New York, N.Y. (August 3, 2023) - The Securities and Exchange Commission ("SEC") recently adopted new Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules ("Final Amendments") for publicly traded companies. From a cybersecurity reporting standpoint, these rules require public companies to: (1) report material cybersecurity incidents within four business days of discovery; and (2) annually disclose their cybersecurity risk management, strategy, and governance processes. The rules go into effect 30 days after publication in the Federal Register, which typically occurs within 45 days after a rule is finalized.

What Is the Purpose of the SEC's Reporting Rules?

The SEC made it explicitly clear in its commentary that the intention of the Final Amendments is to protect investors from the financial impact of cybersecurity incidents. The SEC noted that the number and severity of cybersecurity incidents are on the rise, and that these incidents can have a significant impact on a company's financial performance. To that end, the Final Amendments serve to fill a gap in reporting where a cybersecurity incident may not otherwise be a reportable event (e.g., an event not resulting in the unauthorized access to/acquisition of personal information). For example, a ransomware or DDoS attack may not always require a notification to a company's employees, customers, or patients, but such attacks could still significantly affect a public company's operations and bottom line.

What Must a Public Company Do If It Experiences A Material Cybersecurity Incident?

The Final Amendments require that a public company file a Form 8-K under Item 1.05 disclosing any material cybersecurity incident. A cybersecurity incident is defined as "an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a [public company's] information systems or any information residing therein." The term "information systems" includes both physical and virtual electronic information resources "owned or used" by the company. A cybersecurity incident is "material" when it results in the unauthorized access to, use of, or disclosure of confidential information; the destruction, loss, or alteration of the public company's information systems or data; or a significant disruption of the public company's business operations. Determining whether a cybersecurity incident is "material" is, however, a fact-specific inquiry and must be made without unreasonable delay.

The Form 8-K disclosure should include the following information:

  • The nature and scope of the incident
  • The timing of the incident
  • The impact of the incident on the company's operations and financial performance
  • The steps the company has taken to mitigate the impact of the incident

This disclosure must be made within four business days of determining that an incident was material.

What Must a Public Company Do to Satisfy Its Annual Disclosure Requirements?

The Final Amendments also add a new item to SEC Regulation S-K, namely Item 106(b)(1). Generally speaking, Regulation S-K provides the standard instructions for forms filed under the Securities Act, governing the qualitative disclosure of material developments, assets, and other aspects of a company in registration statements and periodic reports.

Regulation S-K Item 106(b)(1) requires a description of a company's "processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes." This information is meant to help investors assess a company's overall cybersecurity posture and determine whether the company is taking appropriate steps to protect its data and systems.

All public companies are required to include the Regulation S-K Item 106 disclosure beginning with annual reports for fiscal years ending on or after December 15, 2023.

Recommendations for Public Companies

The new SEC rules represent a significant change in the way that public companies are required to report cybersecurity incidents. Public companies should therefore take the following steps to prepare for compliance with the new rules:

  • Review your cybersecurity policies and procedures. These policies and procedures should be designed to identify, assess, and mitigate cybersecurity risks, both in general and as they apply specifically to your company.
  • Develop an Incident Response Plan ("IRP"). Most regulators, including the SEC, consider an IRP a foundational part of cybersecurity risk mitigation. An IRP should include steps for containing the incident, notifying affected parties, and restoring your systems.
  • Test your IRP. Because public companies are held to a much higher standard, the IRP must actually work in practice. Conduct facilitated breach simulations to test your IRP, update it as needed, and document each of those updates.
  • Track your cybersecurity incidents. Keep a record, through trusted breach counsel, of all cybersecurity incidents, whether or not they are material. This will assist not only with the annual disclosures but also with the new data protection regulations that are forthcoming.

By taking these steps, public companies can work towards compliance with the new SEC rules and ensure that they are taking appropriate steps to protect their data and systems.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.