On December 14, 2023, Erik Gerding, Director, Division of Corporation Finance at the Securities and Exchange Commission (“SEC”) gave a speech on the SEC’s final rules (the “Final Rule(s)”) regarding cybersecurity risk management, strategy, governance and incident reporting for public companies. The Final Rules require public companies to disclose material cybersecurity incidents they experience on a near real-time basis on Form 8-K and material information regarding their cybersecurity risk management, strategy, and governance on an annual basis in Form 10-K. The Final Rules are currently effective with compliance with the material cybersecurity incident disclosure requirements generally required after December 18, 2023.

Mr. Gerding explained that the SEC staff considered the comment letters it received related to the proposed rule as it evaluated what changes to make in the Final Rule, all with the goal of developing rules that advance the SEC’s aim to protect investors and facilitate capital formation. Mr. Gerding’s speech went on to address the following topics:

• An overview of the Final Rule and its rationale;
• The cybersecurity incident disclosure provision;
• The national security and public safety delay provision;
• The risk management, strategy, and governance disclosure provisions; and
• Next steps.

Overview of the Final Rule and its rationale

Disclosure practices have been inconsistent regarding material cybersecurity incidents and cybersecurity risk management and governance. The Final Rules are intended to provide investors with the timely, consistent, comparable, and decision-useful information that they need to make informed investment and voting decisions.

Mr. Gerding noted that cybersecurity risks have become more prevalent and expressed his view that emerging technologies like artificial intelligence could have a dual impact—enabling public companies to better defend against cybersecurity threats while at the same time allowing threat actors to mount more sophisticated attacks. He went on to say that the SEC further observes that that the costs incurred by public companies, and thereby borne by their investors, in connection with cybersecurity incidents has increased. Together, these trends underscore the need for companies to provide their investors with additional disclosure related to cybersecurity risks and incidents, as mandated by the Final Rules.

Mr. Gerding noted that the Final Rules are not meant to force public companies to follow prescribed methods of managing cybersecurity risk, governance or strategy. Instead, pursuant to the Final Rules, public companies are empowered to manage cybersecurity risks and threats in light of their own circumstances. The two-pronged approach of the Final Rules—requiring public companies to disclose certain key details regarding material cybersecurity incidents within four business days of the public company’s determination that it has experienced a material cybersecurity incident and annual disclosure of a public company’s cybersecurity risk assessment processes and the respective roles of its board of directors and management in overseeing and managing cybersecurity threats— are meant to provide investors with consistent and comparable disclosures across issuers so that they are able to more easily evaluate issuers’ ability to address their cybersecurity risks and threats.

The cybersecurity incident disclosure provision

In explaining the Final Rules’ cybersecurity incident disclosure provision, Mr. Gerding outlined three questions with answers to each of them summarized in the following subsections.

What must be disclosed?

The cybersecurity incident disclosure provision requires public companies to disclose material cybersecurity incidents and to describe the material aspects of the nature, scope, and timing of the incident along with the material impact or reasonably likely material impact of the incident on the company, including its financial condition and results of operations. In light of the compliance costs to companies and to not detract from their ability to respond to and remediate the impacts of cybersecurity incidents, this aspect of the Final Rule represents a pulling back from the approach outlined in the proposed rule, which would have required additional details not limited by materiality. Furthermore, in an effort to balance the need for disclosure with the risk that specific technical information could provide a roadmap for threat actors to exploit in future cyber-attacks, the Final Rules specifically instruct that issuers:

“[N]eed not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.”

When must it be disclosed?

In line with the deadline for other Form 8-K disclosures, to comply with the cybersecurity incident disclosure provision, public companies must provide the required disclosure within four business days after the company determines an incident is material. Mr. Gerding notes that the SEC specifically chose the disclosure trigger to be determination of materiality rather than the incident’s occurrence in order to provide public companies with sufficient time to make an informed materiality determination. Upon becoming aware of a cybersecurity incident, public companies may alert similarly situated companies and government actors at any point so long as the company does not unreasonably hold up its internal processes for determining materiality.

