The SEC adopted new rules for public companies regarding disclosure of information relating to cybersecurity risk management, strategy, governance, and material incidents. Companies will now be required to disclose cybersecurity incidents deemed material through Current Reports on Form 8-K. Companies will also be required to include information in Annual Reports on Form 10-K relating to (i) procedures for assessing, identifying and managing material risks from cybersecurity threats as well as the material outcomes that have resulted, or may result, from such cybersecurity threats, (ii) board oversight of risks posed by cybersecurity threats, any board committee (or subcommittee) responsible for such oversight and the process by which the board (or such committee) is informed of such risks, and (iii) management’s role in assessing and managing material cybersecurity risks.

Importantly, the new rules establish the following new definitions:

• "Cybersecurity Incident" is defined as an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein; and

• "Information Systems" is defined as electronic information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing dissemination, or disposition of the registrant’s information to maintain or support the registrant’s operations (note that the use of the phrase “or used by” picks up the operations and infrastructure of IT service providers meaning that an attack on a company’s IT service provider could trigger Item 1.05 disclosure).

Key Points to the New Rules

• Item 1.05 Disclosure (Form 8-K): Public companies will be required to file a Form 8-K disclosing cybersecurity incidents within four (4) business days of a determination that such incident was material to the company. Required disclosure includes the material aspects of the incident’s nature, scope, and timing as well as how the incident will, or reasonably likely will, impact the company’s business, financial condition and results of operations. The materiality determination must be made without unreasonable delay. Late filing of an Item 1.05 Form 8-K will not result in the loss of Form S-3 eligibility; however, information contained in the Item 1.05 Form 8-K will be considered filed, not furnished. If any information required by Item 1.05 is not determined or is unavailable when the initial filing is due, companies must include a statement to that effect in the initial filing and amend the filing to provide the new information within four (4) business days after (i) making such determination (without unreasonable delay) or (ii) such information becomes available.

• Regulation S-K, Item 106 Disclosure (Form 10-K): Public companies will be required to provide ongoing disclosure in their Annual Reports on Form 10-K relating to their process, if any, for assessing, identifying and managing material risks from cybersecurity threats, including (i) whether and how any such processes have been integrated into overall risk management systems; (ii) whether they engage assessors, consultants, auditors or other third parties in connection therewith; and (iii) whether they have processes to oversee and identify risks to the company associated with their use of IT service providers.

In addition, public companies must describe whether and how any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect business strategy, results of operations or financial condition.

Finally, public companies must also describe (i) the board’s oversight of risks posed by cybersecurity threats and, if applicable, identify any board committee (or subcommittee) responsible for the oversight of such risks and describe the process by which the board (or committee) is informed about such risks; and (ii) management’s role in assessing and managing material risks posed by cybersecurity threats, including (a) whether and which management positions or committees are responsible for assessing and managing such risks and the relevant expertise of their current occupants or members; (b) the processes by which management is informed about, and monitors the prevention, detection, mitigation and remediation of, cybersecurity incidents, and (c) whether management reports information about such risks to the board or a committee (or subcommittee) of the board. Note that requirements regarding management’s role only apply to the management of “material” cybersecurity risks, whereas the board requirements apply to cybersecurity risks generally.

• Timing: Disclosure will be required for Form 8-K incidents 90 days after the new rules are published in the Federal Register or December 18, 2023, whichever date is later. Disclosure will be required in Annual Reports on Form 10-K for reporting companies with fiscal years ending on or after December 15, 2023.

Next Steps

Companies should carefully evaluate their existing cybersecurity policies and procedures against these new rules, including addressing board and management oversight of cybersecurity, incident response training, internal incident escalation and reporting and overall preparedness, as well as the integration of all the foregoing with existing disclosure controls and internal control over financial reporting. In addition, since an attack on a service provider can trigger disclosure under the new rules, companies should also evaluate their policies and procedures with respect to, and agreements with, their IT service providers to make sure they have adequate and timely access to information.