On July 26, 2023, the Securities and Exchange Commission (SEC) adopted final rules requiring public companies to disclose material cybersecurity incidents and to disclose annually details of their cybersecurity risk management, strategy and governance. The SEC’s new rules add a new layer to the security governance landscape of U.S. publicly traded companies and represent a significant step toward standardizing disclosure of corporate cybersecurity governance, incidents, and risk management to investors and consumers.
Key Elements
The final rules introduce various requirements regarding
specific incidents as well as ongoing oversight, so as to provide a
clear framework for the disclosure of cybersecurity incidents and
governance:
- Material Cybersecurity Incidents Disclosure: Companies are obligated to report any material cybersecurity incident under new Item 1.05 of Form 8-K within four business days following the company’s determination of the incident’s materiality. This requires organizations to quickly assess the severity of any cybersecurity breach and report it in a timely manner.
- Annual Disclosure of Cybersecurity Risk Management and Strategy: The new rules, reflected in Item 106 of Regulation S-K, affect annual disclosures and will require companies to provide more detailed insight into their cybersecurity risk management and strategy, including their processes for managing cybersecurity threats, and whether these threats have had, or are likely to have, material effects on the company.
- Cybersecurity Governance: Companies are required to provide further details in their annual reports about oversight of cybersecurity risks by the board and management, and about how they manage these risks at different levels of their organizational structure.
Similar disclosures will be required by foreign private
issuers.
Key Dates
- December 15, 2023: Companies must make the disclosures required under Regulation S-K Item 106 (and comparable requirements in Form 20-F) about cybersecurity beginning with annual reports for fiscal years ending on or after this date.
- December 18, 2023: SEC begins enforcement of Form 8-K disclosure for cybersecurity incidents, other than smaller reporting companies (SRCs).
- June 15, 2024: SEC begins enforcement of disclosure for cybersecurity incidents for SRCs.
These strict enforcement timelines may put pressure on companies
to review their current cybersecurity programs to protect against
any vulnerabilities public disclosure may expose, and to ensure
compliance with disclosure procedures.
Material Cybersecurity Incident Disclosure
The rule’s biggest impact is that public companies will be required to file a Form 8-K within four business days of determining that a cybersecurity event is “material.” A cybersecurity incident is “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a [company]’s information systems or any information residing therein.”
The key consideration here, as with many disclosure considerations, is the company’s determination of when an event reaches the “materiality” threshold – a subjective and often difficult determination. Upon discovering a cybersecurity incident, companies are now required to make a determination on materiality “as soon as reasonably practicable” and without “unreasonable delay.” Materiality is based on the longstanding principle that information is material if there is a substantial likelihood that an investor would consider it important in making an investment decision, or if it would significantly alter the “total mix” of information made available to the investing public. In making this determination, companies must consider qualitative as well as quantitative factors, such as reputation, business relationships, competitiveness, and the possibility of litigation or regulatory action. The original proposing release included these examples of possibly material incidents:
- Compromise of the confidentiality, integrity, or availability of an information asset (data, system, or network); or violation of the company’s security policies or procedures—whether accidental or intentional;
- Degradation, interruption, loss of control, damage to, or loss of operational technology systems;
- Unauthorized party accessed, or a party exceeded authorized access, and altered, or stole sensitive business information, personally identifiable information, intellectual property, or information that resulted, or may result, in a loss or liability for the company;
- Malicious actor offered to sell or threatened to publicly disclose sensitive company data; or
- Malicious actor demanded payment to restore company data that was stolen or altered.
The disclosure must “describe the material aspects of the
nature, scope, and timing of the incident, and the material impact
or reasonably likely material impact on the company, including its
financial condition and results of operations.” In an
Instruction, the SEC took into account the concerns expressed by
commentators that certain disclosures could give the malicious
actor a roadmap for further attacks, stating, “registrant need
not disclose specific or technical information about its planned
response to the incident or its cybersecurity systems, related
networks and devices, or potential system vulnerabilities in such
detail as would impede the registrant’s response or remediation
of the incident.” The final rule requires amended filings to
disclose additional or corrected information as learned about an
incident – which likely will be necessary given that an incident’s scope and impact generally will stretch well beyond the four-business-day filing deadline.
A determination by the U.S. Attorney General that disclosure
would pose a substantial risk to national security or public safety
can provide a 30-day extension to the filing deadline.
Annual Disclosure of Cybersecurity Risk Management and
Strategy
New Item 106 of Regulation S-K requires companies to delineate
their processes for assessing, managing, and identifying material
cybersecurity threats in their Annual Reports on Form 10-K (or Form
20-F as applicable). This strategic move, aimed at replacing
“policies and procedures” with “processes,”
marks an important shift away from detailed operational specifics
that could potentially be weaponized by malicious cyber actors.
A cybersecurity threat is “any potential unauthorized
occurrence on or conducted through a [company]’s information
systems that may result in adverse effects on the confidentiality,
integrity or availability of a [company]’s information systems
or any information residing therein.”
