SEC Adopts Cybersecurity Disclosure Rules for Public Companies

Wilson Sonsini Goodrich & Rosati

On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) approved final rules requiring that public companies report material cybersecurity incidents as well as disclose their cybersecurity risk management, strategy, and governance. In adopting the final rules, the SEC noted that disclosure practices under existing guidance[1] varied and that trends related to the economy’s dependence on electronic systems and the increasing prevalence of cyber incidents, as well as increasing costs and consequences of incidents, underpin investors’ and other market participants’ need for more timely, reliable, and comparable information. The final rules will be effective 30 days after publication in the Federal Register, with a transition period for compliance (as described below). This client alert summarizes the final rules and provides guidance about what companies should be doing now to get ready.

The Final Rules at a Glance

Disclosure of Material Cybersecurity Incidents

Current Reporting
Item 1.05 of Form 8-K

Disclose information relating to a material cybersecurity incident within four business days after the company determines that the incident is material, including 1) a description of the material aspects of the nature, scope, and timing of the incident, and 2) the material impact or reasonably likely material impact on the company, including its financial condition and results of operation.

  • It requires the determination of materiality of an incident without unreasonable delay following discovery.
  • It requires an amendment to the original Form 8-K for any information required to be disclosed under Item 1.05 that was not able to be determined or was unavailable at the time of the original filing.
  • The definition for “cybersecurity incident,” set forth in Item 106(a) of Reg. S-K, is amended to include “a series of related unauthorized occurrences.”
  • It allows for a delay in reporting in two limited circumstances; the more generally applicable circumstance is if the U.S. Attorney General determines disclosure would pose a substantial risk to national security or public safety and provides written notice to the SEC.

Disclosure of Risk Management, Strategy, and Governance Regarding Cybersecurity Risks

Annual Reporting - Risk Management and Strategy
Item 106(b) of Reg. S-K

In Form 10-K, describe:

  • the company’s processes, if any, to assess, identify, and manage material risks from cybersecurity threats (including, for example, whether the company engages third-party assessors, consultants, or auditors in connection with those processes), and
  • whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the company, and if so, how.

Annual Reporting - Governance
Item 106(c) of Reg. S-K

In Form 10-K, describe:

  • the board of directors’ oversight of risks from cybersecurity threats, and
  • management’s role in assessing and managing the company’s material risks from cybersecurity threats.

Foreign Private Issuers (FPIs)

Material Cybersecurity Incidents; Disclosure of Risk Management, Strategy, and Governance
Form 6-K
Item 16K of Form 20-F

Amends Form 6-K to include “material cybersecurity incidents” in the list of reporting topics that may require disclosure.

Amends Form 20-F to require disclosure of information comparable to the information required under Item 106 of Reg. S-K (applies only to annual reports, not registration statements on Form 20-F).

Disclosure of Material Cybersecurity Incidents

The final rules amend Form 8-K to add new Item 1.05, which requires disclosure of material cybersecurity incidents within four business days after the company determines the incident to be material.

Disclosure Required Under Item 1.05

The disclosure required under new Item 1.05 is narrower than in the proposed rules. Among other things, the final rules do not require disclosure of whether the incident is ongoing, whether data were compromised, or the status of a company’s remediation efforts. The final rules are focused “primarily on the impacts of a material cybersecurity incident, rather than on requiring details regarding the incident itself.” Specifically, the final rules require:

  • a description of the material aspects of the nature, scope, and timing of the incident, and
  • a description of the material impact or reasonably likely material impact on the company, including its financial condition and results of operations.

Instruction 4 to Item 1.05 specifies that the rule does not require disclosure of “specific or technical information about [a company’s] planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.”

Finally, while only “financial condition” and “results of operations” are listed in terms of the “material impacts” contemplated by Item 1.05, the adopting release emphasized the SEC’s view that “companies should consider qualitative factors alongside quantitative factors in assessing the material impact of an incident[,]” and noted that such factors could include, for example, “harm to a company’s reputation, customer or vendor relationships, or competitiveness” or “the possibility of litigation or regulatory investigations or actions[.]”

Materiality Determinations and Filing Deadlines; Amendments to Form 8-K

Instruction 1 to Item 1.05 specifies that a company’s “materiality determination regarding a cybersecurity incident must be made without unreasonable delay after discovery of the incident.” This requirement is significant, but less demanding than the formulation under the proposed rules of “as soon as reasonably practicable after discovery of the incident.”

