SEC adopts final rules on cybersecurity risk management, strategy, governance and incident disclosure
On July 26, 2023, the Securities and Exchange Commission (the SEC) adopted the much-anticipated final rules which will govern public companies’ cybersecurity disclosures and governance. Although the final rules largely track the proposed rules, including an obligation to report cybersecurity incidents on a current basis on Form 8-K, the final rules eliminate certain proposed disclosure requirements, including those that would have required (i) disclosure of the status of remediation efforts in current reports; (ii) inclusion of updates to past incidents in quarterly and annual reports; and (iii) disclosure of board-level cybersecurity expertise. Additionally, certain of the disclosure requirements are less prescriptive than originally proposed.
The new rules at a glance
- The new rules apply to all issuers, regardless of reporting status, including smaller reporting companies (SRCs), emerging growth companies (EGCs) and foreign private issuers (FPIs).
- Compliance dates:
  - Form 8-K and Form 6-K reporting obligation for disclosure of a material cybersecurity incident begins on December 18, 2023, or 90 days after publication of the rules in the Federal Register, whichever is later; SRCs will have an additional 180 days from the non-smaller reporting compliance date.
  - Cybersecurity risk management, strategy and governance disclosures in Forms 10-K and Forms 20-F are required in annual reports for the first fiscal year ending on or after December 15, 2023, for all registrants.
  - The new disclosures must be tagged in iXBRL, beginning one year after the initial compliance date for each respective disclosure.
- Current reporting on Form 8-K and Form 6-K:
  - Disclosure of a cybersecurity incident under new Item 1.05 of Form 8-K will be triggered within four business days of the determination by the registrant that the incident is “material,” which determination must be made “without unreasonable delay.”
  - If an 8-K filing is required, the registrant must disclose the material aspects of the nature, scope and timing of the incident, as well as its material impact (or reasonably likely material impact) on the registrant.
  - If any information was unknown or unavailable at the time of the initial 8-K filing, an amended current report must be filed within four business days of such information becoming known or available.
  - Untimely filing of an Item 1.05 Form 8-K will not impact a registrant’s Form S-3 eligibility.
  - Item 1.05 disclosures will be covered by the limited safe-harbor from liability under Section 10(b) and Rule 10b-5 under the Securities Exchange Act of 1934, as amended.
  - Form 6-K is being amended to require FPIs to furnish information on material cybersecurity incidents that they make public or otherwise disclose in a foreign jurisdiction to any stock exchange or to security holders.
- Annual reporting on Form 10-K or Form 20-F of a registrant’s cybersecurity risk management and governance:
  - Registrants are required to disclose their processes for assessing, identifying and managing material risks from cybersecurity threats, and whether any such risks have materially affected (or are reasonably likely to materially affect) the registrant.
  - Also required is a description of the oversight role of the registrant’s board of directors as it relates to cybersecurity, as well as management’s role and expertise in assessing and managing material risks from cybersecurity threats.
  - Disclosure under Item 106 of Regulation S-K will not be required for registration statements; however, registrants should consider the materiality of cybersecurity risks and incidents when preparing required disclosures in a registration statement.
  - The final rules will not require disclosure of the name(s) of directors with cybersecurity expertise.
In-depth look at the final rules
New Item 1.05 of Form 8-K
- New Form 8-K trigger. As noted above, pursuant to the new Form 8-K disclosure requirement, registrants must disclose cybersecurity incidents within four business days of determining that a cybersecurity incident is material. The Form 8-K must describe the material aspects of the nature, scope, and timing of the incident, as well as its material impact (or reasonably likely material impact) on the registrant. In a notable departure from the proposed rules, the SEC did not adopt a requirement to disclose the status of remediation or whether data was compromised.
