In less than three months, public companies and certain foreign private companies will have to take additional steps after cybersecurity breaches: deciding whether an incident meets the materiality threshold that requires disclosure pursuant to U.S. Securities and Exchange Commission (SEC) rules. Public companies will also have to enhance their periodic disclosures related to their cybersecurity risks, management, and strategy.
Those changes are the result of the SEC’s final rule that seeks to standardize and improve disclosures concerning identified cybersecurity risks and incidents, allowing investors to better evaluate a company’s legal and financial exposure as a result, according to an SEC fact sheet. There are critical next steps that companies need to take now, including testing the speed and accuracy with which their internal teams can assess cybersecurity incidents.
The final rule concerning cybersecurity incident disclosures became effective on September 5, 2023, with the first compliance deadlines set for December. The final rule requires domestic companies to:
- Disclose any material cybersecurity incident within four business days from a determination of materiality through a Form 8-K filing.
- Describe the company’s processes for assessing, identifying, and managing cybersecurity risks and threats in its Form 10-K filing.
- Describe the board of directors’ oversight and management of cybersecurity risks and incidents in its Form 10-K filing.
Disclosure of Material Cybersecurity Incidents
The final rule adds Item 1.05 to Form 8-K, which requires disclosure of a cybersecurity incident once the company determines that the incident is material, a determination the company must make “without unreasonable delay” after discovering the incident.
The final rule does not change the definition of “materiality” developed over 50-plus years of case law. The Supreme Court in the seminal case TSC Industries v. Northway stated that a fact is material if there is “a substantial likelihood that the ... fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.” The SEC has adapted TSC Industries in its rules to define materiality as matters for which there is a substantial likelihood that a reasonable investor would attach importance in determining whether to purchase the security registered. A “cybersecurity incident” is broadly defined as a single or series of related unauthorized occurrences on or through information systems that jeopardize the confidentiality, integrity, or availability of an information system or any information held within. An “information system” is any electronic information resource “owned or used by the [company].” The SEC has clarified that these definitions of cybersecurity incident and information systems are applied retrospectively upon a determination of materiality.
If the incident is determined to be material, then, within four business days from the date of such determination, the company must disclose, in public filings, the material aspects of the incident, including the “nature, scope, and timing of the incident, and the material impact or reasonably likely material impact of the incident on the registrant, including on its financial condition and results of operations.” However, companies are not required to disclose specific or technical information relating to the affected systems, the vulnerabilities, or an intended response.
If the information required for Form 8-K is not available by the date disclosure is required, then companies must flag the missing information in the Form 8-K disclosure and file a subsequent amendment to the Form 8-K within four business days of the information becoming available. For example, if a company that has experienced a breach is unable to determine when the threat actor first entered its system within the four business days before disclosure of the incident is required, then the company should file the Form 8-K noting where such information is unavailable and file an amendment within four business days of that information becoming available, even if that information becomes available a month, three months, or a year later.
Companies subject to the Federal Communications Commission’s (FCC) notification rule for breaches of customer proprietary network information (CPNI) may delay the initial Form 8-K disclosure of a material incident. The FCC rule requires those companies to notify the U.S. Secret Service and the Federal Bureau of Investigation within seven business days of determining that a breach occurred, and the Form 8-K filing may be delayed for up to seven business days after that notification is made, provided the company notifies the SEC in writing before the delay, no later than the date the Form 8-K would otherwise have been due.
A second form of extension is available only if the U.S. attorney general determines that the disclosure would pose a substantial risk to national security or public safety. In such rare cases, the attorney general can delay the filing for an initial period of up to 30 days, an additional 30 days, and then a further 60 days in extraordinary circumstances, while the risk is assessed. The Department of Justice has not yet clarified what kinds of incidents will qualify for such delays.
Disclosure of Cybersecurity Strategy, Risk Management, and Governance
The final rule also adds Item 106 to Regulation S-K. Subsection (b) requires companies to describe, in a form understandable by a reasonable investor, their processes for assessing, identifying, and managing material risks from cybersecurity threats, and to state whether any risks from cybersecurity threats, including prior incidents, have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition. Companies must include the following elements in their annual disclosures:
- Whether and how the described cybersecurity processes have been integrated into the company’s overall risk management system or processes.
- Whether the company engages assessors, consultants, auditors, or other third parties in connection with any such processes.
