Key Takeaways

• On July 26, 2023, the Securities and Exchange Commission (SEC) adopted new rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incidents.
• The rules require reporting companies to file a Form 8-K under a new Item 1.05 to report certain information in the event of a material cybersecurity incident.
• The rules also require reporting companies to describe in their annual reports under a new Item 1C both of the following:
  • The company’s processes for assessing, identifying and managing material risks of cybersecurity threats in sufficient detail for a reasonable investor to understand the processes.
  • Whether risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to have a material effect on the company, including on business strategy, results of operations or financial condition, and if so, how.
• The annual report must also disclose the board of directors’ and management’s roles in overseeing and managing material risks of cybersecurity threats.
• Companies are advised to ensure their incident assessment and disclosure protocols facilitate timely disclosure of material incidents on Form 8-K, and they will need to consider the material actual and likely impacts of cybersecurity threats on the business.
• Companies will need to take stock of their current processes for and the role of management in assessing, identifying and managing material risks of cybersecurity threats, as well as how the board provides oversight with respect to these risks.

Rulemaking Background

In July 2023, the SEC adopted new cybersecurity rules for the stated purpose of enhancing and standardizing disclosures regarding cybersecurity risk management, strategy, governance and incidents by public companies. The rules were proposed in March 2022, as various factors including the use of digital technologies and artificial intelligence, hybrid work environments, the increase in the use of crypto assets, and the illicit profits from ransomware and stolen data have continued to increase cybersecurity risk. The final rules reflect the SEC’s determination that investors require more substantive and consistent information concerning the cybersecurity risk profile of companies to inform investment decisions.

The summary below explains the final rule obligations in three areas (which are also shown in the chart at the end of this alert) and provides high-level initial action items to prepare for compliance with the new rules. The SEC, through its comments on the definition of “cybersecurity incident,” explained that these rules focus on the impact on companies regardless of whether the risk or incident occurs on an asset managed by the company or a third party.

Overview of Rules

Disclosure of Material Impact of Cybersecurity Events:

• Obligation – Reporting companies will be required to file a Form 8-K under a new Item 1.05 within four business days of determining a cybersecurity incident is material. The Form 8-K must describe (1) the material aspects of the nature, scope and timing of the incident and (2) the material impact or reasonably likely material impact on the company, including on its financial condition and results of operations:
  • The filing may be delayed by up to 30 days if the U.S. attorney general (AG) determines that a disclosure “poses a substantial risk to national security or public safety” and the AG notifies the SEC of the determination.
  • The 8-K does not need to include technical details about the incident or the company’s response plans.
  • The materiality determination must be made without unreasonable delay after discovery of the incident.
  • If information required to be included in the 8-K is not available at the time of the initial 8-K filing, that must be mentioned in the initial 8-K filing, and the 8-K must be amended when that information is determined (within four business days of determining the information that was missing).
• Take Action – Companies should establish/review their existing disclosure controls and procedures related to the disclosure of cybersecurity risks or incidents. Companies should have an enterprise incident response plan that outlines how disclosure obligations will be assessed and addressed (not just a plan for the security team to use to manage the technical response), which may classify incidents (e.g., low, medium, high, critical) and assign a corresponding disclosure protocol that identifies the decision-makers responsible for ensuring compliance with the new rules (e.g., all incidents classified as high or critical are reported to the disclosure committee). Companies should also make sure that their business continuity plans are aligned with their enterprise incident response plan for classification and reporting. Following incidents, whether or not they are deemed material, companies should also have a process for evaluating and updating other disclosure related to cybersecurity, including risk factors under Item 1A of Form 10-K and now the new Item 1C cybersecurity risk management disclosures discussed below. This evaluation should occur as each periodic report is filed to ensure that such disclosures are still accurate and meaningful based on any incidents that were detected since the prior report and any developments regarding security control implementation issues or other challenges.

Disclosure of Cybersecurity Risk Management and Strategy:

• Obligation – The rules add a new Item 1C, Cybersecurity, to Form 10-K and Item 16K of Form 20-F. This new section requires companies to address two disclosure topics outlined in a new Item 106 of Regulation S-K:

(1) The first requires the company to describe its processes for assessing, identifying and managing material risks of cybersecurity threats in sufficient detail for a reasonable investor to understand the processes. The stated intent of the SEC is to provide enough detail about cybersecurity practices for an investor to understand the company’s cybersecurity risk profile. The non-exhaustive list of disclosure items to address are:

(i) Whether and how any such processes have been integrated into the registrant’s overall risk management system or processes.