Consistent with the aim of the incident-reporting requirement, the annual disclosures should include details of the following, in addition to “whatever information necessary” for a reasonable investor to understand the company’s cybersecurity processes:
- Whether the processes are integrated into the company’s overall risk management system or processes;
- Whether the company engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
- Whether the company has processes to oversee and identify risks from cybersecurity threats associated with its use of any third-party service provider.
Companies must also describe whether any risks from
cybersecurity threats, including as a result of any previous
cybersecurity incidents, have materially affected or are reasonably
likely to materially affect the company, including its business
strategy, results of operations, or financial condition.
Cybersecurity Governance
A cornerstone of new Item 106 involves governance disclosure.
Companies must now outline the role their board of directors plays
in overseeing cybersecurity threats. This includes identifying any
board committee or subcommittee responsible for this oversight and
explaining how they are informed about these risks. Although the
requirement to disclose cybersecurity expertise within the board
has been omitted from the final rule, the SEC still encourages
companies to consider this if they deem it necessary for their
cyber-risk management.
Furthermore, the rule necessitates a description of the role of
management in assessing and mitigating material risks from
cybersecurity threats. This means companies should identify
specifically who is responsible for these tasks, their relevant
expertise, and the processes they use to stay informed and monitor
the prevention, detection, mitigation, and remediation of
cybersecurity incidents.
Companies will be required to describe in their Form 10-K the
board of directors’ oversight and awareness of risks from
cybersecurity threats and management’s role and relevant
expertise in assessing and managing material risks from
cybersecurity threats. “Relevant expertise” for purposes
of management’s disclosure may include prior cybersecurity work
experience, relevant certifications, and other cybersecurity
background. Importantly, the SEC did not adopt the proposed
requirement to disclose board cybersecurity expertise or
certifications.
Key Takeaways and Next Steps for Companies
The implications of this new rule are significant, and companies
should begin immediate planning and implementation to ensure
compliance.
Firstly, it is essential that companies review their
cybersecurity incident response playbooks, ensuring they align with
the processes outlined in the new Form 8-K requirements. As the
rule highlights, companies must not “unreasonably delay”
the materiality determination for a cybersecurity incident. This
underscores the need for clear communication channels between the
cybersecurity team, legal team, disclosure committee, and the board
of directors to facilitate effective and timely assessment and
escalation of detected cybersecurity incidents.
Moreover, companies should document both their materiality
analysis and the time taken to assess materiality. They also need
to review their processes for managing cybersecurity risk, in light
of the final rule’s emphasis on disclosing the company’s
risk management strategy and governance. Importantly, there are no
“standard” or “template” forms that will meet
the new reporting obligations. Companies will need to appropriately
tailor descriptions of the nature and possible impact of the
incident on Form 8-K as well as provide an accurate description of
cybersecurity processes, use of outside consultants, and assessment
of risks posed by third-party service providers in annual
reports.
Companies evaluating the potential impact of the adopted rules
should evaluate their existing cybersecurity plans, policies and
protocols, in light of the newly adopted four-business-day deadline
to disclose material cybersecurity incidents and other enhanced
disclosure obligations. As part of their cybersecurity plans,
policies and protocols, companies should consider the process by
which they will determine the materiality of a cyber incident. This
will require having a top-down understanding of the company and the
role cybersecurity plays throughout the enterprise. It will also
require a direct, ongoing, and rapid communications process between
the incident response team and other relevant groups within a
company, including the legal department.
Legal Support
Drafting disclosures regarding material cybersecurity incidents
and a company’s risk management processes requires a careful
balance. Companies must meet their obligation to disclose material
information without unintentionally exposing weaknesses in their
cybersecurity posture that could be further exploited by malicious
cyber actors.
To comply with the terms of this requirement, publicly traded
companies should seek the assistance of experienced outside counsel
to:
- Review existing incident response procedures and make necessary adjustments to comply with the requirements of the new Form 8-K. This may include developing protocols for assessing and documenting the materiality of a cybersecurity incident in a timely manner.
- Ensure disclosure controls and procedures are designed to facilitate effective communication between the cybersecurity team, the legal team, the disclosure committee, and the board of directors.
- Assist in carefully documenting materiality analysis and the reasonableness of the time taken to assess materiality. This will be critical under the new rules.
- Advise on navigating the narrow exceptions for delaying the reporting of material cybersecurity incidents, particularly the requirement to obtain the Attorney General’s determination that disclosure poses a substantial risk to national security or public safety.
- Assist in the assessment of current cybersecurity risk management processes and align them with the details required to be disclosed under the final rule.
- Assist in drafting accurate, comprehensive, but carefully worded disclosures that meet the requirements given the potential for greater scrutiny and potential liability from public disclosures.
- Help align new cybersecurity disclosures with existing risk factor and proxy statement disclosures to maintain consistency and compliance.
With the December 2023 deadline fast approaching, companies
should take a proactive approach in organizing disclosures under
annual reports and be prepared for potential Form 8-K disclosures.
Buchanan has a team of committed professionals in its Securities Practice Group and Cybersecurity and Data Privacy Group ready to
assist registrants in evaluating their existing cybersecurity
framework so as to be prepared to meet their new disclosure
obligations.