On July 26, the Securities and Exchange Commission (SEC), by a 3-2 vote, adopted final rules intended to enhance public companies’ disclosures regarding (1) cybersecurity incidents through a new required current report item under Form 8-K and (2) cybersecurity risk management and governance in annual reports on Form 10-K through a new item under Regulation S-K.

The final rules are the result of the SEC’s deliberation process and review of public comments received in connection with proposed rules and amendments announced in March 2022, which we summarized in a previous post.

In brief, the final rules include the following:

• Amendment of Form 8-K to add Item 1.05, which requires companies to disclose information about a material cybersecurity incident within four business days after the company determines that the incident is material.

• Amendments of Form 10-K and Regulation S-K to require the disclosure (under new Item 1C of Form 10-K) of information necessary under Item 106 of Regulation S-K, which requires companies to disclose information about a company’s processes to assess, identify and manage material cybersecurity risks, as well as management’s role in assessing and managing material cybersecurity risks and the board of directors’ oversight of cybersecurity risks.

• A requirement that these disclosures be tagged and presented in Inline XBRL format after an implementation period.

In the adopting release, the SEC included significant discussion of the extensive public commentary received on the proposed rules and noted a number of points on which the final rules departed from the original proposal, and some areas in which the SEC had declined to follow public commentary. In general, the SEC noted that many of the modifications were aimed at narrowing and streamlining the disclosure requirements in response to comments that the SEC staff found persuasive. The final rules dispensed entirely with some requirements that were included in the proposed rules, such as the requirement that companies make disclosures about board members’ cybersecurity expertise.

Current Report Requirements for Material Cybersecurity Incidents

General Requirements

New Item 1.05 of Form 8-K requires a public company to disclose any cybersecurity incident the company experiences that it determines to be material. The disclosure must be made within four business days (the standard period for filing a current report on Form 8-K following the triggering event) after the materiality determination is made. The disclosure must describe both of the following:

• The nature, scope and timing of the incident.

• The impact or reasonably likely impact of the incident on the company, including on its financial condition and results of operations.

Unlike the proposed rules, the final rules do not require the disclosure to include information about the cybersecurity incident’s remedial efforts or status, whether data had been compromised, or potential vulnerabilities going forward. The SEC aimed these changes at focusing the disclosure on the more general materiality of the incident and its impacts from the company’s perspective, rather than on technical details that both are less likely to be relevant to investors and may be potential impediments to remediation or even an attractive sign of vulnerabilities to malicious outside actors.

Defining “Materiality”

The materiality of a cybersecurity incident is to be determined under the standard definition generally applicable under the securities laws—i.e., whether a reasonable shareholder would consider information about the incident important in making an investment decision about the company, or the information would significantly alter the “total mix” of information available to the public about the company. As in all other areas in which public companies make this sort of determination, this is a facts-and-circumstances inquiry that is by design open to some judgment and interpretation. The SEC notes in the adopting release that, as a result, the same cybersecurity incident affecting multiple registrants may not be reportable in the same manner, at the same time, or even at all, by each of them given the likelihood of different material impacts from the incident on different organizations.

In the adopting release, the SEC used broad language in relation to what factors need to be considered in making a Form 8-K materiality analysis, noting that this evaluation should include both quantitative and qualitative factors and that when an cybersecurity incident occurs, a company “should consider both the immediate fallout and any longer term effects on its operations, finances, brand perception, customer relationships, and so on, as part of its materiality analysis.” Moreover, the Form 8-K requirement to disclose “reasonably likely” material expands the required level of disclosure beyond other Form 8-K contexts. As such, these and other considerations may cause companies to err on the side of disclosure in terms of deciding whether a Form 8-K is required, and the level of disclosure to be provided. Moreover, the rules do not only apply to incidents involving a company’s own systems, but also those involving the systems of a third-party provider.

Reporting Obligation Triggered by Materiality Determination

It is worth underscoring that the triggering event for the reporting obligation is not the occurrence of the cybersecurity incident itself, but rather the registrant’s determination of its materiality. In the adopting release, the SEC acknowledges that there is likely to be some lag between the occurrence and such a determination. The SEC does, however, expect such determinations to be made with all deliberate speed; the determination is required to be made “without unreasonable delay.” This, however, is one of the areas in which the final rules were modified, in response to public comments, to ease some of the pressure on registrants when compared to the proposed release, which would have required the determination to be made “as soon as reasonably practicable.”

Limited Exceptions to Filing Requirements

 Responding to comments proposing that the SEC allow delayed reporting in some circumstances, the final rules allow a delay in reporting if the U.S. Attorney General determines that disclosure of the cybersecurity incident poses a substantial risk to national security or public safety and notifies the SEC of this conclusion in writing (and also notifies the registrant of the determination as well, to allow the filing to be delayed). This delay will initially be for 30 days but can be further extended if the Attorney General determines such to be necessary. The adopting release notes that that the SEC staff and Department of Justice have conferred on establishing mechanisms to allow this determination by the Attorney General to be conveyed in timely fashion, but even so this represents a narrow exception to the general four-business day requirement, and seems unlikely to be applied frequently. Based on the belief that prompt disclosure of cybersecurity incidents is of great importance to investors, the SEC noted that it had rejected a number of suggestions from commenters for other potential delays and exceptions, such as potential delays for ongoing remediation or exceptions altogether for smaller reporting companies.

