On July 26, 2023, the Securities and Exchange Commission (the “SEC”) adopted final rules relating to enhanced cybersecurity disclosures, which became effective on September 5, 2023 (the “Final Rules”). The Final Rules apply to all registrants regardless of reporting status, including smaller reporting companies, emerging growth companies, and foreign private issuers.
For all registrants other than smaller reporting companies, the obligation to disclose a material cybersecurity incident on a Form 8-K (or Form 6-K) will begin on December 18, 2023. For smaller reporting companies, such obligation will begin on June 15, 2024. All registrants will be required to make cybersecurity risk management and oversight disclosures on their annual reports on either Form 10-K or Form 20-F, as applicable, for fiscal years ending on or after December 15, 2023. All disclosures must be tagged in iXBRL beginning one year after the initial compliance date for the related disclosure requirement.
Although the Final Rules require compliance within a relatively short timeframe, the SEC has in past years issued disclosure guidance for cybersecurity risks and incidents. In 2011, the SEC issued CF Disclosure Guidance: Topic No. 2 – Cybersecurity, which provided public companies with the SEC’s framework for how cybersecurity risks and incidents should be addressed in specific areas of disclosure, such as risk factors, MD&A, description of business, legal proceedings, financial statement disclosures, and disclosure controls and procedures. In 2018, the SEC published interpretive guidance (the “2018 Guidance”) to further assist public companies in preparing disclosures about cybersecurity risks and incidents. In the 2018 Guidance, the SEC emphasized the need to develop effective disclosure controls and procedures to ensure that a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about cybersecurity risks and incidents that the company has faced or is likely to face. The SEC further noted in the 2018 Guidance that the prohibition against corporate insiders trading a public company’s securities while in possession of material nonpublic information may extend to knowledge of a significant cybersecurity incident experienced by the company, and that the company’s insider trading policies and procedures should protect against any such trading.
The Final Rules will require current reporting on Form 8-K, or Form 6-K for foreign private issuers, of “material” cybersecurity incidents and annual reporting on Form 10-K, or Form 20-F for foreign private issuers, of any existing processes to assess, identify, and manage cybersecurity risk; whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the registrant; and the oversight of cybersecurity risk by the registrant’s board of directors and management’s role and expertise in assessing and managing material cybersecurity risk.
Material Cybersecurity Incident Disclosure
New Item 1.05 of Form 8-K requires disclosure within four business days if a registrant experiences a “cybersecurity incident” that is determined to be material. As per Instruction 1 to Item 1.05, the materiality determination regarding the incident must be made without unreasonable delay after discovery of the incident. The SEC noted that, in assessing the materiality of an incident, companies should consider qualitative factors alongside quantitative factors, such as harm to a company’s reputation, customer or vendor relationships, or competitiveness, or the possibility of litigation or of regulatory investigations or actions.
Required disclosure includes the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations. A registrant is not required to disclose specific or technical information about its planned response to the cybersecurity incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede its response or remediation of the incident.
The SEC intended for the definition of “cybersecurity incident” to be broadly construed, and the definition includes not only an unauthorized occurrence but also a “series of related unauthorized occurrences” on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein. The SEC noted that a series of related occurrences may collectively have a material impact or reasonably likely material impact and therefore trigger disclosure under Item 1.05, even if each individual occurrence on its own would not be material.
The test for determining whether a cybersecurity incident is material, thus triggering disclosure under new Item 1.05 of Form 8-K, is whether “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or whether it would have “significantly altered the ‘total mix’ of information made available,” which is consistent with the standard set out in cases addressing materiality under the securities laws (e.g., Basic Inc. v. Levinson). A registrant’s evaluation should take into consideration all relevant facts and circumstances, which may involve consideration of both quantitative and qualitative factors, such as immediate fallout and any longer-term effects on its operations, finances, brand perception, customer relationships, and so on.
The SEC did not exempt companies from providing disclosures regarding cybersecurity incidents on third-party systems used by companies and did not provide a safe harbor for information disclosed about third-party systems. However, the SEC noted that registrants should disclose based on the information available to them, and that the final rules generally do not require registrants to conduct additional inquiries outside of their regular channels of communication with third-party service providers pursuant to contracts with such providers and in accordance with their disclosure controls and procedures.
There are two limited exceptions for when disclosure may be delayed. A registrant can delay making the requisite disclosure if the United States Attorney General determines that disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination. In this situation, the Department of Justice will notify the registrant that it has made such communication to the SEC, and the registrant may delay its filing of the Form 8-K for up to 30 days.
Also, a registrant subject to the Federal Communications Commission’s rule for notification of breaches of customer proprietary network information to the United States Secret Service (the “USSS”) and the Federal Bureau of Investigation (the “FBI”) may delay Item 1.05 disclosure on Form 8-K for a period of up to seven business days following timely notification to the USSS and the FBI, as long as the registrant timely notifies the SEC.
To the extent any required information is not determined or is unavailable at the time of filing the Form 8-K, the registrant must include a statement to this effect and then file a Form 8-K amendment containing such information within four business days after it determines the information or such information becomes available.
Disclosure under Item 1.05 will be treated as “filed” instead of “furnished”; however, the untimely filing of an Item 1.05 Form 8-K will not result in the registrant’s loss of Form S-3 eligibility. Item 1.05 is also included in the list of Form 8-K items eligible for a limited safe harbor from liability under Section 10(b) and Rule 10b-5 under the Securities Exchange Act of 1934, as amended.
General Instruction B to Form 6-K was amended to reference material cybersecurity incidents among the items that may trigger a report on Form 6-K for foreign private issuers.
Cybersecurity Risk Management, Strategy and Governance Disclosure
Companies will be required to disclose information regarding their cybersecurity risk management, strategy, and governance under a new “Item 1C. Cybersecurity” in Part I of Form 10-K pursuant to new Item 106 of Regulation S-K.
Risk Management and Strategy. Under new Item 106(b) of Regulation S-K, a company must disclose its processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. In providing such disclosure, companies should address, as applicable, the following non-exclusive list of disclosure items:
- Whether and how any such processes have been integrated into the company’s overall risk management system or processes;
- Whether the company engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
- Whether the company has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.
A company must also describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition, and, if so, how.
Governance Disclosures. Under new Item 106(c) of Regulation S-K, companies must describe their board of directors’ oversight of risks from cybersecurity threats. If applicable, a company must identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describe the processes by which the board or such committee is informed about such risks.
Companies must also describe management’s role in assessing and managing the company’s material risks from cybersecurity threats. In providing such disclosure, companies should address, as applicable, the following non-exclusive list of disclosure items:
- Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
- The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
- Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.
Relevant expertise of management may include work experience in cybersecurity, any relevant degrees or certifications, or any knowledge, skills, or other background in cybersecurity.
Item 16K was added to Form 20-F to incorporate the same requirements for foreign private issuers as those set forth under Item 106 of Regulation S-K.
U.S. Securities and Exchange Commission, CF Disclosure Guidance: Topic No. 2 – Cybersecurity (October 13, 2011).
U.S. Securities and Exchange Commission, Release No. 33-10459, Commission Statement and Guidance on Public Company Cybersecurity Disclosures (February 26, 2018).
U.S. Securities and Exchange Commission, Release No. 33-11216, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (July 26, 2023), at 29.
Id. at 76.
Id. at 80.
Id. at 30–31.