(ii) Whether the registrant engages assessors, consultants, auditors or other third parties in connection with any such processes.

(iii) Whether the registrant has processes to oversee and identify such risks of cybersecurity threats associated with its use of any third-party service provider.

(2) The second requires the company to describe whether risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to have a material effect, including on business strategy, results of operations or financial condition, and if so, how.

• Take Action – There are three primary action areas related to the first disclosure obligation:

(1) Identify the method used by the company to conduct an assessment to identify cybersecurity threats (e.g., conducting a risk assessment – ideally, this covers incidents involving theft of data and business continuity events affecting assets both managed by the company and at vendors engaged by the company).

(2) Consider how the results of the risk assessment are used to design/update the company’s information security program (e.g., for residual risks identified by the risk assessment that are not acceptable, how the company determines what to do about them).

(3) Consider how the effectiveness of the controls and safeguards that are implemented as part of the information security program are evaluated, including oversight and assessment of third-party assessors/consultants used in this process.

For the second disclosure obligation, which has a materiality qualifier, the SEC comments state that the focus is on whether/how the company’s business model and strategy are affected by cybersecurity risks. For instance, if the company relies heavily on collecting and safeguarding sensitive personal information, should it raise capital to spend more on cybersecurity, or should it focus on collecting less personal information in order to reduce risk? The stated intent is to enable investors to assess whether the company will become more or less resilient or vulnerable to cybersecurity risks in the future. The comments also use the example of a company that previously experienced a cybersecurity incident disclosing whether it will be providing compensation to affected consumers or paying regulatory fines or judgments/settlements to help companies understand how the incident could affect financial performance.

Governance – Disclosure of Management and Board Oversight:

• Obligation – As a complement to the risk management strategy disclosure, under Item 1.06 of Regulation S-K, companies are also required to disclose how its leadership oversees and implements its cybersecurity processes as follows:

(1) Board of directors – Describe the board’s oversight of risks of cybersecurity threats, and if applicable, identify any committee or subcommittee responsible for this area of oversight and how the board or committee is informed about risks of cybersecurity threats.

(2) Management – Describe management’s role in assessing and managing material risks of cybersecurity threats, including addressing the following non-exhaustive list: (i) management positions that are responsible for assessing and managing such risks and the relevant expertise of those individuals, e.g., a chief information security officer (CISO) or comparable position; (ii) the processes by which responsible managers or management committees are informed about and monitor “prevention, detection, mitigation, and remediation of cybersecurity incidents”; and (iii) whether management reports information about material cybersecurity risks to the board or a board committee.

• Take Action – Companies will need to identify the members of the management team responsible for addressing material cybersecurity risks and have clear delegations to establish whether the board or a board committee is responsible for oversight of cybersecurity risks. For management, companies will need to determine how the management team is involved in both building the information security program to prevent/detect incidents and responding to cybersecurity incidents when they are detected; for example, a CISO is responsible for building the information security program, and the incident response plan identifies the members of management who are part of the management team that supports the core incident response team. Examples of items to consider disclosing may include (1) does the CISO present the results of a risk assessment to the management and/or board, (2) does management participate in making decisions on whether and how to address residual risks identified by the risk assessment, and (3) does the company conduct incident response tabletop exercises that either involve participation by the management team or the management team and/or board receive a briefing regarding the exercise.

Effective and Compliance Dates:

• For Item 106 of Regulation S-K (required by new Item 1C of Form 10-K and Item 16K of Form 20-F), all registrants must provide such disclosures beginning with annual reports for fiscal years ending on or after Dec. 15, 2023.
• With respect to compliance with the incident disclosure requirements in Item 1.05 of Form 8-K and in Form 6-K, all registrants other than smaller reporting companies must begin complying on Dec. 18, 2023. Smaller reporting companies must begin complying on June 15, 2024.
• The SEC is requiring that all information specified in Item 1.05 of Form 8-K and Item 106 of Regulation S-K be presented in Inline XBRL; however, this requirement will apply following a one-year transition period after the initial compliance date for the disclosure requirement.

Please feel free to contact any of our experienced professionals if you need assistance with complying with these requirements or have questions about this Client Alert.

[View source.]