Following up on our previous report from almost a year ago, the U.S. Securities and Exchange Commission (the “SEC” or “Commission”) has adopted final rules intended to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies. Specifically, companies will be required to disclose (1) cybersecurity incidents through a new required Form 8-K item and (2) cybersecurity risk management and governance through a new required Form 10-K item.

The new rules were the subject of extensive public comment. A summary of the new requirements appears below.

Disclosure of Material Cybersecurity Incidents on Form 8-K

The final rule requires a registrant to disclose under new Item 1.05 to Form 8-K the occurrence of a cybersecurity incident[1] that the registrant has determined to be material to the registrant. As was the case in the proposed rule, the final rule requires the current report on Form 8-K to be filed within four business days after the registrant determines that it has experienced a material cybersecurity incident.

While the Commission did not change the four-business day deadline for reporting a material cybersecurity incident, it did make several changes to new Item 1.05 from what was set forth in the proposed rule. First, the Commission narrowed the amount of information required to be disclosed to focus the disclosure primarily on the impacts of a material cybersecurity incident, rather than on requiring certain specific details regarding the incident itself. Under new Item 1.05(a), if a registrant has experienced a material cybersecurity incident, it must “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” Unlike with the proposed rule, the Commission did not adopt a requirement for disclosure regarding the incident’s remediation status, whether it is ongoing, or whether data was compromised. Further, the Commission added an Instruction 4 to Item 1.05 to provide that a “registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.”

Regarding concerns expressed regarding the short time period required for disclosure of a material cybersecurity incident, the Commission’s final rule clearly expresses the Commission’s acknowledgment that a registrant’s determination of the materiality of a cybersecurity incident will likely take more than four business days from discovery of a cybersecurity incident. In the final rule’s adopting release, the Commission states:

In the majority of cases, the registrant will likely be unable to determine materiality the same day the incident is discovered. The registrant will develop information after discovery until it is sufficient to facilitate a materiality analysis. At that point, we believe investors are best served knowing, within four business days after the materiality determination, that the incident occurred and what led management to conclude the incident is material. (emphasis added).

Instruction 1 to Item 1.05 provides that a registrant’s materiality determination regarding a cybersecurity incident must be made “without unreasonable delay” after discovery of the incident. This is a change from the proposed rule, which required the materiality determination to be made “as soon as reasonably practicable” after discovery of the incident. In the Commission’s view, this change was intended to address concerns that the proposed requirement to make such determination as soon as reasonably practicable could have resulted in undue pressure to make a materiality determination before a registrant has sufficient information to do so. While one can argue the true benefit to this change in language, the adopting release makes effort to highlight that the Item 1.05 disclosure is only triggered once a company has developed information regarding an incident sufficient to make a materiality determination, not simply upon discovery of cybersecurity incident.

The commentary accompanying the final rules suggests the Commission will scrutinize perceived delays in making the materiality determination. For example, the Commission noted that, if a materiality determination is to be made by a board committee, “intentionally deferring the committee’s meeting on the materiality determination past the normal time it takes to convene its members would constitute an unreasonable delay.” The Commission also cautioned against revising existing incident response policies and procedures to support a delayed materiality determination, such as by extending the incident severity assessment deadlines or changing the criteria that would require reporting an incident to management or committees with responsibility for public disclosures.

Change in Manner of Updating Previously Disclosed Material Cybersecurity Incidents

In the proposed rule, the Commission had originally proposed that registrants would be required to disclose any material changes, additions, or updates to information required to be disclosed pursuant to Item 1.05 of Form 8–K in the registrant’s quarterly report filed on Form 10-Q or annual report on Form 10-K for the period in which the material change, addition or update occurred.[2] The final rule eliminates these proposed quarterly updates. Instead, the Commission has revised Instruction 2 to Item 1.05 of Form 8-K. Under the revised instruction, a registrant is instructed that “to the extent information called for in Item 1.05(a) is not determinable or is unavailable at the time of the required filing, the registrant shall include a statement to this effect in the filing and then must file an amendment” to its Form 8-K disclosing a material cybersecurity incident “containing such information within four business days after the registrant, without unreasonable delay, determines such information or within four business days after such information becomes available.”