- A “cybersecurity incident” is defined as “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”
- New Item 1.05 provides for two limited exceptions for when disclosure can be delayed:
  - Up to 30 days (with the possibility of further delays) if the United States Attorney General determines that disclosure would pose substantial risk to national security or public safety and notifies the SEC of such determination in writing; and
  - No more than seven days after the registrant notifies the SEC through “Correspondence” submitted on EDGAR regarding compliance with the Federal Communications Commission’s notification requirements for breaches of customer proprietary network information (CPNI). It is worth noting that the SEC, with the exception of CPNI, did not find any conflict-of-laws concerns with other federal laws and regulations.
- New Form 8-K/A trigger. Instruction 2 to Item 1.05 will require registrants to file an amendment to the initial 8-K to provide any information that was undetermined or unavailable at the time of the initial 8-K filing. The Form 8-K/A must be filed within four business days of when the information is determined (without unreasonable delay) or becomes available.
- This is a departure from the proposed rules, which would have required quarterly and annual disclosures in Forms 10-Q and Form 10-K of any material changes and additions to the disclosure of a cybersecurity incident initially reported on Form 8-K. The change will require registrants to remain vigilant during the incident response to the determination or availability of previously undisclosed information and to file timely amended 8-Ks.
- The SEC did not expressly adopt a requirement to amend the initial 8-K filing if disclosure becomes inaccurate or materially misleading as a result of subsequent developments regarding the incident. However, the adopting release reminds registrants that they may nevertheless have a “duty to correct” information that was untrue when made (eg, contrary information existed at the time of the initial 8-K but was only discovered subsequently) or a “duty to update” information that becomes materially inaccurate after it is made (eg, subsequent events after the initial 8-K that cause the disclosure to become inaccurate).
Form 10-K disclosure
New Item 106 of Regulation S-K
Item 106(b) - risk management and strategy
Registrants will be required to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, and whether and how any such risks have materially affected or are reasonably likely to materially affect them, their business strategy, results of operations, or financial condition.
- The final rules define a “cybersecurity threat” as “any potential unauthorized occurrence on or conducted through a registrant’s information systems that may result in adverse effects on the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”
- The final rules do not require disclosure of “policies and procedures” for assessing, identifying and managing material risks, as previously proposed, but rather of a registrant’s “processes” for doing so. Regardless of whether a registrant has established such policies and procedures, it must ensure that it has in place a set of controls and procedures (including disclosure controls and procedures) to enable it to manage such material risks and properly document those controls to ensure consistency of approach throughout the enterprise.
- Potential disclosure items include, without limitation: the integration of such processes into the registrant’s overall risk management system; whether the registrant engages consultants, auditors or other third parties in connection with any processes; and whether the registrant has processes to monitor and identify cybersecurity threats in connection with the use of third-party providers.
This new requirement encompasses disclosure about a registrant’s processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party services. While registrants may already have information security policies/procedures and an incident response plan, registrants also should consider evaluating the processes they currently have in place to govern third-party risks and escalation.
Item 106(c) - governance
Registrants will now have to describe the board’s oversight of material risks from cybersecurity threats and management’s role and expertise in assessing and managing such risks.
- In a change from the proposed rules, the new rules will not require disclosure of the name(s) of directors with cybersecurity expertise (including a description of the nature of their expertise) or require a registrant to disclose if it has a chief information security officer. However, in describing management’s role, the final rules include disclosure of the relevant expertise of members of management who are responsible for assessment and management of the risks. Examples of relevant expertise of management in Instruction 2 to Item 106(c) include prior work experience, relevant degrees or certificates, and any knowledge, skills or other background in cybersecurity.
- The new disclosure requirement related to the processes by which the board is informed about cybersecurity threats and the frequency of discussion on cybersecurity may necessitate the implementation of new communication processes and cadences.
- Registrants will be required to disclose how the board or board committee considers cybersecurity risks as part of the registrant’s business strategy, risk management and financial oversight. Registrants may need to re-assess their business processes, information systems resiliency and other relevant factors, so that boards and management are not relying on intuitive understandings of the registrant’s business and cybersecurity threats but instead undertake a proper assessment of the critical business functions, ensuring that the board is properly fulfilling its cybersecurity oversight responsibilities.