Reporting Updates on Incidents

Acknowledging that requiring current reporting of incidents promptly after they are determined to be material, perhaps while remediation is still ongoing and the total harm, if any, still indeterminate, could result in reporting that is incomplete or subject to change, the final rules also include a requirement that material information that becomes available subsequent to the original disclosure be included in an amended Form 8-K to update the disclosure. This represents a modification by the SEC of the original proposal, which had included an affirmative obligation to provide updates in periodic reports after an incident until its eventual resolution.

Aggregation of Cybersecurity Incidents Limited to Related Events

Along with the elimination of the requirement of updated incident disclosure in periodic reports, the SEC also dropped a proposed requirement that companies aggregate even unrelated and immaterial cybersecurity incidents in periodic reports. While the final rules do retain the concept that a series of related events may become material in the aggregate even if individually immaterial, this concept is not extended to aggregation of unrelated events as in the original proposal.

Form 10-K Requirements of Cybersecurity Risk Management and Strategy

General Requirements

New Item 106 of Regulation S-K establishes new requirements for Form 10-K disclosures relating to cybersecurity risk management and strategy, which will be reflected in domestic registrants’ filings under new Item 1C of Form 10-K. The disclosures must describe all of the following:

• The company’s processes, if any, for the assessment, identification and management of material risks from cybersecurity threats.

• Whether cybersecurity risks, including from prior incidents, have materially affected, or are reasonably likely to materially affect, its business strategy, results of operations or financial condition.

• The board of directors’ oversight (including a description of the roles of board committees or subcommittees) of risks from cybersecurity threats.

• Management’s role in assessing and managing material risks from cybersecurity threats.

Disclosure Based on “Processes,” not “Policies and Procedures”

In focusing the disclosure on a description of the company’s processes, as opposed to detailed policies and procedures, cybersecurity risk management, as well as the board’s and management’s respective roles in those processes, the final form of Item 106’s requirements represent a greater streamlining of the proposed rules in a number of respects than do the final Item 1.05 of Form 8-K.

The SEC prescribes non-exclusive lists of disclosure items that registrants should consider addressing, if applicable, with respect to both their general processes for managing cybersecurity risks and their governance structures for overseeing and managing those processes. For the former, these should include descriptions as to whether and how outside consultants and service providers are used by the company (without necessarily needing to name them in the disclosure). For the latter, these should include some detail around which management positions or committees are responsible for managing risks and the processes by which they gather information about, monitor and remediate cybersecurity incidents; and their reporting relationship to the board of directors or its committees. Notably, however, the SEC was persuaded by commenters’ views that requiring disclosure of board members’ expertise on cybersecurity matters, as originally proposed, could create the potential for the disclosure requirements to drive board composition and corporate policy, and accordingly has dropped this proposed item from the final rules.

Implementation Timeline

General Filing Compliance

The final rules will become effective as of 30 days after their publication in the Federal Register. Public companies, other than smaller reporting companies, will be required to comply with the current reporting requirements for cybersecurity incidents via Form 8-K by the later of 90 days after such publication or December 18, 2023; smaller reporting companies will receive an additional 180 days before becoming subject to this requirement by the later of 270 days after such publication or June 15, 2024. The new Item 106 disclosures will be required in all companies’ first annual reports on Form 10-K for any fiscal years ending on or after December 15, 2023.

XBRL Tagging

The requirement for disclosures to be tagged in Inline XBRL will become effective approximately one year after the effectiveness of the disclosure requirements above. For current reporting, this means for current reports filed by the later of 465 days after publication of final rules in the Federal Register or December 18, 2024. For periodic reports, XBRL tagging will be required in annual reports for any fiscal years ending on or after December 15, 2024.

Key Takeaways

With these new rules becoming effective at the end of this calendar year, registrants should begin preparing now. Some important steps to consider are as follows:

• Evaluate current board and management processes and reporting relationships with respect to cybersecurity risk in light of the impending requirement to describe them in public disclosure. Additionally, the requirement to disclose which board committees oversee cybersecurity risk may result in a continuation of a trend to allocate the oversight of cybersecurity risk (at least in part) to a board committee (most commonly, the audit committee). Moreover, companies should ensure that the charter of any applicable board committee addresses the cybersecurity oversight responsibilities of such committee.

• Evaluate existing disclosure controls in light of the need to escalate cybersecurity incidents for consideration by management and the board of directors, as needed, to determine materiality and, if needed, craft appropriate disclosure within the new current reporting timeframe (generally within four business days after the company determines that the incident is material).

• Review the interplay between the new SEC requirements and any other legal or regulatory regimes regarding cybersecurity and data privacy incidents that are relevant to the company’s business. Although the SEC declined in almost all cases raised by commenters to view divergences between the new reporting regime and other legal requirements as a true conflict, companies should consider whether there are reporting requirements under one set of rules that could affect another in ways that need to be planned for in advance.

• Evaluate the cybersecurity capabilities and incident response capabilities of third-party providers, including with respect to the pre-engagement evaluation of such parties. Companies should implement contractual protections with third-party providers, and actively monitor and enforce such protections. The final rules show the SEC’s focus is not solely on the cybersecurity capabilities of registrants, but also on the third parties that interact with such registrants’ systems and data.