooney PC

On July 26, 2023, the Securities and Exchange Commission (SEC)
adopted final rules requiring public companies to disclose
material cybersecurity incidents and annually disclose details of
their cybersecurity risk management, strategy and governance. The
SEC’s new rules add a significant layer to the security
governance landscape of U.S. publicly traded companies and
represent a major step toward standardizing disclosure of
corporate cybersecurity governance, incidents, and risk management
to investors and consumers.

Key Elements

The final rules introduce various requirements regarding
specific incidents as well as ongoing oversight, so as to provide a
clear framework for the disclosure of cybersecurity incidents and

  • Material Cybersecurity Incidents Disclosure: Companies
    are obligated to report any material cybersecurity incidents under
    new Item 1.05 of Form 8-K within four business days following the
    company’s determination of the incident’s materiality. This
    requires organizations to quickly assess the severity of any
    cybersecurity breach and report it in a timely manner.

  • Annual Disclosure of Cybersecurity Risk Management and
    : The new rules, reflected in Item 106 of Regulation
    S-K, impact annual disclosures and will require companies to
    provide more detailed insight into their cybersecurity risk
    management and strategy, including their processes for managing
    cybersecurity threats, and whether these threats have had, or are
    likely to have, material effects on the company.

  • Cybersecurity Governance: Companies are required to
    provide further details in their annual reports about oversight of
    cybersecurity risks by the board and management and how they are
    managing these risks at different levels of their organizational

Similar disclosures will be required by foreign private

Key Dates

  • December 15, 2023: Companies must make the
    disclosures required under Regulation S-K Item 106 (and comparable
    requirements in Form 20-F) about cybersecurity beginning with
    annual reports for fiscal years ending on or after this date.

  • December 18, 2023: SEC begins enforcement of
    Form 8-K disclosure for cybersecurity incidents, other than smaller
    reporting companies (SRCs).

  • June 15, 2024: SEC begins enforcement of
    disclosure for cybersecurity incidents for SRCs.

These strict enforcement timelines may put pressure on companies
to review their current cybersecurity programs to protect against
any vulnerabilities public disclosure may expose, and to ensure
compliance with disclosure procedures.

Material Cybersecurity Incident Disclosure

The rule’s biggest impact is that public companies will be
required to file a Form 8-K within four business days of
determining that a cybersecurity event is “material.” A
cybersecurity incident is “an unauthorized occurrence, or a
series of related unauthorized occurrences, on or conducted through
a [company]’s information systems or any information residing

The key consideration here, as with many disclosure
considerations, is the company’s determination of when an event
reaches the “materiality” threshold – a subjective
and often difficult determination. Upon discovering a cybersecurity
incident, companies are now required to make a determination on
materiality “as soon as reasonably practicable” and
without “unreasonable delay.” Materiality is based on the
longstanding principle that there is a substantial likelihood an
investor would consider information about the incident to be
important in making an investment decision, or if it would
significantly alter the “total mix” of information made
available to the investing public. In making this determination,
companies must consider both qualitative as well as quantitative
factors, such as reputation, business relationships,
competitiveness, and the possibility of litigation or regulatory
action. The original proposing release included these examples of
possibly material incidents:

  • Compromise of the confidentiality, integrity, or availability
    of an information asset (data, system, or network); or violation of
    the company’s security policies or procedures—whether
    accidental or intentional;

  • Degradation, interruption, loss of control, damage to, or loss
    of operational technology systems;

  • Unauthorized party accessed, or a party exceeded authorized
    access, and altered, or stole sensitive business information,
    personally identifiable information, intellectual property, or
    information that resulted, or may result, in a loss or liability
    for the company;

  • Malicious actor offered to sell or threatened to publicly
    disclose sensitive company data; or

  • Malicious actor demanded payment to restore company data that
    was stolen or altered.

The disclosure must “describe the material aspects of the
nature, scope, and timing of the incident, and the material impact
or reasonably likely material impact on the company, including its
financial condition and results of operations.” In an
Instruction, the SEC took into account the concerns expressed by
commentators that certain disclosures could give a malicious
actor a roadmap for further attacks, stating, “registrant need
not disclose specific or technical information about its planned
response to the incident or its cybersecurity systems, related
networks and devices, or potential system vulnerabilities in such
detail as would impede the registrant’s response or remediation
of the incident.” The final rule requires amended filings to
disclose additional or corrected information as it is learned about
an incident – which likely will be necessary given that an
incident’s scope and impact generally will stretch well beyond
the four-business-day filing deadline.

A determination by the U.S. Attorney General that disclosure
would pose a substantial risk to national security or public safety
can provide a 30-day extension to the filing deadline.

Annual Disclosure of Cybersecurity Risk Management and

New Item 106 of Regulation S-K requires companies to delineate
their processes for assessing, managing, and identifying material
cybersecurity threats in their Annual Reports on Form 10-K (or Form
20-F as applicable). This strategic move, aimed at replacing
“policies and procedures” with “processes,”
marks an important shift away from detailed operational specifics
that could potentially be weaponized by malicious cyber actors.

A cybersecurity threat is “any potential unauthorized
occurrence on or conducted through a [company]’s information
systems that may result in adverse effects on the confidentiality,
integrity or availability of a [company]’s information systems
or any information residing therein.”

