The Securities and Exchange Commission (SEC) finalized cybersecurity rules this week for public companies centered on disclosure requirements for material cybersecurity incidents, as well as periodic reporting regarding cybersecurity risk management, strategy, and governance. Originally proposed in March 2022, these extensive rules received significant industry feedback and more than 150 comment letters during the last year.
In a statement following the adoption of the rules, SEC Chair Gary Gensler remarked, “[w]hether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors.” Gensler continued, “Many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
New disclosure requirements
The new rules require companies to disclose in a Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its impact on the company. The Form 8-K will generally be due within four business days of the date on which the company determines the cybersecurity incident to be material; however, the disclosure may be delayed if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety. Companies are required to make the determination as to the materiality of a cybersecurity incident without unreasonable delay after discovery of the incident. Information required by the Form 8-K that is not available at the time of the initial 8-K filing must be disclosed by filing an amended 8-K within four business days of that information becoming available.
During the comment period for the proposed rules, the SEC received feedback expressing concern that the proposed disclosure of granular information about a cybersecurity event would potentially exacerbate the event by providing too much detail about how the event occurred. Accordingly, in the final rules, the SEC streamlined the language to focus more on disclosure of “the impacts of a material cybersecurity incident, rather than on requiring details regarding the incident itself.”
Additionally, the new rules require companies to annually disclose their processes for assessing, identifying, and managing material risks from cybersecurity threats, and to describe how the board of directors oversees cybersecurity risks, as well as management’s role in assessing and managing cyber threats. The SEC had previously proposed requiring registered companies to disclose the cybersecurity expertise, if any, of their board members. Notably, however, the final version of the rules did away with this requirement, with the SEC stating: “We are persuaded that effective cybersecurity processes are designed and administered largely at the management level, and that directors with broad-based skills in risk management and strategy often effectively oversee management’s efforts without specific subject matter expertise, as they do with other sophisticated technical matters.”
Public companies (other than smaller reporting companies) must comply with the new Form 8-K cybersecurity incident reporting requirements starting the later of 90 days following publication in the Federal Register and December 18, 2023. The annual disclosures will be due starting with annual reports for fiscal years ending on or after December 15, 2023, which would be the Form 10-K for 2023 (filed in 2024) for companies with a calendar year end. All public companies should assess the potential impact of the modified rules and review their current cybersecurity-related policies and procedures.