Updates to Form 10-K for fiscal year 2023: Early filer cybersecurity disclosure trends
The Securities and Exchange Commission’s final rules on cybersecurity risk management, strategy, governance, and incident disclosure, released in July 2023, contain new disclosure requirements which take effect with the first annual reports for fiscal years ending on or after December 15, 2023. This alert discusses general considerations for the Annual Report on Form 10-K and early filer trends related to these new requirements.
Under the new cybersecurity rules, public companies must describe in Part I, Item 1C of Form 10-K the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats. The disclosure should be in sufficient detail to enable a reasonable investor to comprehend the processes involved.
Additional cybersecurity-related items calendar year-end registrants should address in their Form 10-K for fiscal year 2023 include, but are not limited to:
- Whether and how any disclosed processes have been integrated into the company’s overall risk management system or processes and whether any such risks have materially affected (or are reasonably likely to materially affect) the registrant
- A description of the oversight role of the board of directors as it relates to cybersecurity, as well as management’s role and expertise in assessing and managing material risks from cybersecurity threats
- How the board or applicable board committee considers cybersecurity risks as part of the registrant’s business strategy, risk management and financial oversight.
For a detailed summary of the new cybersecurity disclosure requirements, see our prior DLA Piper Alert.
For guidance on cybersecurity governance, disclosure controls and procedures, and other cybersecurity matters, please see the following:
- Our white paper “Putting governance and risk in context and reducing personal liability for the cyber and privacy professional”
- Our Privacy Matters blog, and in particular our post “New SEC cyber rules – a deep dive into cybersecurity processes to support accurate and complete disclosures”
Early Filer trends
The first wave of registrants complying with the SEC’s new cybersecurity rule have begun filing Form 10-Ks with new Item 1C. As of February 8, 2024, 111 companies have filed, 87 of which are Russell 3000 companies.
A recent study by DLA Piper Corporate Data Analytics of Item 1C disclosures filed by Russell 3000 companies as of January 31, 2024 found:
- 85 percent of registrants disclosed that the company has a Chief Information Security Officer (CISO) or other role responsible for information security.
- 62 percent of registrants disclosed a CISO or similar role focused solely on information security.
- 23 percent disclosed a Vice President, Chief Technology Officer, or other employee with responsibility over information security and other technology-related matters.
- 69 percent of registrants discussed conducting employee training regarding cybersecurity as well as conducting internal tests or simulations.
- While no registrants discussed a specific cyber incident in Item 1C disclosures, 69 percent discussed past breaches generally and 62 percent discussed past threats generally.
In addition to the registrants who have disclosed new Item 1C, some registrants with fiscal year ends prior to December 15, 2023 have been voluntarily including cybersecurity-related disclosures in their recently filed Form 10-Ks. Generally, such registrants have included information related to individuals who manage the registrant’s security program and who provide periodic reports to the board of directors, CEO, and other senior management.
For example, filers in the technology sector have disclosed that:
- IT teams regularly monitor and generate reports regarding cyber risks and threats, the status of projects to strengthen information security systems, assessments of information security programs, the emerging threat landscape, and related matters
- Such cybersecurity-related reports are provided to the Chief Information Security Officer
- Overall cyber programs are regularly evaluated by internal and external experts
- The company conducts engagement with key vendors, industry participants, and intelligence and law enforcement communities as part of continuing efforts to evaluate and enhance the effectiveness of its information security policies and procedures
- The company maintains internal procedures, such as establishing a confidentiality framework, adhering to document management regulations, and all-employee confidentiality agreement requirements
Risk factors
In addition to new Item 106(b) requiring disclosure of a registrant’s cybersecurity risk management and strategy and new Item 106(c) requiring disclosure of a registrant’s cybersecurity governance, registrants should consider whether they are aware of any risks from cybersecurity threats that are reasonably likely to materially affect the registrant, its business strategy, results of operations or financial condition, and, if so, how.
A recent study by DLA Piper Corporate Data Analytics of Form 10-Ks filed by Russell 3000 companies from August 1, 2023 to January 31, 2024 (Early Filers) found that the vast majority of these Early Filers – 91 percent – referenced cybersecurity in their risk factors. The below chart details the prevalence of some common elements of these risk factors.
|
Type of risk |
Percentage of Early Filers discussing risk |
|
Risks related to a specific cybersecurity incident |
16%
|
|
Company experiences frequent, ongoing and/or increasing number of cyber attacks |
17% |
|
Mentions specific risk of supply chain or third-party attacks |
17% |
|
Mentions general risk of supply chain or third-party attacks |
85% |
Please see our DLA Piper alert for recent trends in other risk factors for fiscal year 2023 Form 10-Ks.
Crafting disclosures with litigation in mind
Due to the nebulous interpretation of what may be deemed “material,” public companies should anticipate amplified scrutiny from the SEC regarding when and how a company determines that it experienced a material cybersecurity incident. Companies should brace for a heightened possibility of investigations, allegations of fraud, and litigation surrounding management’s level of expertise, insider trading, and the status of a company’s cyber policies.
Using a methodical process and maintaining a detailed account of what information was known and considered by the company will be crucial. Given the complexities and pressure surrounding these issues, companies should consider reviewing their internal controls, educating employees, the board and management on their responsibilities, and ensure accurate disclosure in anticipation of potential scrutiny, regulatory enforcement actions and litigation related to cybersecurity.
Considerations for Form 10-K drafting
The new rules require cybersecurity disclosures to appear in a newly designated item, Item 1C, in Part I of the annual report on Form 10-K and do not allow the disclosures to be incorporated from the proxy statement.
As registrants reevaluate their risk factors and other disclosures when drafting new discussions on cybersecurity risk management, strategy, and oversight, it is important to consider an appropriate alignment with previous public statements relating to cybersecurity management and procedures, including those made in prior proxy statements or prior disclosure regarding specific incidents, with the new required disclosures.
Additionally, consideration should be given to how these disclosures may be amended or enhanced moving forward. Proactive management of cybersecurity risks and disclosure controls and procedures assist in ensuring that such activities are consistently and accurately reported to shareholders.
Return to our full set of alerts on key considerations for the fiscal year 2023 annual reporting season. For more information on the final rules or how registrants can prepare for compliance, please contact any of the authors of this article or your DLA Piper relationship attorney.