In adopting this formulation, the SEC stated that “though the determination need not be rushed prematurely, it also cannot be unreasonably delayed in an effort to avoid timely disclosure.” To further highlight this point, the SEC provided examples that may constitute an unreasonable delay. For example, if a board committee will make the materiality determination, intentionally deferring the committee’s meeting on the materiality determination past the normal time it takes to convene its members would constitute unreasonable delay. As another example, the SEC noted that it would constitute an unreasonable delay “if a company were to revise existing incident response policies and procedures in order to support a delayed materiality determination for a delayed disclosure of an ongoing cybersecurity event, such as by extending the incident severity assessment deadlines, changing the criteria that would require reporting an incident to management or committees with responsibility for public disclosures, or introducing other steps to delay the determination or disclosure[.]”

The report of a material cybersecurity incident under Item 1.05 must be filed within four business days from the date of the determination of materiality. Understanding that companies may not have all relevant information required to be disclosed under Item 1.05 at the time the disclosure is required, the final rules add new Instruction 2 to Item 1.05 of Form 8-K. In cases where certain information required under Item 1.05 is not determined or is unavailable at the time of the original Form 8-K filing, Instruction 2 directs companies to include a statement in the original filing to that effect and to then file an amendment to the original Form 8-K filing under Item 1.05 containing such information within four business days after the company, without unreasonable delay, determines such information or after such information becomes available, as applicable. Unlike the proposed rules, the final rules require an amendment to the Form 8-K rather than updates in periodic filings, and the final rules “do not require updated reporting for all new information.” Rather, the final rules only require updating for information that is required to be disclosed under Item 1.05 of Form 8-K and is not yet determined or is not available at the time of the original filing.

Definition of Materiality

Consistent with other disclosure requirements under the securities laws, the determination as to whether a cybersecurity incident is reportable on Form 8-K depends on whether it is material. The definition of materiality is based on case law and is the same as it is for other securities law purposes; that is, “[i]nformation is material if ‘there is a substantial likelihood that a reasonable shareholder would consider it important’ in making an investment, or if it would have ‘significantly altered the ‘total mix’ of information made available.’”[2]

Form S-3 Eligibility and Safe Harbor from Liability

Consistent with the proposed rules, the final rules provide that a failure to timely file an Item 1.05 Form 8-K will not result in a company’s loss of Form S-3 eligibility. In addition, the final rules include new Item 1.05 as one of the items eligible for a limited safe harbor from liability under Section 10(b) or Rule 10b5-1 under the Securities Exchange Act of 1934 (Exchange Act), i.e., a failure to file a Form 8-K that is required solely by Item 1.05 will not “be deemed a violation” of Section 10(b) or Rule 10b5-1 under the Exchange Act.

Effect of Ongoing Investigations; Limited Permissible Delays in Reporting

New Item 1.05 does not allow for a delay in reporting a material cybersecurity incident in the case of an ongoing internal or external investigation, including law enforcement investigations, subject to two limited exceptions. This is the case even if state law permits the company to delay providing public notice about the incident.

In a change from the proposed rules, the final rules allow for a delay in filing an Item 1.05 Form 8-K if disclosure poses a substantial risk to national security or public safety. A company could delay filing if:

  • The U.S. Attorney General determines that the disclosure poses a substantial risk to national security or public safety and notifies the SEC of such determination in writing. The Attorney General would determine the time period of the delay, which could be up to 30 days following the date disclosure is otherwise required to be made under Item 1.05.
  • The delay may be extended in the following circumstances:
    • for an additional period of up to 30 days if disclosure continues to pose a substantial risk to national security or public safety, and
    • in extraordinary circumstances, for an additional period of up to 60 days (for a total of 120 days), if disclosure continues to pose a substantial risk to national security.

In each case of an initial delay or an extension, the U.S. Attorney General would make the determination that disclosure poses a substantial risk to national security or public safety and notify the SEC. If the U.S. Attorney General determines that any additional delay is necessary beyond the up to 120 days contemplated in the provision, the SEC will consider such requests and may grant relief through an exemptive order.[3]

Given the communications that would be required between the U.S. Attorney General and the SEC, the SEC stated that it has “consulted with the Department of Justice to establish an interagency communication process to allow for the Attorney General’s determination to be communicated to the Commission in a timely manner. The Department of Justice will notify the affected registrant that communication to the Commission has been made, so that the registrant may delay filing its Form 8-K.”

In addition, while the SEC discusses a variety of breach notification laws in the adopting release, it noted that it had identified only one conflict with its final rules—the Federal Communications Commission’s (FCC’s) notification rule for breaches of customer proprietary network information. For those public companies subject to this FCC rule, the SEC added new Item 1.05(d), which allows those companies to delay their Form 8-K filing for up to seven business days following notification to the U.S. Secret Service and the Federal Bureau of Investigation, so long as the company notifies the SEC in correspondence submitted via EDGAR no later than the date when the disclosure would otherwise be required under Item 1.05.

