On July 26, 2023, the Securities and Exchange Commission (the “SEC” or “Commission”) voted 3-2[1] to adopt new rules (“New Rules”) to enhance and standardize timely disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934 (the “Exchange Act”). [2] The New Rules have added a new Item 1.05 on Form 8-K where registrants must disclose a material cybersecurity incident within four days of management’s determination that the incident is material, subject only to a narrow exception for national security issues. The New Rules also include updated cybersecurity risk management, strategy, and governance disclosure obligations in Forms 10-K and 10-Q, including disclosures regarding management’s role in assessing and managing risks from cybersecurity threats.
I. Background
The New Rules, originally proposed in March 2022[3] and discussed extensively in a previous Client Alert,[4] are the SEC’s first formally adopted rules addressing cybersecurity practices and disclosures of cybersecurity incidents for public companies. The New Rules build on previous SEC interpretive guidance regarding cybersecurity disclosures from 2011[5] and 2018,[6] as well as Regulation SCI’s specific requirements for Self-Regulating Organizations and Clearing Agencies.[7] While the SEC’s previously-issued guidance provided registrants with some insight regarding information that the SEC deemed material, the guidance did not create an express obligation to . Additionally, the SEC found that current cybersecurity disclosure practices too varied, making it difficult for investors to locate, interpret, and analyze the information registrants provided.[8] One of the SEC’s primary stated motivations for the New Rules is its belief that investors would benefit from more timely and consistent cybersecurity disclosures to make informed investment decisions. A statement released by Chair Gary Gensler on the same day that the New Rules were adopted explained his belief that under the New Rules, cybersecurity disclosures will be “more consistent, comparable and decision-useful.”[9]
II. Cybersecurity Incident Reporting Requirement
A. Four-Day Incident Reporting
The most notable aspect of the New Rules is a requirement that registrants disclose a material cybersecurity incident[10] within four days of management’s determination, without unreasonable delay in making that determination, that the incident is material.[11] Registrants will make these disclosures on the new Item 1.05 of Form 8-K, and should include in their disclosure all known material aspects of the incident, including: (1) the nature, scope, and timing of the incident; and (2) the incident’s impact or reasonably likely impact on the registrant, including its financial condition and results of operations.[12]
The Commission also clarified that a series of individually immaterial events, which become material in the aggregate, may trigger Item 1.05 reporting requirements,[13] as might incidents that occur on a third-party service provider’s systems.[14] Additionally, the Commission added an Instruction 4 to Item 1.05 to provide that a “registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.” Finally, to the extent information regarding a material cybersecurity incident is unavailable or not determined at the time of filing the initial Form 8-K, registrants are directed to identify these gaps on their initial Form 8-K and to subsequently update their initial filing after such information becomes available.[15]
The New Rules are slightly narrower in scope than those proposed in March 2022. For example, a registrant is no longer required to disclose information regarding cybersecurity incident remediation status, and “need not disclose specific or technical information about its planned response to the incident…”[16] Further, the determination of materiality, which prompts disclosure, must be made “without unreasonable delay” rather than “as soon as reasonably practicable.”[17] Finally, the Commission decided not to adopt proposed Items 106(d)(1)[18] and (2),[19] which required registrants to provide updated disclosures in periodic reporting regarding incidents previously disclosed pursuant to Item 1.05 of Form 8-K.[20]
B. The National Security Exception
The only exception to the four-day disclosure requirement included in the New Rules is for those instances where disclosure would present a substantial risk to national security or the public interest.[21] However, registrants may only rely on this exception with a written determination from the Attorney General to the Commission that such a substantial risk exists. Notably, this exception is only temporary; the Attorney General can delay disclosure for a period of time specified by the Attorney General, not to exceed 30 days, which, with further coordination between the Attorney General and the Commission, can be extended to 120 days.[22] Given the high standard to meet this threshold and the requirement to obtain a written determination from the Attorney General, use of this exception is likely to be extremely limited.