In addition to updates that are required by the text of Instruction 2, the commentary includes a reminder from the Commission that a registrant “may have a duty to correct [a] prior disclosure that the registrant determines was untrue (or omitted a material fact necessary to make the disclosure not misleading) at the time it was made.” Thus, registrants will need to evaluate whether new information will require them to amend a Form 8-K filing to correct prior statements or address material omissions.

Limited Reporting Delay for Cybersecurity Incidents Posing National Security or Public Safety Risk

The final rule adopts a limited delay provision in cases where disclosure poses a substantial risk to national security or public safety. Pursuant to new Item 1.05(c) of Form 8-K, a registrant may delay making an Item 1.05 Form 8-K filing if the U.S. Attorney General determines that the disclosure poses a substantial risk to national security or public safety, and the Attorney General notifies the Commission of such determination in writing. The Attorney General may delay the required filing for an initial 30-day period, a second 30-day period, and, in extraordinary circumstances, an additional 60 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security. The Commission may consider further delays beyond the final 60-day period and grant such relief through a Commission exemptive order.[3]

Other than the national security or public safety delay, which we expect would be applicable in a limited number of circumstances, the Commission only adopted one other reporting delay provision to align with other federal and state cybersecurity reporting or regulatory regimes. New Item 1.05(d) to Form 8-K is designed to align the Commission’s reporting requirements with the Federal Communications Commission (“FCC”) regulations for breaches of customer proprietary network information (“CPNI”). The FCC’s rule for notification in the event of breaches of CPNI requires covered entities to notify the United States Secret Service (“USSS”) and the Federal Bureau of Investigation (“FBI”) no later than seven business days after reasonable determination of a CPNI breach, and further directs the entities to refrain from notifying customers or disclosing the breach publicly until seven business days have passed following the notification to the USSS and FBI. To accommodate registrants who are subject to this rule and may as a result face conflicting disclosure timelines, paragraph (d) to Item 1.05 provides that such registrants may delay making a Form 8-K disclosure up to the seven-business day period following notification to the USSS and FBI specified in the FCC rule, with written notification to the Commission.

Disclosure of Risk Management, Strategy, and Governance Regarding Cybersecurity Risks

Form 10-K will include new Item 1C, which must contain the disclosures required by new Item 106 of Regulation S-K. The new required disclosures include the following and must be tagged and presented in Inline XBRL format.

Risk Management and Strategy. Companies must provide a description of their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats. This description must be in sufficient detail for a reasonable investor to understand those processes. Companies should address the following, at a minimum:

• Whether and how such processes have been integrated into the company’s overall risk management system or processes;
• Whether the company engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
• Whether the company has processes to oversee and identify such risks from cybersecurity threats associated with its use of third-party service providers.

The Company must also describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition, and if so, how.

Governance. Companies must describe the board of directors’ oversight of risks from cybersecurity threats. They must identify any board committee or subcommittee responsible for the oversight of these risks and describe the processes by which the board or applicable committee is informed about such risks.  Companies must also describe management’s role in assessing and managing cybersecurity risks. This disclosure should address the following, at a minimum:

• Whether and which management position or committees are responsible for assessing and managing cybersecurity risks, and the relevant expertise of such persons in such detail as necessary to fully describe the nature of the expertise (for example, prior work experience in cybersecurity; relevant degrees or certifications; and any knowledge, skills, or other background in cybersecurity);
• The processes by which such person or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
• Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board.

Unlike the proposed rule, the final rule does not require disclosure about the cybersecurity expertise of members of the board of directors.

Effective and Compliance Dates

The final rule is effective September 5, 2023. Public companies (other than smaller reporting companies) will be required to begin complying with the new Form 8-K requirements on December 18, 2023. Smaller reporting companies will become subject to the Form 8-K requirements on June 15, 2024.

The new Form 10-K requirements will be required for all companies in the first Form 10-K for any fiscal year ending on or after December 15, 2023, i.e. in the next Form 10-K for calendar year-end companies.  

The Inline XBRL-tagging requirements will become effective approximately one year after effectiveness of the disclosure requirements. For Form 8-K, companies must begin tagging disclosure on December 18, 2024. For Form 10-K, companies must begin tagging disclosure beginning with annual reports for fiscal years ending on or after December 14, 2024. For calendar year-end companies, this means that iXBRL tagging will not be required until the 2024 10-K, filed in 2025.