Aggregated Immaterial Incidents That Become Material; Definition of “Cybersecurity Incident”

The proposed rules would have required a company to disclose in its periodic filings a series of previously undisclosed and individually immaterial cybersecurity incidents once they become material in the aggregate. The final rules did not include that requirement. However, the final rules broaden the definition of “cybersecurity incident” to include “a series of related unauthorized occurrences.” The complete definition now reads as follows: “cybersecurity incident means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”

Accordingly, for purposes of current reporting of material cybersecurity incidents, the SEC stated that “when a company finds that it has been materially affected by what may appear as a series of related cyber intrusions, Item 1.05 may be triggered even if the material impact or reasonably likely material impact could be parceled among the multiple intrusions to render each by itself immaterial.”

Disclosure of Risk Management, Strategy, and Governance Regarding Cybersecurity Risks

The final rules require annual disclosure of information relating to cybersecurity risk management and strategy, and cybersecurity governance, in Forms 10-K.[4] These disclosure requirements are included in new Item 106 of Reg. S-K.

Cybersecurity Risk Management and Strategy

New Item 106(b) of Reg. S-K requires a description of the company’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. This disclosure should include, as applicable, the following nonexclusive list of disclosure items:

  • whether and how any such processes have been integrated into the company’s overall risk management system or processes;
  • whether the company engages assessors, consultants, auditors, or other third parties in connection with any such processes (however, disclosure of names of these third parties, or a description of the services provided by these third parties, is not required); and
  • whether the company has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.

In addition, the disclosure should include a discussion of whether any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition and, if so, how. In a change from the proposed rules, the SEC added a materiality qualifier to this requirement in the final rules.

In another change from the proposed rules, the final rules focus on processes rather than policies and procedures and narrow the disclosure requirements in an effort to avoid requiring disclosure of operational details that could be used by threat actors and address concerns about the materiality to investors of such detailed information. The SEC indicated it still expects disclosures sufficient to enable investors to ascertain a company’s cybersecurity practices and to understand the company’s cybersecurity risk profile.

Cybersecurity Governance

Board of Directors. New Item 106(c)(1) of Reg. S-K requires a description of the board’s oversight of risks from cybersecurity threats. This description should include, as applicable: 1) identification of any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats; and 2) a description of the processes by which the board or such committee is informed about such risks.

While the final rules are narrower than the proposed rules (for example, the final rules do not require a discussion of the frequency of the board’s discussion on cybersecurity risks), the SEC states that “depending on context, some registrants’ descriptions of the processes by which their board or relevant committee is informed about cybersecurity risks may include discussion of frequency.”

In a notable departure from the proposed rules, the final rules do not require a discussion of board cybersecurity expertise or the identification of any board members with such expertise.

Management. New Item 106(c)(2) of Reg. S-K requires disclosure of management’s role in assessing and managing the company’s material risks from cybersecurity threats. This disclosure should include, as applicable, the following nonexclusive list of disclosure items:

  • whether and which management positions or committees are responsible for assessing and managing cybersecurity risk, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
  • the processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
  • whether such persons or committees report information about such risks to the board or a committee or subcommittee of the board.

Foreign Private Issuers (FPIs)

Under the final rules, General Instruction B to Form 6-K has been amended to add material cybersecurity incidents as a reporting topic that may require an FPI to furnish a Form 6-K. In addition, the final rules add new Item 16K to Form 20-F, which will require FPIs to include disclosure comparable to new Item 106 of Reg. S-K in annual reports (but not registration statements) on Form 20-F.

Existing Guidance

The final rules supplement, but do not replace, existing guidance on cybersecurity disclosures. The SEC’s Division of Corporation Finance issued guidance in 2011 providing its views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.[5] In addition, the SEC issued interpretive guidance in 2018 to assist public companies in preparing disclosures about cybersecurity risks and incidents, which includes discussion of the possibility of cybersecurity disclosures elsewhere in periodic reports, such as in the risk factors, management’s discussion and analysis of financial condition and results of operations, description of the business, and elsewhere, as well as potential implications on insider trading and Form 8-K reporting in relation to cybersecurity incidents.[6]

Structured Data Requirements

The final rules require companies to tag the required disclosures in Inline XBRL, including block text tagging of narrative disclosures, and detail tagging of quantitative amounts disclosed within the narrative disclosures.

Compliance Dates

As noted above, the final rules are effective 30 days after they are published in the Federal Register; however, the SEC has provided for a transition period to comply.

