On July 26, 2023, the SEC finalized long-awaited disclosure rules (the "Final Rules") regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. While the end results are substantially similar to rules proposed by the SEC in March 2022, there are some key distinctions.
The top five takeaways are:
- Disclosure of Cybersecurity Incidents within 4 Days of
Materiality Determination. Public companies must now
disclose in their Form 8-K Item 1.05 filings "any
cybersecurity incident that they experience that is determined to
be material" and describe "material aspects" of the
reported incident, including a description of its nature, scope,
timing, and impact on the company, within four business
days of determining a cybersecurity incident is
material.
Recognizing that a materiality determination necessitates an informed and deliberate process, the Final Rules do, however, impose that such a determination needs to be done "without unreasonable delay." Such materiality analysis should be "consistent with the standard set out in the cases addressing materiality in the securities laws, that information is material if 'there is a substantial likelihood that a reasonable shareholder would consider it important' in making an investment decision, or if it would have 'significantly altered the 'total mix' of information made available.'" See Final Rules at 80.
Per the SEC, "adhering to normal internal practices and disclosure controls and procedures will suffice to demonstrate good faith compliance." See Final Rules at 38. Thus, public company officers and directors should assess existing disclosure controls and procedures to ensure information about cybersecurity incidents are properly escalated, as appropriate, to management, the board, and any board committees with oversight of cybersecurity, and to ensure they are capturing what the Final Rules require. Companies should ensure they have appropriate internal and outside experts and advisors to assist in making a materiality determination regarding a particular cybersecurity incident.
- Board Expertise Requirement Removed. Following
substantial comments, the SEC declined to adopt in the Final Rules
a proposed requirement for disclosure of cybersecurity expertise,
if any, for a company's board of directors. See Final
Rule at 81. Among the comments opposing this proposed requirement
were those noting a shortage of cybersecurity expertise in the
marketplace, which would make this requirement difficult to
fulfill. Final Rules at 83.
However, pursuant to Regulation S-K Item 106(b), public companies must now describe annually in their Form 10-K the board's oversight of risks arising from cybersecurity threats, as well as management's role in assessing and managing such material risks. See Final Rule at 171. Accordingly, public companies would be well advised to consider retaining outside experts, including cybersecurity counsel, to help train directors in cybersecurity matters, including on incident response, with periodic refresher trainings, to ensure appropriate oversight of cybersecurity risks and developments. And while the SEC did not adopt the board expertise disclosure requirement, the Final Rules now require disclosure of the cybersecurity expertise for those members of management responsible for assessing and managing cybersecurity risks. Id.
- Companies Must Disclose "Processes," But No
Requirement to Disclose Cybersecurity Procedures. Pursuant
to Item 106(b) of Regulation S-K, public companies must now
describe annually in their Form 10-K their processes, if any, for
"assessing, identifying, and managing material risks from
cybersecurity threats in sufficient detail for a reasonable
investor to understand those processes" and must also describe
if the risks "have materially affected or are reasonably
likely to materially affect" the company, "including its
business strategy, results of operations, or financial condition
and if so, how." See Final Rules at 170–71. The
SEC declined to adopt a requirement in the Proposed Rules mandating
the disclosure of cybersecurity "policies and
procedures," thereby avoiding potential public disclosure of
information that threat actors could then leverage to attack
companies' cybersecurity defenses.
On this point, SEC Commissioner Hester Peirce voiced concern that compliance with the Final Rules could increase the future risk of cyberattacks on companies. Commissioner Peirce pointed out that the "strategy and governance disclosures risk handing [cyber criminals] a roadmap on which companies to target and how to attack them." She argued that compliance with the Final Rules could do more harm than good because maintaining compliance with the Final Rules, while at the same time describing cyberattacks without revealing incident response procedures, security controls, or being too descriptive about a company's network architecture, may be a difficult balance to maintain. - National Security Delay Exception Carries the
Day. The Final Rules provide a national security exception
to the timing of a Form 8-K disclosure of a material cybersecurity
incident. Specifically, if the U.S. Attorney General determines
that such a disclosure "poses a substantial risk to national
security or public safety," companies may delay providing the
Form 8-K disclosure until such period determined by the Attorney
General, up to 30 days, which can be extended for additional 30
days if the Attorney General determines that disclosure would pose
continuing risk. See Final Rules at 184. This disclosure
can be further delayed by the Attorney General in
"extraordinary circumstances." This national security
delay exception appears to be in response to comments about how a
delayed disclosure when there is an ongoing law enforcement
investigation may not only facilitate the investigation but may be
key to its success. See Final Rules at 22-23.
- Private Companies. Although the SEC's Final Rules apply only to companies with securities registered with the SEC, the concepts captured by the Final Rules may be helpful for all companies, particularly when it comes to board oversight, management's cybersecurity expertise, a company's understanding of cybersecurity risks, and incident response. Moreover, as private companies consider strategic exits, including potential public offerings, the SEC's Final Rules may be considered as part of IPO readiness.
Effective Dates
With certain exceptions, the Final Rules will become effective 30 days after the date of publication in the Federal Register. For companies that file their Form 10-K or Form 20-F annual reports on or after December 15, 2023, those filings must comply with Final Rules. For registrants other than smaller reporting companies, Form 8-K disclosures (in which material cybersecurity incident-based reporting must be made) and Form 6-K disclosures (for foreign private issuers who disclose material cybersecurity incidents in a foreign jurisdiction, to any stock exchange, or to security holders) will be required beginning December 18, 2023 or 90 days after the date of publication of the Final Rules in the Federal Register, whichever is later. Smaller reporting companies will have an extra 180 days to comply.
Conclusion
The SEC's publication of these cybersecurity rules is yet another data point demonstrating that the U.S. government's focus on cybersecurity regulation and enforcement is trending toward increased accountability, with an increasingly "stick"-like approach.
Public companies, officers, directors, and chief information security officers would need to assess existing cybersecurity and disclosure controls and procedures, and work with cybersecurity and disclosure counsel to prepare for this new reporting and disclosure regime.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.