III. Updated 10-K and 10-Q Disclosure Requirements
A. Processes Disclosures
The New Rules also amend Regulation S-K, requiring new cybersecurity disclosures on Forms 10-K and 10-Q. Registrants will now be required to describe their “processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.”[23] As with the new cybersecurity incident reporting requirements, the New Rules require registrants to make forward-looking disclosures on their periodic reports regarding whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition.[24] Other disclosure requirements include:
- Whether and how the registrant’s cybersecurity processes have been integrated into its overall risk management system or processes;
- Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
- Whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.[25]
Though the New Rules increase the disclosure burden on registrants, the New Rules were pared back from those originally proposed in March 2022. Notably, the Commission requires registrants to disclose “processes” for managing material cybersecurity risks rather than “policies and procedures” to alleviate concerns that disclosures would require registrants to divulge “the kinds of operational details that could be weaponized by threat actors.”[26] Additionally, a list of enumerated, nonexclusive disclosure elements was removed in response to comments asserting that such disclosures would require excessive granularity, which would advantage threat actors, in addition to being unnecessarily prescriptive.[27]
B. Governance Disclosures
Registrants will also be required to disclose internal governance structures designed to oversee cybersecurity risk. Specifically, registrants will have to disclose a description of the board’s oversight of material cybersecurity risks, and if applicable, identify any board committee or subcommittee responsible for such oversight, and describe the processes by which the board or such committee is informed about such risks.[28] Further, the New Rules direct, but do not require, registrants to consider disclosing the following as part of a description of management’s role in assessing and managing material cybersecurity risks:
- Whether and which management positions or committees are responsible for assessing and managing such risks, and relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
- The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
- Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.[29]
As with the disclosures concerning registrants’ cybersecurity risk management processes, the Commission made significant modifications in the adopted New Rules to requirements regarding governance oversight of a registrant’s cybersecurity risk. The requirements, implemented at Regulation S-K Item 106(c)(2), are less granular than originally proposed. The adopted New Rules removed requirements that registrants disclose the frequency of board discussions regarding cybersecurity and whether, and how, the Board integrates cybersecurity into its business strategy, risk management and financial oversight.[30] Notably, the SEC abandoned the requirement that registrants disclose the cybersecurity expertise of board members after being persuaded that cybersecurity process decisions are primarily designed and administered by management, rather than at the board level.[31]
The New Rules will also require parallel cybersecurity disclosure requirements from foreign private issuers in Forms 20-K and 6-K.[32]
C. Possible Challenges
Regardless of such efforts, the as-adopted New Rules were not without criticism. The New Rules were adopted by a 3-2 vote, with Commissioners Hester Peirce and Mark Uyeda issuing statements in dissent. Commissioner Peirce argued that the New Rules will be unnecessary and costly to companies.[33] She also expressed concern that the information may be more helpful to would-be hackers than investors. Commissioner Uyeda argued the New Rules elevated cybersecurity disclosures above those required for other risks and issues, “some of which may be more material to investors.”[34] He also stated that the New Rules, specifically the new Item 1.05 disclosures, “break new ground” by requiring “real-time, forward-looking disclosure.” Finally, Commissioner Uyeda stated the decision to not designate the New Rules as a “major rule” under the Small Business and Regulatory Enforcement Act was “not credible or supportable.”[35] By calling attention to specific aspects of the New Rules, the dissenting Commissioners may be providing a road map for would-be challengers.
IV. Key Takeaways and Next Steps
These New Rules make it imperative that all registrants have mature cybersecurity risk management processes, well integrated with company leadership. Not only must these processes be disclosed under the New Rules, but the four-day cybersecurity incident reporting requirement leaves little margin for error. Without strong cybersecurity risk management governance processes, including service provider and vendor oversight, it may be very difficult to comply with this narrow window. In addition, the extremely limited disclosure exception the New Rules provide indicates that the Commission expects registrants to disclose most material cybersecurity incidents. The SEC also has a proposal in the works to create new and revised cybersecurity requirements for investment funds, advisers, broker-dealers, market entities and others.[36] The Commission is taking cybersecurity seriously, and all companies regulated by the SEC should expect to be required to shore up their governance processes.
The New Rules will be effective 30 days after publication in the Federal Register, with targeted dates in mid-December 2023 for larger companies, and mid-June 2024 for smaller companies. Once the New Rules are in effect, registrants will be required to include updated disclosures under Item 106 of Regulation S-K, primarily affecting Forms 10-K and 10-Q, beginning with annual reports for fiscal years ending on or after December 15, 2023.[37]
Click here to download this article.