Consistent with the intent of real-time reporting of material
cybersecurity events, the annual disclosures should include details
of the following, in addition to “whatever information
necessary” for a reasonable investor to understand the
company’s cybersecurity processes:

  • Whether the processes are integrated into the company’s overall
    risk management system or processes;

  • Whether the company engages assessors, consultants, auditors,
    or other third parties in connection with any such processes;

  • Whether the company has processes to oversee and identify risks
    from cybersecurity threats associated with its use of any
    third-party service provider.

Companies must also describe whether any risks from
cybersecurity threats, including as a result of any previous
cybersecurity incidents, have materially affected or are reasonably
likely to materially affect the company, including its business
strategy, results of operations, or financial condition.

Cybersecurity Governance

A cornerstone of new Item 106 involves governance disclosure.
Companies must now outline the role their board of directors plays
in overseeing cybersecurity threats. This includes identifying any
board committee or subcommittee responsible for this oversight and
explaining how they are informed about these risks. Although the
requirement to disclose cybersecurity expertise within the board
has been omitted from the final rule, the SEC still encourages
companies to consider this if they deem it necessary for their
cyber-risk management.

Furthermore, the rule necessitates a description of the role of
management in assessing and mitigating material risks from
cybersecurity threats. This means companies should identify
specifically who is responsible for these tasks, their relevant
expertise, and the processes they use to stay informed and monitor
the prevention, detection, mitigation, and remediation of
cybersecurity incidents.

Companies will be required to describe in their Form 10-K the
board of directors’ oversight and awareness of risks from
cybersecurity threats and management’s role and relevant
expertise in assessing and managing material risks from
cybersecurity threats. “Relevant expertise” for purposes
of management’s disclosure may include prior cybersecurity work
experience, relevant certifications, and other cybersecurity
background. Importantly, the SEC did not adopt the proposed
requirement to disclose board cybersecurity expertise or

Key Takeaways and Next Steps for Companies

The implications of this new rule are significant, and companies
should begin immediate planning and implementation to ensure

Firstly, it is essential that companies review their
cybersecurity incident response playbooks, ensuring they align with
the processes outlined in the new Form 8-K requirements. As the
rule highlights, companies must not “unreasonably delay”
the materiality determination for a cybersecurity incident. This
underscores the need for clear communication channels between the
cybersecurity team, legal team, disclosure committee, and the board
of directors to facilitate effective and timely assessment and
escalation of detected cybersecurity incidents.

Moreover, companies should document both their materiality
analysis and the time taken to assess materiality. They also need
to review their processes for managing cybersecurity risk, in light
of the final rule’s emphasis on disclosing the company’s
risk management strategy and governance. Importantly, there are no
“standard” or “template” forms that will meet
the new reporting obligations. Companies will need to appropriately
tailor descriptions of the nature and possible impact of the
incident on Form 8-K as well as provide an accurate description of
cybersecurity processes, use of outside consultants, and assessment
of risks posed by third-party service providers in annual

Companies evaluating the potential impact of the adopted rules
should evaluate their existing cybersecurity plans, policies and
protocols, in light of the newly adopted four business-day deadline
to disclose material cybersecurity incidents and other enhanced
disclosure obligations. As part of their cybersecurity plans,
policies and protocols, companies should consider the process by
which they will determine the materiality of a cyber incident. This
will require having a top-down understanding of the company and the
role cybersecurity plays throughout the enterprise. It will also
require a direct, ongoing, and rapid communications process between
the incident response team and other relevant groups within a
company, including the legal department.

Legal Support

Drafting disclosures regarding material cybersecurity incidents
and a company’s risk management processes requires a careful
balance. Companies must meet their obligation to disclose material
information without unintentionally exposing weaknesses in their
cybersecurity posture that could be further exploited by malicious
cyber actors.

To comply with the terms of this requirement, publicly traded
companies should seek the assistance of experienced outside counsel

  • Review existing incident response procedures and make necessary
    adjustments to comply with the requirements of the new Form 8-K.
    This may include developing protocols for assessing and documenting
    the materiality of a cybersecurity incident in a timely

  • Ensure disclosure controls and procedures are designed to
    facilitate effective communication between the cybersecurity team,
    the legal team, the disclosure committee, and the board of

  • Assist in carefully documenting materiality analysis and the
    reasonableness of the time taken to assess materiality. This will
    be critical under the new rules.

  • Advise on navigating the narrow exceptions for delaying the
    reporting of material cybersecurity incidents, particularly the
    requirement to obtain the Attorney General’s determination that
    disclosure poses a substantial risk to national security or public

  • Assist in the assessment of current cybersecurity risk
    management processes and align them with the details required to be
    disclosed under the final rule.

  • Assist in drafting accurate, comprehensive, but carefully
    worded disclosures that meet the requirements given the potential
    for greater scrutiny and potential liability from public

  • Help align new cybersecurity disclosures with existing risk
    factor and proxy statement disclosures to maintain consistency and

With the December 2023 deadline fast approaching, companies
should take a proactive approach in organizing disclosures under
annual reports and be prepared for potential Form 8-K disclosures.
Buchanan has a team of committed professionals in its Securities Practice Group and Cybersecurity and Data Privacy Group ready to
assist registrants in evaluating their existing cybersecurity
framework so as to be prepared to meet their new disclosure

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