- This disclosure is in “Part I” of the Form 10-K, so it cannot be deferred to the proxy statement.
Foreign private issuers (FPIs)
The final rules require FPIs to make comparable disclosures on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy and governance.
Form 6-K is being amended to require FPIs to furnish information on material cybersecurity incidents that they make public or otherwise disclose in a foreign jurisdiction to any stock exchange or to security holders. The effective date for compliance is the same as for Form 8-Ks.
Form 20-F is being amended to require FPIs to make annual disclosure comparable to that summarized above for domestic filers on Form 10-K. The effective date for compliance is the same as for Form 10-Ks. The Inline XBRL tagging requirement also applies to FPIs on Forms 6-K and 20-F, with the same one-year phase-in period.
The new rules do not apply to filers under the Multi-Jurisdictional Disclosure System.
Practical considerations and key takeaways
With compliance for current reporting of material cybersecurity incidents beginning in the fourth calendar quarter of 2023, and annual reporting of risk management, strategy and governance for calendar year companies beginning with annual reports to be filed in early 2024, there are a number of potentially significant implications and challenges for public companies, including:
Registrants need to understand what constitutes a “cybersecurity incident” and determine whether cybersecurity incidents are “related” and whether unauthorized occurrences “jeopardize” a registrant’s systems and information. The scope of the definition of a cybersecurity incident is broad and ambiguous, and the SEC made clear that it is to be broadly construed. Registrants may consider whether the definitions currently used in incident response and escalation policies and in board and management reporting are aligned with the definition in the final rules.
The final rules replace the proposed concept of “aggregation” of individually immaterial incidents with the “series of related unauthorized occurrences” language in the final definition. The relation of occurrences may be difficult to assess, particularly if a threat actor is sophisticated. The requisite processes may not be included within a registrant’s existing incident response and escalation processes and/or policies, so registrants may wish to review their existing processes and/or policies to ensure compliance with the new requirement.
Additionally, there can be ambiguity as to when an occurrence materially “jeopardizes” the confidentiality, integrity or availability of a registrant’s information systems or information. Many registrants experience numerous cybersecurity incidents on a daily or near-daily basis. Materiality assessments of these incidents are typically rooted in an evaluation of the probability and magnitude of their harm, so whether the jeopardy created by an occurrence is material will vary across registrants and may necessitate difficult judgments and balancing of interests. Registrants may find it difficult, if not impossible, to prove compliance if the jeopardy of an incident is assessed to be immaterial but later results in material harm.
Examples given in the adopting release involved occurrences in which actual harm may be delayed, but registrants would be able to assess the materiality before the harm occurs, and where the jeopardy caused by the incident materially affects the registrant, even if the incident has not yet caused actual harm. Registrants may be forced to make some tough judgment calls during their assessments of both whether an incident falls within the definition of cybersecurity incident and whether it is material.
Determining the materiality of a cybersecurity incident without unreasonable delay will be key to ensuring timely reporting on Form 8-K. In response to comments received, the SEC is requiring registrants to make materiality determinations “without unreasonable delay” as opposed to “as soon as reasonably practicable” to alleviate concerns that the proposed language would have required premature disclosures. However, the SEC cautioned registrants that they may not unreasonably delay their determinations in an effort to avoid timely disclosure. The adopting release notes that a registrant can demonstrate good faith compliance if it adheres to normal internal policies and disclosure controls and procedures.
- Materiality determinations are based on both quantitative and qualitative factors. Under the qualitative factors, assessing a registrant’s reputation, customer or vendor relationships or a registrant’s competitive position in the industry, may prove to be difficult when a cybersecurity incident occurs. The SEC also expects registrants to consider the possibility of litigation or regulatory investigations or actions, including by non-US authorities, as part of the materiality determination.