[1] For a discussion of Commissioners Hester Peirce and Mark Uyeda’s dissenting statements, See Infra Section III(C).
[2] U.S. Securities and Exchange Commission, Final Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Exchange Act Release Nos. 33-11216; 34-97989; File No. S7-09-22 (Jul. 26, 2023), available here.
[3] See Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Exchange Act Release Nos. 33-11038; 34-94382; IC-34529; File No. S7-09-22 (Mar. 9, 2022), available here.
[4] SEC Proposes Cybersecurity Rules, Willkie Client Alert (Mar. 15, 2022), available here.
[5] U.S. Securities and Exchange Commission, Division of Corporate Finance Disclosure Guidance: Topic No. 2 Cybersecurity (Oct. 13, 2011), available here.
[6] U.S. Securities and Exchange Commission, Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Exchange Act Release Nos. 33-10459; 34-82746 (Feb. 26, 2018), available here.
[7] See SEC Regulation Systems Compliance and Integrity, 17 C.F.R. §§ 240, 242, and 249 (2014), available here.
[8] Supra Note 2 at pp. 6—7.
[9] Press Release, U.S. Securities and Exchange Commission, SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (Jul. 26, 2023), available here.
[10] Cybersecurity Incident” as defined by the adopted New Rules means: “An unauthorized occurrence, or series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” Supra Note 2, at p. 76.
[11] Supra Note 2 at p. 37.
[12] Id. p. 29.
[13] Supra Note 2 at p. 53.
[14] Id. p. 78—79.
[15] Id. pp. 50—51.
[16] Id. p. 30.
[17] Id. p. 37.
[18] As proposed, Item 106(d)(1) would have required disclosure, in periodic reports, of the following: (1) Any material effect of the incident on the registrant’s operations and financial condition; (2) Any potential material future impacts on the registrant’s operations and financial condition; (3) Whether the registrant has remediated or is currently remediating the incident; and (4) Any changes in the registrant’s policies and procedures as a result of the cybersecurity incident, and how the incident may have informed such changes. Supra Note 2, at p. 46.
[19] As proposed, Item 106(d)(2) would have required disclosure in periodic reports when a registrant determines that a series of previously undisclosed but related immaterial cyberattacks amount to having a material effect: (1) A general description of when the incidents were discovered and whether they are ongoing; (2) A brief description of the nature and scope of the incidents; (3) Whether any data were stolen or altered in connection with the incidents; (4) The effect of the incidents on the registrant’s operations; and (5) Whether the registrant has remediated or is currently remediating the incidents. Supra Note 2, at p. 47.
[20] See Supra Section II(A) for a discussion of the requirement to file an amended Form 8-K to incidents disclosed pursuant to Item 1.05.
[21] Supra Note 2 at p. 11.
[22] Supra Note 2 at p. 34.
[23] Id. p. 61.
[24] Id. p. 29-30. The adopting release notes the rule’s inclusion of “financial condition and results of operations” is not exclusive; companies should consider qualitative factors alongside quantitative factors in assessing the material impact of an incident. “Harm to a company’s reputation, customer or vendor relationships, or competitiveness may be examples of a material impact on the company. Similarly, the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and Federal governmental authorities and non-U.S. authorities, may constitute a reasonably likely material impact on the registrant.”
[25] Id. pp. 62—63.
[26] Supra Note 2 at p. 61.
[27] Id. p. 62.
[28] Id. pp. 68—69.
[29] Id. p. 70.
[30] Id. pp. 68—69.
[31] Id. pp. 83—85.
[32] Supra Note 2 at p. 87.
[33] Hester M. Peirce, Commissioner, U.S. Securities & Exchange Commission, Harming Investors and Helping Hackers: Statement on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (Jul 26, 2023), available here.
[34] Mark T. Uyeda, Commissioner, U.S. Securities & Exchange Commission, Statement on the Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (Jul. 26, 2023), available here.
[35] Id.
[36] Press Release, U.S. Securities and Exchange Commission, SEC Proposes Cybersecurity Risk Management Rules and Amendments for Registered Investment Advisers and Funds (Feb. 9, 2022), available here.
[37] Supra Note 2 at p. 107.