Why use a materiality standard?

According to Mr. Gerding, there was a call for a more defined approach rather than the adoption of a materiality standard as it relates to cybersecurity incident disclosures. However, Mr. Gerding pointed out how materiality is a “touchstone of securities laws” often being employed to strike the appropriate balance of disclosure to investors. With respect to cybersecurity incident disclosure, Mr. Gerding notes that employing a materiality standard makes sense considering some companies may experience cyber-attacks frequently.

Mr. Gerding reiterated the SEC’s guidance that the materiality standard applicable to the cybersecurity incident disclosure provision is the standard securities law approach (i.e., that is set forth in TSC Industries, Inc. v. Northway, Basic, Inc. v. Levinson, and Matrixx Initiatives, Inc. v. Siracusano and in other SEC rulemaking).

The national security and public safety delay provision

The Final Rules enable issuers to delay reporting of a cybersecurity incident where reporting would pose substantial risk to national security or public safety. This delayed reporting is contingent on written notification by the Attorney General, as informed by other Federal or other law enforcement agencies’ findings, if applicable. Mr. Gerding notes that the Department of Justice (“DOJ”) has put out guidelines on how companies should go about seeking a delay and the procedures the Attorney General will use to determine whether a delay should be permitted. Under the guidelines, Federal Bureau of Investigation (“FBI”) field offices serve as primary points of contact for companies seeking a delay.

Mr. Gerding also pointed out that in the Division of Corporation Finance’s recent compliance and disclosure interpretation (“C&DI”) related to the Final Rules, it is clarified that merely engaging with the Attorney General regarding the availability of the delay provision does not necessitate a finding that a cybersecurity incident was material. Accordingly, he notes that companies should not be deterred from engaging with law enforcement or national security agencies regarding cybersecurity incidents. In addition, the applicable C&DI points out that issuers are free to consult with the DOJ, FBI, the Cybersecurity & Infrastructure Security Agency, or any other law enforcement or national security agency at any point regarding an incident, including before a materiality determination is made. Mr. Gerding then explains that engaging with these entities in a timely fashion could guide a public company’s determination as to whether it would be appropriate to seek a delay from the DOJ.

The risk management, strategy, and governance disclosure provisions

The Final Rules also require that public companies make annual disclosures about their cybersecurity risk management, strategy, and governance. Again, Mr. Gerding points out that the Final Rules represent a step-back from the level of disclosure initially proposed to “avoid being overly prescriptive” and to limit the information threat actors could use against a company and its investors. Accordingly, to combat concerns that if public companies were required to disclose if any of their directors had cybersecurity expertise, companies would be forced to nominate a cybersecurity expert for membership on the board, that requirement was dropped in the Final Rules in favor of a more high-level approach. On the other hand, the Final Rule requires disclosures regarding management’s role in assessing and managing material risks from cybersecurity threats, including, as applicable, whether and which management positions or committees are responsible for cybersecurity threats, and their relevant expertise.

Next steps and closing remarks

In ensuring compliance with the Final Rules, Mr. Gerding explains that the SEC recognizes that, for public companies, this may involve conversations among companies’ internal team members responsible for securities law compliance. In addition, Mr. Gerding encourages public companies to speak with the Division of Corporation Finance about their questions on the Final Rules. He notes that the Division of Corporation Finance is hard at work preparing for the first year of disclosure under the Final Rules and that the Division is not aiming to make “’gotcha’ comments or penalize foot faults.” Rather, it will issue additional C&DIs or other guidance, as appropriate to ease issuers’ compliance with the Final Rules. He specifically states, “I recognize the value of creating incentives for good faith efforts to comply with new rules, and I hope this message and our Division’s track record with respect to…other rules provides reassurance to companies and their advisers, particularly in the first year of effectiveness for this rule.” Mr. Gerding ended the speech by underscoring the SEC’s intent in adopting the Final Rules—to provide investors with consistent, comparable and useful information—not to rule make for the sake of rulemaking or to elicit boilerplate disclosure.