SEC Cybersecurity Disclosure Final Rule

On July 26, 2023, the Securities and Exchange Commission (“SEC”) adopted final rules, rule amendments and form amendments to expand and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The final rules largely mirror the SEC’s proposed rules issued on March 9, 2022. By a 3-2 vote, the SEC adopted the final rules in response to what it views as the prevalence of cybersecurity risk and the lack of transparent and consistent disclosure regarding such risks. The SEC noted that approximately 83% of organizations have had at least one data breach, costing the U.S. trillions of dollars, with each breach costing companies an average of $9.4 million. The final rules are intended to create a uniform and comprehensive disclosure system so that investors can understand a company’s material cybersecurity incidents in a timely and adequate manner.

The final rules require current reporting about material cybersecurity incidents. The amendments also require periodic reporting about a company’s policies and procedures to identify and manage cybersecurity risk, the board of directors’ oversight of cybersecurity risk, and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures.

Incident Reporting on Form 8-K

The final rules add a new Item 1.05 to Form 8-K requiring disclosure of any cybersecurity incident a company determines to be material within four business days of that determination. The trigger date for the disclosure requirement is the date of the materiality determination, rather than the date of discovery of the incident. Required disclosure includes:

  • the material aspects of the nature, scope and timing of the incident; and
  • the material impact or reasonably likely material impact of the incident on the company, including its financial condition and results of operation.

The final rules add a requirement that the company must determine the materiality of an incident without unreasonable delay following discovery. An exemption was also added permitting delayed disclosure if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety. The Commission will consider additional requests for delay on a case-by-case basis.

An instruction will also be added to Item 1.05 of Form 8-K providing that companies do not need to disclose specific or technical information about their planned response or cybersecurity systems, networks and devices, or potential system vulnerabilities in such detail if it would impede their response or remediation of the incident.

The SEC clarified that an untimely Item 1.05 Form 8-K would not result in the loss of Form S-3 eligibility and would be covered by the safe harbor for Section 10(b) and Rule 10b-5 liability.

Periodic Reporting of Cybersecurity Incidents and Company Processes and Oversight

The final rules add a new Item 106 of Regulation S-K requiring disclosure of company processes, if any, for assessing, identifying, and managing material risk from cybersecurity threats, as well as whether any risks, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company. New Item 106 also requires disclosure of the board’s oversight of risks from cybersecurity threats and, to the extent applicable, any board committee responsible for such oversight.

Form 10-K has been amended to add Item 1C to Part I to include the information required by new Item 106 of Regulation S-K.

The final rules did not adopt the proposal to disclose cybersecurity expertise of directors of companies.

Compliance Dates

Compliance with the incident disclosure requirements in Item 1.05 of Form 8-K is required by the later of 90 days after the date of publication of the adopting release in the Federal Register or December 18, 2023.

Compliance with the periodic disclosure requirements in Item 106 of Regulation S-K is required beginning with annual reports for fiscal years ending on or after December 15, 2023.

Smaller reporting companies have an additional 180 days and must begin complying with Item 1.05 of Form 8-K on the later of 270 days from the effective date of the rules or June 15, 2024.

Compliance with the structured data requirements mandating Inline XBRL is required one year after initial compliance with the related disclosure requirement.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Keating Muething & Klekamp PLL | Attorney Advertising

Written by:

Keating Muething & Klekamp PLL