- Whether the company has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.
The elements above are non-exclusive and companies should disclose any information that is necessary for a reasonable investor to sufficiently understand the company’s cybersecurity processes in order to make informed investment decisions.
Furthermore, subsection (c) of the new Regulation S-K Item 106 requires companies to disclose, in a form understandable by a reasonable investor, how the board of directors and management oversee, assess, and manage risks from cybersecurity threats. These disclosures must describe:
- The board’s oversight of risks from cybersecurity threats and, if applicable, any board committee or subcommittee responsible for such oversight.
- The processes by which the board or board committee is informed about such risks.
- Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant experience of such people or members in such detail as necessary to fully describe the nature of the experience.
- The processes by which such people or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents.
- Whether such people or committees report information about such risks to the board of directors or a board committee or subcommittee.
Disclosures under the final rule also apply to foreign private issuers (FPIs). Incident disclosure corresponding to Form 8-K Item 1.05 is furnished on Form 6-K, while the annual disclosure corresponding to Regulation S-K Item 106 is made on Form 20-F (new Item 16K). The Form 6-K obligation covers information about material cybersecurity incidents that the FPI discloses or otherwise publicizes in a foreign jurisdiction, to any stock exchange, or to security holders.
Lastly, the final rule requires all related disclosures (i.e., Item 1.05 of Form 8-K, Item 106 of Regulation S-K) to be tagged in Inline eXtensible Business Reporting Language (Inline XBRL) beginning one year after the initial disclosure compliance date. Specifically, companies must use this reporting language:
- For Item 106 of Regulation S-K and Item 16K of Form 20-F, all companies must begin tagging responsive disclosure in Inline XBRL beginning with Form 10-Ks for fiscal years ending on or after December 15, 2024.
- For Item 1.05 of Form 8-K and Form 6-K, companies other than smaller reporting companies must begin tagging responsive disclosure in Inline XBRL beginning on December 18, 2024; smaller reporting companies must begin on June 15, 2025.
In a world where “everything is securities fraud,” as Bloomberg Opinion columnist Matt Levine puts it, cybersecurity disclosures would appear to be a frontier the plaintiffs' bar will pursue. Companies need to review their cybersecurity incident processes now. Since the final rule requires a materiality determination without unreasonable delay and allows only four business days after that determination to draft and publish the disclosure, effective communication between the security, legal, finance, and disclosure teams is essential. Companies should test whether each team can produce swift and accurate assessments of cybersecurity incidents and respond quickly. Going forward, companies should also assess related unauthorized occurrences as a group, because a series of incidents that are each immaterial on their own may be material in the aggregate.
Furthermore, companies likely need to assess their cybersecurity incident governance procedures, as well as begin drafting these processes in a ready-to-be-published format for Form 10-Ks and Form 20-Fs. A key first step, if not already done, will be identifying and delegating specific responsibilities to board and management members. Companies should assess whether committees have been formed internally to investigate matters and evaluate the criteria and issues these committees oversee. These disclosures must be drafted to balance sharing enough to comply with the final rule and not sharing critical company procedures and responses.
While companies may want time to draft, test, and revise incident and governance disclosures and policies, companies do not have long to be ready to comply with the final rule:
- December 15, 2023 – All board and manager-related cybersecurity risk management, strategy, and governance disclosures must be compliant for Form 10-Ks or Form 20-Fs for fiscal years ending on or after December 15, 2023.
- December 18, 2023 – All companies (except smaller reporting companies) must begin disclosing the material aspects of material cybersecurity incidents beginning on December 18, 2023.
- June 15, 2024 – Smaller reporting companies must begin disclosing the material aspects of material cybersecurity incidents beginning on June 15, 2024.
- December 15, 2024 – All companies must begin tagging Regulation S-K Item 106 and Form 20-F Item 16K responsive disclosure in Inline XBRL beginning with Form 10-Ks and Form 20-Fs for fiscal years ending on or after December 15, 2024.
- December 18, 2024 – All companies (except smaller reporting ones) must begin tagging Form 8-K Item 1.05 and Form 6-K responsive disclosure in Inline XBRL beginning on December 18, 2024.
- June 15, 2025 – Smaller reporting companies must begin tagging Form 8-K Item 1.05 disclosures using Inline XBRL beginning on June 15, 2025.
Law clerk Hunter Snowden also contributed to this alert.