Next Steps for Registrants

We anticipate that the SEC will actively enforce the final rules. The final rules may also help investors bring derivative claims against senior executives and board members alleging a breach of fiduciary duty for failing to manage cybersecurity risk. Registrants should take steps to prepare for the effective dates associated with the new requirements, including the following:

• Update incident response procedures to ensure the materiality analysis is conducted in a timely manner. Data incident response procedures tend to focus on the tangled web of international, national, and state breach notification laws, rather than SEC reporting requirements. Registrants should update their incident response procedures to require early evaluation of whether an incident constitutes a “cybersecurity incident” within the meaning of the SEC’s final rules. If so, the incident response procedure must trigger the prompt involvement of any additional professionals and stakeholders needed for purposes of the Form 8-K materiality analysis. The SEC’s final rules do not specify whether the materiality determination should be performed by the board, a board committee, or one or more officers of the registrant. Registrants should strongly consider updating incident response policies and procedures to clearly delineate responsibilities for the materiality determination under the final SEC rule. A registrant’s incident response procedures should also facilitate timely and effective coordination between the company’s incident response team, legal counsel advising on compliance with data breach notification laws, and legal counsel and stakeholders responsible for SEC disclosures. Failing to account for the Form 8-K reporting requirements in a registrant’s incident response procedure will increase the likelihood that a registrant fails to perform the analysis “without unreasonable delay.” Registrants should also ensure that their incident response process and disclosure controls address the considerations described in the final rule, the accompanying commentary issued by the Commission, and case law addressing materiality.

• Assume that you will not be able to take advantage of the national security/public safety reporting delay. The reporting delay is very narrow and applies only where the U.S. Attorney General determines that the disclosure poses a substantial risk to national security or public safety. According to the Commission, the SEC and the Department of Justice have established an interagency process to facilitate reliance on the reporting. But we anticipate that it will be difficult to obtain a timely determination from the Attorney General and that the delay will rarely be authorized.
• Evaluate and update existing cybersecurity risk management processes to enable the registrant to address new content requirements for Form 10-K filings. The final rule requires registrants to describe their “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes,” including certain minimum content discussed in further detail above. Now would be a good time to evaluate current processes and update them, as appropriate, to enable registrants to describe the specific items mandated by new Item 106(b) in a manner that demonstrates implementation of best practices while mitigating legal risk associated with making the mandatory disclosures.
• Evaluate and update board governance processes to enable the registrant to address associated Form 10-K reporting requirements. New Item 106(c) will require registrants to describe board/subcommittee oversight of risks from cybersecurity threats and processes that ensure the board/committee is informed of such risks. Specific content described above must be included. Registrants should evaluate these requirements against current board/committee supervision and associated procedures. Registrants should make updates that are needed so that they can make the required 10-K disclosures in such a way as to address investor concerns while mitigating any associated risk.

• Prepare content for Form 10-K filings. After evaluating and updating internal cybersecurity procedures and governance, registrants should work with legal counsel to draft new language to address the new 10-K reporting requirements imposed by the final rules. Waiting until closer to the filing deadline may put you in a tough spot because organizational changes may be necessary to truthfully discuss the required content and adequately address investor concerns.

• Assemble a multidisciplinary team to assist with and advise on compliance with the final rules and related legal requirements—before the final rules take effect. Complying with the new cybersecurity incident disclosure rule will likely require registrants to rely on a team with diverse areas of expertise, including external parties, such as forensic investigators and outside legal counsel. Obtaining guidance from legal counsel with dedicated public company and privacy/data security practices will be instrumental in preparing for the final rule’s compliance dates, determining whether and how to make Form 8-K filings for specific incidents, and complying with related legal requirements, such as data breach notification laws.

*******

[1] A “cybersecurity incident” is defined in the final rule as an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein. See new Item 1.06(a) to Regulation S-K.

[2] See prior, proposed new Item 1.06(d) of Regulation S-K from proposed rule.

[3] The final rule’s adopting release indicates that the Commission has consulted with the Department of Justice to establish an interagency communication process to allow for the Attorney General’s determination to be communicated to the Commission in a timely manner. The Department of Justice will notify the affected registrant that communication to the Commission has been made, so that the registrant may delay filing its Form 8-K.