The SEC recently adopted final rules relating to the disclosure of cybersecurity-related information by public companies. The rules, slated to take effect later this year, establish requirements for prompt disclosure of material cybersecurity incidents and for disclosure of cybersecurity strategy, risk management, and oversight by both the board and management in a company’s annual report. Notably, the rules represent a substantial retreat from the proposed rules, which were published in March of this year and were passed by a bare 3-2 vote of the Commission. In summary, all public companies must:
- Report material cybersecurity incidents on Form 8-K (smaller reporting companies may take advantage of an extension until September 23, 2024).
- Comply with annual disclosure requirements on Form 10-K to describe management’s role in assessing and managing risks from cybersecurity threats and the board of directors’ role in oversight of those risks.
New Item 1.05 of Form 8-K requires a company to disclose a material cybersecurity incident within four days after it determines that a material cybersecurity incident has occurred.
What is a cybersecurity incident? For Item 1.05, the SEC adopted the definition of cybersecurity incident used in Regulation S-K. “Cybersecurity incident” is defined to mean an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a company’s information systems that jeopardizes the confidentiality, integrity, or availability of the company’s information systems or any information residing therein. “Information systems” is defined to mean electronic information resources owned or used by the company, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the company’s information to maintain or support the company’s operations. Note that the company need not own the system that has suffered the incident.
How is materiality determined? The adopting release states that the materiality analysis is the same as for other SEC disclosures, which requires the company to take into account both qualitative and quantitative factors. Further, all determinations of materiality must be made “without unreasonable delay.” This is an acknowledgement that the determination of materiality may take some time and that rushing to a conclusion could have adverse effects.
What disclosure is required? In the event that disclosure is triggered, the company must describe:
- the material aspects of the nature, scope, and timing of the incident; and
- the material impact or reasonably likely material impact on the company, including its financial condition and results of operations.
An instruction to new Item 1.05 clarifies that companies do not need to disclose specifics about the company’s planned response in such detail as would impede the company’s remediation of the incident.
Delays for National Security and Public Safety
A company may delay disclosure for up to 30 days if the U.S. Attorney General determines that disclosure poses a substantial risk to national security or public safety. A company may seek an extension for up to an additional 90 days depending on certain facts and circumstances.
Companies subject to the Federal Communications Commission’s (FCC) notification rule for breaches of customer proprietary network information (CPNI) may delay Form 8-K disclosure up to seven business days following notification to the U.S. Secret Service and the Federal Bureau of Investigation.
Risk Management, Strategy, and Governance Disclosure in Periodic Reports
New Item 106(b) of Regulation S-K requires companies to describe their policies and procedures (if any; companies are not required to have them) for assessing, identifying, and managing cybersecurity threats in a level of detail that allows a reasonable investor to understand such policies and procedures. Item 106(b) contains the following non-exhaustive list of disclosure items:
- Whether a company has a cybersecurity risk assessment program and, if so, a description of the program.
- Whether the company engages assessors, consultants, auditors, or other third parties in connection with any such processes.
- Whether the company has policies and procedures to oversee, identify, and mitigate cybersecurity risks associated with its use of third-party service providers.
Similar to the Form 8-K disclosure, a company must also disclose the material impact or reasonably likely material impact on the company, including its financial condition and results of operations.
New Item 106(c) of Regulation S-K requires disclosure of:
- Board Oversight. The board’s oversight of risks from cybersecurity threats and, if applicable:
  - any board committee or subcommittee responsible for such oversight; and
  - the processes by which the board or board committee is informed about such risks.
- Management’s Role. Management’s role in assessing and managing the company’s material risks. Item 106(c) includes the following non-exhaustive list of possible disclosures:
  - Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as is necessary to fully describe the nature of the expertise.
  - The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents.
  - Whether such persons or committees report information about such risks to the board of directors or a board committee or subcommittee.
Form 8-K. Companies must begin complying starting on December 18, 2023 (smaller reporting companies have an additional 180 days to begin complying).
Periodic Reporting. Companies must include the disclosures on risk management, strategy, and governance in annual reports for fiscal years ending on or after December 15, 2023.
What to Do Now
Assess and Test Current Procedures. Companies should assess and test existing procedures for responding to cybersecurity incidents and amend or otherwise implement changes in order to be prepared to include the new disclosures in their upcoming Annual Reports on Form 10-K.
Consider creating a Cyber Committee of the Board. There are now practical obligations to oversee a company’s cybersecurity risk. Consider creating a separate committee of the Board, with its own charter, to be responsible for administering that oversight. This would have the benefit of identifying a specific arm of the company as responsible, and would also likely resonate with stakeholders and institutional shareholders by demonstrating that the company is taking its obligations seriously.
This client alert was prepared by: