SEC adopts new rules to expand public company disclosure relating to cybersecurity by year end

Eversheds Sutherland (US) LLP

On July 26, 2023, the US Securities and Exchange Commission (SEC) released final rules requiring disclosure by public companies of material cybersecurity incidents and policies and procedures related to cybersecurity risk management, strategy, and governance (Cybersecurity Rules).1 The Cybersecurity Rules create new disclosure obligations for public companies subject to the reporting requirements of the Securities Exchange Act of 1934, as amended, including business development companies (BDCs) and foreign private issuers (FPIs).2 New disclosure obligations include:

  • disclosure of cybersecurity incidents3 that detail the nature, scope, timing, and impact of such incidents; and
  • disclosure of a registrant’s risk management, strategy, and governance regarding cybersecurity risks, including the board of directors’ oversight of cybersecurity risks and the impact of any such risks on its business strategy, results of operations and financial condition.

In discussing the motivation for the Cybersecurity Rules, the SEC highlighted that a number of trends have increased the need for investor access to timely and reliable information related to registrants’ cybersecurity. The SEC emphasized that there continues to be a growing number of cybersecurity incidents and threats, including as a result of remote work environments, reliance on third-party service providers for information technology services, and the monetization of cyberattacks, and that the adverse effects of such incidents are not uniformly disclosed, if at all.

Regardless of industry, the Cybersecurity Rules will require registrants to evaluate their current cybersecurity risk management practices. Given the short compliance timeline, registrants should begin evaluating whether their current cybersecurity policies and procedures, if any, account for the disclosure items contemplated by the Cybersecurity Rules.

Disclosure of Cybersecurity Incidents on Current Reports

As part of the SEC’s objective to create more uniform reporting requirements, the Cybersecurity Rules amend Form 8-K to add new Item 1.05 (Item 1.05), which requires registrants to promptly disclose material cybersecurity incidents. Item 1.05 requires a registrant to describe the material aspects of a cybersecurity incident, including:

  • the nature, scope, and timing of the incident; and
  • the impact or reasonably likely impact, including on the registrant’s financial condition and results of operations, of the incident.

The trigger date for Item 1.05 is the date that the registrant determines an incident was material, without unreasonable delay, at which point the registrant must generally file a Current Report on Form 8-K within four days. Failure to timely file a Current Report on Form 8-K triggered by Item 1.05 will not result in the loss of Form S-3 eligibility.4 Item 1.05 does not specify who is required to perform the materiality determination of a cybersecurity incident. Rather, the adopting release of the Cybersecurity Rules (the Adopting Release) explicitly notes that the registrant may establish a policy tasking one or more persons, including the board of directors, a committee of the board of directors, or one or more officers, to make the materiality determination.5

To ensure that registrants are able to adequately remedy cybersecurity incidents, Item 1.05 acknowledges that some information pertaining to such an incident may require discretion. Accordingly, Instruction 4 to Item 1.05 explicitly notes that the disclosure does not need to include technical information about the registrant’s planned response or its cybersecurity systems in such detail that it would impede the registrant’s response.6

In addition to the initial filing, Item 1.05 also includes an affirmative obligation to provide additional information as the cybersecurity incident develops to the extent required information was not available or could not be determined at the time of filing. Where the required information is not available, the registrant must undertake to file an amendment containing such information within four days of the new information being determined or becoming available.7

The Adopting Release also acknowledges that registrants may be impacted when third-party service providers experience cybersecurity incidents. Under those circumstances, the Cybersecurity Rules do not exempt registrants from providing disclosure relating to cybersecurity incidents of third parties, but rather explicitly contemplate that such an incident may be material to the registrant. As part of its justification, the SEC acknowledges that even though registrants have less control over third-party systems, the SEC “do[es] not believe a reasonable investor would view a significant breach of a registrant’s data as immaterial merely because the data were housed on a third-party system.”8

Notwithstanding the requirements of Item 1.05, a registrant may delay disclosing a cybersecurity incident for up to 30 days if the United States Attorney General determines that such disclosure poses a substantial risk to national security or public safety, and notifies the SEC of such determination in writing. Disclosure may be delayed for additional periods, subject to the United States Attorney General’s determination, if certain conditions are met. The delayed reporting requirement does not relieve a registrant of its obligations under Regulation FD or insider trading prohibitions.9

Disclosure of a Registrant’s Risk Management, Strategy, and Governance Regarding Cybersecurity Risks

Additionally, the Cybersecurity Rules add new Item 106 to Regulation S-K (Item 106), which the SEC believes will create more consistent and informative disclosure regarding cybersecurity risk management in registrants’ annual reports. Currently, the federal securities laws do not provide specific disclosure requirements relating to the oversight of cybersecurity risks. The SEC believes that the current disclosure regime allows for selective and incomplete disclosure, whereas a uniform reporting requirement will help investors adequately evaluate and compare registrants. The disclosure required by Item 106 will be included in a registrant’s Annual Report on Form 10-K, and can be incorporated by reference.10

Risk Management and Strategy (Item 106(b))

First, Item 106(b) will require a description of the registrant’s process for evaluating material cybersecurity risks.11 This includes a description of the registrant’s policies and procedures for assessing, identifying and managing cybersecurity threats.12 In evaluating the registrant’s policies and procedures for managing cybersecurity threats, Item 106(b) provides the following non-exhaustive list of considerations:

  • whether and how any such processes have been integrated into the registrant’s overall risk management system or processes;
  • whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
  • whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.