  • Item 106 of Reg. S-K and Item 16K of Form 20-F: All companies (including smaller reporting companies) must provide these disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023.
  • Item 1.05 of Form 8-K and Form 6-K: Companies (other than smaller reporting companies) must begin complying 90 days after the final rules are published in the Federal Register or December 18, 2023, whichever is later.
    • Smaller reporting companies must begin complying 270 days after the final rules are published in the Federal Register or June 15, 2024, whichever is later.
  • Inline XBRL: All companies must tag disclosures under the applicable final rules in Inline XBRL beginning one year after the initial compliance date for any issuer for the related disclosure requirement. This means the following:
    • For Item 106 of Reg. S-K and Item 16K of Form 20-F, all companies must begin tagging responsive disclosure in Inline XBRL beginning with annual reports for fiscal years ending on or after December 15, 2024.
    • For Item 1.05 of Form 8-K, all companies (including smaller reporting companies) must begin tagging responsive disclosure in Inline XBRL beginning 465 days after the final rules are published in the Federal Register or December 18, 2024, whichever is later.

What to Do Now?

Companies should prepare for the new cybersecurity reporting and disclosure obligations. The annual disclosures will be required in Forms 10-K and Forms 20-F for fiscal years ending on or after December 15, 2023. Material cybersecurity incident reporting will be required for companies, other than smaller reporting companies, on the later of 90 days after the rules are published in the Federal Register or December 18, 2023, and for smaller reporting companies on the later of 270 days after the rules are published in the Federal Register or June 15, 2024.

Updating a complete cybersecurity and risk management program takes significant time, and companies should begin the process now in order to be able to comply with the various disclosure requirements imposed by the SEC’s rules concerning newly discovered cybersecurity incidents, the company’s approach to identifying, assessing, and managing cybersecurity risks, and the board and management’s role in managing these risks. In particular, companies should:

  1. Review the final rules and compliance deadlines with the appropriate internal teams as well as external advisors. Educate officers, directors, and other affected parties, such as employees dealing with cybersecurity, on the final rules.
  2. Ensure that policies clearly delineate responsibility for management, assessment, and oversight of cybersecurity risks by the board and management. Assess management’s expertise with respect to cybersecurity. Consider how the company’s newly required disclosures about board and management oversight will be viewed by investors and consider whether changes to the current structure may be warranted.
  3. Review, update, and maintain, as necessary, disclosure controls and procedures to ensure the timely delivery of information to management and the board, so that the incident can be properly evaluated and managed, the materiality determination can be made without unreasonable delay, and the required disclosures can be made on a timely basis. Ensure that these controls and procedures are reflected in the company’s incident response plan. Begin drafting a first set of Form 10-K disclosures now based on current practices so that you can fill in any gaps between now and the time at which disclosures are due.
  4. Test the company’s incident response plan readiness in advance, prior to the date the final rules go into effect.
  5. Prepare to continuously monitor and document incidents and provide disclosure updates regarding information that is required to be disclosed under Item 1.05 but was not available or determined at the time of initial disclosure on Form 8-K. Similarly, monitor any series of related incidents that are not material by themselves but that may in the aggregate be material and require disclosure under 1.05.
  6. Review the cybersecurity readiness plans of the company’s third-party information security partners and providers and consider how those plans may impact disclosures. Incidents occurring on or through third-party systems that the company uses will require disclosure if the incident would have a material impact on the company. The company will also have to make annual disclosures regarding whether the company has a risk management plan to address cybersecurity risk imposed by the use of third-party providers.
  7. Evaluate the company’s overall risk assessment posture and whether the company has aligned itself with a recognized cybersecurity framework such as ISO 27001 or the NIST Cybersecurity Framework and if the company has not, consider doing so. If the company does not consult with outside subject matter experts, consider doing so. As discussed above, the company will have to make annual disclosures regarding its cybersecurity posture and discuss material cybersecurity risks and/or the impact of material cybersecurity incidents such as those reported on Form 8-K. It will also have to disclose whether it engages consultants or auditors.

[1] See, e.g., CF Disclosure Guidance: Topic No. 2, Cybersecurity, Division of Corporation Finance (October 13, 2011), and Commission Statement and Guidance on Public Company Cybersecurity Disclosures, SEC Rel. 33-10459 (February 26, 2018).

[2] TSC Indus., Inc. v. Northway, 426 U.S. 438, 449 (1976). See also the definition of “material” in Rule 405 of the Securities Act of 1934 and Rule 12b-2 of the Securities Exchange Act of 1934.

[3] In addition, the SEC noted that existing Exchange Act Rule 0-6 provides for the omission of information that has been classified by an appropriate department or agency of the federal government for the protection of the interest of national defense or foreign policy.

[4] See new Item 1C., Cybersecurity, in Part I of Form 10-K.

[5] CF Disclosure Guidance: Topic No. 2, Cybersecurity, Division of Corporation Finance (October 13, 2011).

[6] Commission Statement and Guidance on Public Company Cybersecurity Disclosures, SEC Rel. 33-10459 (February 26, 2018).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wilson Sonsini Goodrich & Rosati | Attorney Advertising