- Registrants may start developing criteria on how to assess the materiality of qualitative factors. Moreover, registrants should consider reviewing their internal controls and procedures (including disclosure controls and procedures) to ensure that they enable timely materiality determinations through proper documentation. The execution of such controls and procedures may be required throughout the duration and investigation of an incident.
Understanding the resiliency of their environment will assist registrants in managing cybersecurity threats and in identifying the fundamental business processes that, if compromised, could impact the registrant and the business in a material way.
Updating previously disclosed cybersecurity incidents on Form 8-K/A will require close and real-time communications across incident response teams. Information that was unknown or unavailable at the time of the initial 8-K filing will be required to be disclosed on an 8-K/A. Information availability during an incident response can be very fluid. Often, there are a number of internal and external parties involved with the incident response process, with numerous workstreams. Further, these investigations, particularly those involving a sophisticated threat actor, often involve proving, disproving and/or probability-weighting various hypotheses with limited or incomplete data. Determining when information is actually “available” could require difficult assessments and, in some cases, a degree of guesswork.
Nevertheless, registrants will continue to be subject to the “without unreasonable delay” standard and will only have four business days to file an 8-K/A once information becomes available. Making such determinations will require constant vigilance and significant coordination across incident response teams. Acknowledging the enormous pressure on registrants to address cybersecurity incidents across all impacted public and private stakeholders, registrants will also need to consider the new rules in their incident response staffing, workstreams and communications.
The new rules may translate into heightened enforcement risk. In light of the SEC’s heightened enforcement agenda, registrants are encouraged to re-evaluate their controls and procedures (including their disclosure controls and procedures) to ensure that they are designed to capture requisite information and provide for timely assessments, determinations and filings.
The SEC has brought a number of enforcement cases alleging that registrants had ineffective disclosure controls and procedures, for example, as a result of slow or insufficient escalation of cybersecurity incidents, and/or delayed public disclosure, and that registrants’ ultimate disclosures contained material omissions that made their public statements materially misleading. Registrants are cautioned that with the new rules, the SEC now has additional bases for bringing enforcement actions.
Assessing and managing third-party risk becomes more vital under the new disclosure regime. The adopting release emphasized that registrants should disclose information related to third-party systems, even though there is no explicit requirement that registrants conduct “additional inquiries” to comply with the new rules. However, in reality, registrants do not operate, and disclosure decisions are not made, in a vacuum and registrants should always weigh the risk of a material omission in their disclosure determinations. Many registrants rely on a large number of vendors, so mitigating the risk of a vendor incident by exercising effective vendor risk management and diligence is of greater importance. Of note, contractual obligations and other rights, such as state privacy laws, may allow for audits and related actions with third parties, and registrants may have to consider whether to exercise such rights in connection with an incident. Registrants should consider whether additional third-party vendor contractual provisions are necessary.
New annual disclosure of cybersecurity risk governance under the final rules cannot be deferred to the proxy statement. Many registrants have already disclosed in their proxy statements that cybersecurity oversight is a responsibility of the full board or one or more of its committees. Item 407(h) of Regulation S-K requires disclosure of board leadership structure and role in risk oversight, which is typically incorporated by reference to a registrant’s proxy statement disclosures. The SEC noted that the disclosures in registrants’ proxy statements and the new cybersecurity disclosures serve distinct purposes, as the new rules require detail on board oversight of cybersecurity risk specifically, not risk oversight generally. Therefore, the new disclosures under Item 106 of Regulation S-K are included in Part I of Form 10-K and cannot be deferred to the proxy statement. The SEC noted that to the extent there is duplicative disclosure, the information may be incorporated by reference. Given investors’ increasing desire to have all relevant information in a single document, particularly when it comes to proxy disclosures, incorporation by reference may not be widely used. Therefore, it will be important to ensure consistency between the 10-K and the proxy statement.
For more information on the final rules or how registrants can prepare for compliance, please contact any of the authors of this article or your DLA Piper relationship attorney.