SEC Adopts Rules for Cybersecurity Disclosures

Sullivan & Worcester

On July 26, 2023, the Securities and Exchange Commission (SEC) adopted rules imposing significant new disclosure requirements regarding cybersecurity risk management, strategy and governance and incident reporting by public companies. The purpose of the new rules is to improve investors’ understanding of a company’s exposure to cybersecurity incidents and its ability to manage and mitigate cybersecurity risks.

The new rules require companies to (i) disclose information about material cybersecurity incidents within four business days of determining that the incident is material, (ii) make annual disclosures about the company’s processes to assess, identify, and manage cybersecurity risks, and (iii) present cybersecurity disclosures in XBRL. While the new rules do not impose an obligation to adopt new cybersecurity policies, companies will have to adapt quickly to make meaningful disclosures starting in December 2023.

What are the new disclosure requirements?

1. Disclosure of Cybersecurity Incidents on Current Reports

The new rules require companies to disclose any cybersecurity incident that is determined to be material, and describe the material aspects of the incident’s nature, scope, and timing; and the incident’s impact or reasonably likely impact on the company. “Cybersecurity incident” is defined broadly and includes an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a company’s information systems that jeopardizes the confidentiality, integrity, or availability of a company’s information systems or any information residing therein.

When and how to make the disclosure: The disclosure must be made under new Item 1.05 of Form 8-K (and for foreign private issuers in Form 6-Ks) within four business days of determining that an incident was material. The materiality determination may be later than four business days after the incident itself, but the rules require that the determination be made "as soon as reasonably practicable after discovery of the incident." This means that companies may have to make the determination and the disclosure while the incident investigation and/or the remediation of the incident are still ongoing.

The rules allow only a limited exception that is likely to apply rarely: the disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing. The rules also allow a delay in disclosure of up to seven days if a company is subject to certain rules of the Federal Communications Commission for breaches of customer proprietary network information, so long as the company notifies the SEC in correspondence submitted to the EDGAR system no later than the date on which the disclosure required by new Item 1.05 was otherwise required to be provided.

How to make the materiality determination: The new rules do not specify how the materiality determination should be made. Rather, the SEC referred to the materiality definitions of the securities laws and related court decisions which provide that information is material if there is "a substantial likelihood that a reasonable investor would attach importance in determining whether to purchase the security registered" or if it would have "significantly altered the 'total mix' of information made available."

What to include in the disclosure: The disclosure must include, to the extent known at the time of filing:

  • When the incident was discovered and whether it is ongoing;
  • A brief description of the nature and scope of the incident;
  • Whether any data was stolen, altered, accessed or used for any other unauthorized purpose;
  • The effect of the incident on the company’s operations; and
  • Whether the company has remediated or is currently remediating the incident.

In response to concerns expressed during the comment process on the proposed rules, the new rules do not require disclosures of specific, technical information about the company’s planned response to the incident or its cybersecurity systems and devices.

To address the relatively early disclosure requirement, the rules allow companies to state if certain information is not yet available. In that case, an amendment to the initial Form 8-K (and for foreign private issuers Form 6-K) must be filed once that information becomes available. An amendment must also be filed if the company realizes that the original filing was untrue or inaccurate.

2. Disclosure of the Company’s Risk Management, Strategy and Governance Regarding Cybersecurity Risks

The second new disclosure obligation requires the disclosure of a company’s processes, if any, for cybersecurity risk management and strategy, and whether any incidents or risks from cybersecurity threats have or will likely affect the business strategy, results of operations, or financial condition. A "cybersecurity threat" includes any potential unauthorized occurrence on or conducted through a company’s information systems that may result in adverse effects on the confidentiality, integrity, or availability of a company’s information systems or any information residing therein.

When and how to make the disclosure: The disclosure must be made in the company’s annual reports on Form 10-K (or Form 20-F for foreign private issuers).

What to include in the disclosure: The disclosure must include a description of the following:

  • Processes: The company’s processes (if any) for the assessment, identification, and management of material risks from cybersecurity threats. If applicable, the company will have to include "sufficient detail[s] for a reasonable investor to understand those processes," namely:
    • Whether and how processes have been integrated into the company’s overall risk management system or processes;
    • Whether the company engages consultants or other third parties in connection with cybersecurity risk processes; and
    • Whether the company has processes to oversee and identify risks from cybersecurity threats associated with the use of any third-party service provider.
  • Incidents: Whether any incidents or risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the company’s business strategy, results of operations or financial condition and, if so, how.
  • Management: Management’s role and expertise in assessing and managing material risks from cybersecurity threats, in particular:
    • Whether and which management positions or committees are responsible;
    • The relevant expertise of responsible persons or members;
    • Processes by which management is informed and monitors cybersecurity; and
    • Whether management reports to the board of directors.
  • Board of Directors: The board’s oversight and whether there is a board committee or subcommittee responsible for the oversight of risks from cybersecurity threats. Unlike the proposed rules, however, the final rules do not require a disclosure of the board’s or individual director’s cybersecurity expertise.

What are the Deadlines for Compliance?

The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure. All companies must tag disclosures required under the rules in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.

How should Companies Prepare for the New Disclosures?

With regard to incident reporting on current reports, companies need to implement or update their procedures so they can both adequately respond to the incident itself and make a timely materiality determination (as discussed above, this determination must be made as soon as reasonably practicable after discovery of the incident). Companies will also have to update their disclosure controls and procedures to meet the short four-business-day deadline for filing the Form 8-K (or Form 6-K).

With regard to the new annual disclosures, companies should evaluate and, if necessary, update their current policies and procedures related to cybersecurity. This may require adopting new policies and procedures, appointing new managers and directors to oversee cybersecurity risk processes, providing cybersecurity training to the responsible management (and directors), and implementing oversight of third-party service providers with regard to cybersecurity risks.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sullivan & Worcester | Attorney Advertising