As part of its evaluation, the registrant will also need to describe whether any risks of cybersecurity threats, including those caused by previous cybersecurity incidents, have impacted its business strategy, results of operations, or financial condition.

Governance (Item 106(c))

Item 106(c) also requires a description of what role the board of directors and management play in the registrant’s cybersecurity risk management. Specifically, the registrant must describe how the board of directors oversees cybersecurity risks, including whether that responsibility is delegated to a committee of the board of directors. In particular, Item 106(c) requires identifying how the board of directors is informed of such risks. As an example, the Adopting Release identifies that one way for the board of directors to be informed is through periodic presentations by the registrant’s management.

Additionally, the registrant must describe management’s role in assessing and managing material risks from cybersecurity threats. As part of its disclosure, the registrant should consider the following when evaluating management’s role:

  • whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
  • the processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
  • whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.

When identifying cybersecurity risks, the Adopting Release emphasizes that management should focus on risks that are material to the registrant, and that Item 106(c) intentionally does not include a non-exhaustive list of examples to avoid the perception of prescribing cybersecurity policy.13 Even though Item 106(c) does not specify what risks may be considered material, the Adopting Release provides certain examples, including the following: intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy laws and other litigation and legal risk; and reputational risk.

Foreign Private Issuers

The Cybersecurity Rules also amend the disclosure obligations for FPIs in a parallel manner. For the current reporting obligations of FPIs, Form 6-K is amended to require disclosure relating to material cybersecurity incidents that such registrant would be required to disclose or otherwise publicize in a foreign jurisdiction, to any stock exchange, or to security holders. Similarly, Form 20-F is amended to include Part II Item 16K in an FPI’s annual report, which is substantially similar to the reporting obligations of Item 106.

Compliance

The Cybersecurity Rules will become effective 30 days after the date of publication in the Federal Register. Public companies must comply with the disclosure requirements in Item 106 beginning with the annual report on Form 10-K or 20-F, as applicable, for the fiscal year ending December 15, 2023, or later. Public companies must report cybersecurity incidents on Form 8-K or 6-K under Item 1.05 beginning on the later of 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K or Form 6-K disclosure. All registrants must tag disclosures required under the Cybersecurity Rules in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.

Potential Next Steps

In particular, registrants should consider the following in anticipation of compliance with the Cybersecurity Rules:

  • registrants should be able to demonstrate a clear process for determining the materiality of cybersecurity incidents and related risks, including who will make such determination and whether the incident may constitute a threat to national security or public safety that would qualify for the reporting delay exception;
  • registrants should evaluate whether their policies and procedures adequately describe the role of their board of directors and management in overseeing cybersecurity risks, and whether the board of directors is adequately informed of such risks;
  • registrants should evaluate their oversight and monitoring of third-party service providers to ensure that they are able to adequately determine the materiality of cybersecurity incidents experienced by third-party systems;
  • finally, registrants should consider re-assessing their overall capabilities for regulatory (as well as individual) notifications. Such quick public disclosures will put a further premium on ensuring timely, consistent and coordinated communications in the event of a material cybersecurity event.

________

1 Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) (Adopting Release).

2 The SEC is considering related proposals covering cybersecurity risk management for registered investment companies, investment advisers, broker-dealers, clearing agencies, major security-based swap participants, national securities associations and exchanges, but has not adopted final rules at this time.

3 A “cybersecurity incident” means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein. 17 CFR 229.106(a).

4 17 CFR 239.13(a)(3)(ii) (as amended by the Cybersecurity Rules).

5 Adopting Release at 38, n. 134.

6 Adopting Release at 30, 185 (referencing Instruction 4 to Item 1.05 of Form 8-K).

7 Adopting Release at 32, n. 125.

8 Adopting Release at 30.

9 Adopting Release at 34, n. 129.

10 Adopting Release at 65.

11 17 CFR 229.106(b).

12 A “cybersecurity threat” means any potential unauthorized occurrence on or conducted through a registrant’s information systems that may result in adverse effects on the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein. 17 CFR 229.106(a).

13 Adopting Release at 62. 


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising
