SEC’s New Cyber Incident Disclosure Requirements Will Go Into Effect in December

Come December 2023, public companies will have a very narrow window to report cybersecurity incidents that materially affect their companies. Companies will also have to report annually how they assess and manage cybersecurity threats at the Board and management levels. 

The Securities and Exchange Commission (SEC) voted on Wednesday, July 26, 2023, by a 3-2 vote along party lines, to adopt rules that require registrants to disclose, on a new Item 1.05 of Form 8-K, any “material” cybersecurity incident within four days after the registrant determines the incident to be material. Registrants must also disclose the nature, scope and timing of the incident, and its material or reasonably likely material impact on the registrant. Foreign private issuers must file Form 6-K to report material cybersecurity incidents.

The Final Rules in a Nutshell

The Final Rules (accessible here and summarized in the SEC’s accompanying fact sheet) largely track the proposed rules that the SEC put forward in March 2022, but contain many important changes. In general terms, the Final Rules require registrants to:

  • Disclose in Item 1.05 on Form 8-K “any cybersecurity incident they determine to be material” and to “describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations.”
  • Determine the “materiality of an incident without unreasonable delay following discovery and, if the incident is determined [to be] material, file an Item 1.05 Form 8-K generally within four business days of such determination.” (Emphasis added.)
  • Describe, under Regulation S-K Item 106, the processes by which registrants assess, identify and manage material risks from cybersecurity threats, as well as “whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant.”
  • Describe, under Regulation S-K Item 106, the “board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.”

The new four-day disclosure period may only be delayed if the United States Attorney General—not the registrant—believes that immediate disclosure would pose a substantial risk to national security or public safety. 

In addition to ad hoc disclosures of material incidents, starting in December, public companies will also have to include yearly information in their Form 10-K annual reports about the processes by which they assess, identify and manage material risks from cybersecurity threats. Registrants’ yearly disclosures must also include the material, or reasonably likely material, effects that cybersecurity threats and incidents pose for those registrants. In their Form 10-K filings, registrants must also describe their board’s oversight of risks from cybersecurity threats, and their management’s role and expertise in assessing and managing material risks from cyber threats. Foreign private issuers must file Form 20-F to report annually on their cybersecurity risk governance and management.

Form 10-K and 20-F annual disclosures will be due beginning with the companies’ annual reports for fiscal years ending on or after December 15, 2023. 

What to Do Now

To prepare for these fourth quarter 2023 compliance dates, companies should review and update their cybersecurity policies and procedures and incident management protocols. Issuers should also consider enhanced incident response training to raise awareness of the disclosure timelines. Additionally, companies should discuss how they plan to determine the materiality of a cybersecurity incident. 

Assessing Materiality Following a Cybersecurity Incident

The final rule only requires disclosure of cybersecurity incidents that are “material” under the federal securities laws, i.e., where there exists a “‘substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision, or if it would have ‘significantly altered the “total mix” of information made available.’” This materiality standard remains unchanged. However, the final rule now requires that the determination must occur without “unreasonable delay” (which is a slight softening from the proposed rule’s “as soon as reasonably practicable” timeframe). 

The SEC has previously noted that materiality assessments should consider both qualitative and quantitative factors and that this assessment should be holistic and not mechanical. The SEC, however, has otherwise declined to provide further guidance on the threshold for “materiality” in the context of cybersecurity incidents, despite numerous comments requesting such direction. 

The few public SEC investigations and enforcement actions related to cybersecurity disclosures to date nonetheless provide some direction. Collectively, they show that the SEC may consider a variety of factors when assessing the materiality of a cybersecurity incident in hindsight, including the volume and sensitivity of the data impacted, how the threat actor entered the system, whether data was exfiltrated or merely accessed, and how long the threat actor was in the system. Where a cybersecurity incident causes business or operational disruptions, the materiality analysis might include additional factors, such as which systems were disrupted (and in particular whether the company’s financial systems were impacted); the length of time that systems were interrupted; whether any backup systems exist or could be implemented; and the potential loss of revenue or other financial impact caused by the disruption.

Disclosure of a Company’s Cybersecurity Risk Management, Strategy, and Governance 

Under the adopted rule amendments, companies must describe their “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes” in their Form 10-K / 20-F filings. Importantly, “cybersecurity threat” is defined as any potential unauthorized occurrence on or conducted through a company’s information systems that may result in adverse effects on the confidentiality, integrity, or availability of the company’s information systems or any information residing in them. This may incentivize all companies providing information systems as a service to strengthen their know-your-customer policies.

Additionally, companies must discuss how their cybersecurity processes have been integrated into overall risk management processes, whether the company engages third parties in connection with its cybersecurity risk management processes, and if so, whether the company has a risk management process associated with its third-party service providers. 

Companies will be required to disclose their processes for assessing, identifying, and managing material cybersecurity threats, and the material impacts of those threats in their Form 10-K. 

Additionally, companies will be required to describe the board’s oversight of risks from cybersecurity threats, identify the board committees responsible for overseeing cybersecurity risks, and describe the processes by which the board is informed of cybersecurity risks. 

The SEC clarified that this list of disclosures is not exhaustive, and companies should disclose the information necessary for a reasonable investor to understand their cybersecurity processes.

RSLG’s Cybersecurity Capabilities

RSLG’s team provides clients with strategic counseling to boards, financial institutions, management teams and various regulated entities on a broad range of cybersecurity and securities-related issues and strategies in light of SEC rulemaking.