On July 26, 2023, the Securities and Exchange Commission (“SEC”) adopted its long-anticipated cybersecurity reporting rule (the “Final Rule”). The Final Rule applies to public companies subject to the reporting requirements of the Securities Exchange Act of 1934 and, in some cases, to foreign private issuers. As quoted in the SEC’s press release, SEC Commissioner Gary Gensler noted that many public companies already make cybersecurity disclosures to investors, and the Final Rule provides uniformity and structure for these future disclosures. The Final Rule also imposes a tight timeline for cybersecurity incident reporting and may include disclosure of an ongoing cybersecurity incident, as well as requiring periodic disclosures concerning organizational cybersecurity risk management processes and governance.
A. Four (4) Business Day Reporting Requirement of “Material” Cybersecurity Incidents
Under the Final Rule, public companies are required to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident within four (4) business days of the “trigger” date, i.e., the date on which the company determines the incident to be “material.” A cybersecurity incident is defined as “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” An Item 1.05 disclosure must describe the nature, scope, and timing of the incident, and its material impact, or reasonably likely material impact, on the company. The registrant need not disclose, however, specific or technical information about the company’s planned response to the incident or details about its cybersecurity systems, related networks and devices, or potential system vulnerabilities that would impede the registrant’s response to or remediation of the incident. Notably, there is no exception for reporting material incidents occurring on third-party systems, including cloud-based services. Companies must make a materiality determination regarding a cybersecurity incident “without unreasonable delay.”
Unquestionably, the “materiality” of a cybersecurity incident will be subject to a fact-intensive determination in light of applicable legal standards. The SEC’s summary accompanying the Final Rule indicates that “materiality” should be based on the standard set out in the cases addressing materiality in securities laws and regulations, and that the SEC expects “registrants will apply materiality considerations as would be applied regarding any other risk or event that a registrant faces,” namely that “information is material if there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.”
Despite receiving “a significant amount of feedback from commenters” after releasing the proposed version of the Final Rule, including concerns that these public cybersecurity incident disclosures could tip off the threat actor or draw attacks from other threat actors who were previously unaware of a vulnerability, the SEC ultimately did not remove the four (4) business day disclosure requirement in the Final Rule, although the agency did include a safety valve mechanism in the Final Rule to delay disclosure with approval from the United States Attorney General where such disclosure could put national security or public safety at substantial risk.
Because of the practical realities of investigating and remediating a cybersecurity incident, the SEC recognizes that companies may not know all of the pertinent details within four (4) business days of determining that a cybersecurity incident is material. Thus, the Final Rule provides that companies may file amendments to their Form 8-K disclosure after identifying any information that was “not determined or is unavailable at the time of the [initial] filing,” within four (4) business days after such new information becomes available.
The SEC’s summary highlights the underpinnings of the Final Rule, namely: the ever-increasing dependence on electronic systems for economic activity and the negative economic impact of cyberattacks; the rise in the frequency and scope of cyberattacks, propelled by remote work spurred by the COVID-19 pandemic and increased reliance on third-party service providers; new types of cyber threats, including those from artificial intelligence; and the significant costs to companies associated with responding to and mitigating cyberattacks. The SEC also noted in its summary the Final Rule’s alignment with legislative trends toward earlier cybersecurity incident reporting, including the 72-hour period for reporting covered cyber incidents and ransomware payments under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (subject to final rulemaking), which we have previously discussed in our blogs.
B. Periodic Disclosures of Cybersecurity Risk Processes and Governance
In addition to the cybersecurity incident reporting requirements, the Final Rule also adds Regulation S-K Items 106(b) and 106(c), which require public companies to describe in their Form 10-K information about cybersecurity risk management and, in Form 20-F, information about cybersecurity governance. As to risk management reporting, this includes describing, among other things: (i) the organizational processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, in sufficient detail for a reasonable investor to understand those processes; and (ii) whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the company’s business strategy, results of operations, or financial condition. As to governance reporting, the information provided must include the board of directors’ oversight of risks from cybersecurity threats and management’s role in assessing and managing material risks from cybersecurity threats.
Notably, the SEC considered, but ultimately did not include in the Final Rule, a requirement to disclose the cybersecurity expertise of a registrant’s board of directors. After considering comments, including comments that such a requirement would “pressure companies to retain cybersecurity experts on their board,” the SEC concluded that “directors with broad-based skills in risk management and strategy often effectively oversee management’s efforts without subject matter expertise, as they do with other sophisticated technical matters.” The SEC also noted that this information may still be disclosed elsewhere, explaining that “a registrant that has determined that board-level expertise is a necessary component to the registrant’s cyber-risk management would likely provide that disclosure pursuant to Items 106(b) and (c).”
As described in the SEC’s Fact Sheet for the Final Rule, Form 10-K and Form 20-F periodic disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023, and the incident disclosure on Form 8-K will be due beginning 90 days after the date of publication in the Federal Register or December 18, 2023, whichever is later. “Smaller reporting companies” (as defined in SEC regulations) will have an additional 180 days before they must provide the Form 8-K disclosure.