SEC Adopts Cyber Regulations

Foley Hoag LLP

Key Takeaways:

  • On July 26, 2023, the Securities and Exchange Commission (SEC) adopted rules requiring disclosure of material cybersecurity incidents as well as periodic disclosure of cybersecurity risk management, strategy, and governance.
  • Public companies will be required to disclose “any cybersecurity incident they determine to be material” under new Item 1.05 of Form 8-K.
  • Public companies will need to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats and disclose whether any previous cybersecurity incidents have materially affected (or are likely to materially affect) the company under new Item 106 of Regulation S-K.
  • Foreign Private Issuers (FPIs) will need to provide information on material cybersecurity incidents that have been disclosed or publicized in a foreign jurisdiction to any stock exchange or security holder on Form 6-K.
On July 26, 2023, the Securities and Exchange Commission (SEC) adopted rules requiring disclosure of material cybersecurity incidents as well as periodic disclosure of cybersecurity risk management, strategy, and governance in annual reports for public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.

Requirements under the final rules include the following:

  • Public Companies
    • Form 8-K. New Item 1.05 has been added to Form 8-K that will require public companies to disclose any material cybersecurity incident. Importantly, once a cybersecurity event has been discovered, public companies must determine as soon as reasonably practical whether such incident is material, and, if the incident is material, must file an Item 1.05 Form 8-K disclosure within four business days after the materiality determination.

      The SEC has noted that, in assessing whether a cybersecurity incident is material, public companies should apply the materiality standard set out in securities law cases addressing materiality (including TSC Industries, Inc. v. Northway, Inc., Basic, Inc. v. Levinson, and Matrixx Initiatives, Inc. v. Siracusano) and prior SEC guidance on materiality (including the definitions set forth in “Securities Act Rule 405” and “Exchange Act Rule 12b-2”) – notably, that information is material “if there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.” If a public company determines that an incident is material, it must describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact (or reasonably likely impact) of the incident on the company.
    • Regulation S-K. New Item 106 under Regulation S-K will require public companies to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats and to disclose whether any previous cybersecurity incidents have materially affected (or are likely to materially affect) the company. Further, public companies will need to describe the board of directors’ oversight of risks from cybersecurity threats as well as management’s role and expertise in assessing and managing such risks.
  • Foreign Private Issuers
    • Form 6-K. Foreign Private Issuers (FPIs) will need to furnish on Form 6-K information on material cybersecurity incidents that have been disclosed or publicized in a foreign jurisdiction to any stock exchange or security holders. Relatedly, Form 20-F will be amended to include periodic disclosure requirements similar to those included in the updates to Regulation S-K.

The SEC’s July 26, 2023 announcement provides the following timelines:

  • Effective Date. The new rules will go into effect thirty (30) days following the date of publication in the Federal Register.
  • Periodic Disclosure Requirements. Disclosures under Regulation S-K Item 106 and Form 20-F will be required in annual reports for fiscal years ending on or after December 15, 2023.
  • Cybersecurity Incident Disclosure. Public companies (other than smaller reporting companies) will need to begin complying with the new incident disclosure requirements under Item 1.05 of Form 8-K on the later of (1) ninety (90) days following the date of publication in the Federal Register or (2) December 18, 2023. For smaller reporting companies, these deadlines are extended to the later of (1) two hundred and seventy (270) days following the date of publication in the Federal Register or (2) June 15, 2024.

Law clerk Ben Kalman co-authored this alert.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley Hoag LLP | Attorney Advertising