As a significant step in its ongoing initiatives on the disclosure, management, and oversight of cybersecurity risks and incidents, on July 26, 2023, the US Securities and Exchange Commission (SEC or Commission) adopted rules requiring registrants to disclose material cybersecurity incidents and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. The Commission also adopted rules requiring foreign private issuers to make comparable disclosures.
The Commission made a number of notable changes from the proposing release, including the following:
- The SEC removed the proposed requirements to identify individual board of director members with expertise in cybersecurity matters and to disclose their qualifications and experience in Form 10-K annual reports and proxy and information statements on Schedules 14A and 14C (but retained the requirement to identify relevant expertise of cybersecurity management).
- The final rules also drop the proposed requirement that companies disclose in Form 10-Q and Form 10-K reports any material changes or updates (including "any potential future impacts" on the company's operations and financial condition) to a company's Form 8-K disclosure of a cybersecurity incident. Instead, companies are obligated to provide updated incident disclosures in a Form 8-K amendment.
- The final rules also introduce a (very narrow) delay of the four-business-day Form 8-K filing deadline where the US Attorney General determines that disclosure would pose a substantial risk to national security or public safety.
The new rules will require the following:
- New Form 8-K Item 1.05 will require registrants to disclose any cybersecurity incident they determine to be material and describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations. Registrants must determine the materiality of an incident without unreasonable delay following discovery and, if the incident is determined to be material, file an Item 1.05 Form 8-K within four business days of such determination.[1] Registrants will also be required to file an amendment to their Form 8-K filing where certain required information was not available at the time of the initial filing. Amendments must be filed within four business days (i) of determining such information or (ii) after such information becomes available.
- New Regulation S-K Item 106 will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant. Item 106 will also require registrants to describe the board of directors' oversight of risks from cybersecurity threats and management's role and expertise in assessing and managing material risks from cybersecurity threats.
- Form 6-K will be amended to require foreign private issuers (FPIs) to furnish information on material cybersecurity incidents that they make or are required to make public or otherwise disclose in a foreign jurisdiction to any stock exchange or to security holders. Form 20-F will be amended to require that foreign private issuers make periodic disclosure comparable to that required in new Regulation S-K Item 106.
- With respect to compliance with the structured data requirements, all registrants must tag disclosures required under the final rules in Inline eXtensible Business Reporting Language (Inline XBRL) beginning one year after initial compliance with the related disclosure requirement.
The final rules will become effective 30 days following publication of the adopting release in the Federal Register. See the table below for relevant compliance dates and disclosure requirements.
| Compliance Date | Applicable Entities | Disclosure Requirement |
| --- | --- | --- |
| Annual report for fiscal year ending on or after December 15, 2023 | All registrants | Cybersecurity risk management, strategy and governance disclosure requirements pursuant to Regulation S-K Item 106 and the comparable requirements in Form 20-F |
| Later of 90 days after the date of publication in the Federal Register or December 18, 2023 | Companies other than smaller reporting companies | Incident disclosure requirements in Form 8-K Item 1.05 and in Form 6-K |
| Later of 270 days after the date of publication in the Federal Register or June 15, 2024 | Smaller reporting companies | Incident disclosure requirements in Form 8-K Item 1.05 |
| One year after initial compliance with the related disclosure requirement | All registrants | Tagging of all disclosures required under the final rules in Inline XBRL |
Background
The new rules, first proposed for comment in March 2022, are the latest aspect of the SEC's increased focus on the management and disclosure of cybersecurity risks and incidents that began more than a decade ago.
The SEC Division of Corporation Finance staff published CF Disclosure Guidance: Topic No. 2 – Cybersecurity in October 2011. In February 2018, the SEC published its Commission Statement and Guidance on Public Company Cybersecurity Disclosure, described in an earlier Goodwin alert. More recently, the SEC's focus on cyber-related issues has appeared in many forms. For example, SEC Chair Gensler and other senior SEC staff have made numerous speeches and statements on the importance of cyber-related matters and the SEC's regulatory agenda. In February 2022, the SEC proposed a package of new rules and amendments to enhance cybersecurity preparedness and improve cyber resilience of investment advisers and investment companies against cybersecurity threats and attacks. In March 2023, the SEC proposed new rules applicable to broker-dealers, transfer agents, and other key financial market participants that would require enhanced disclosures about cybersecurity risks and significant cybersecurity incidents, as described in an earlier Goodwin alert.
Addressing cyber-related matters in other ways, the SEC Division of Enforcement has taken enforcement action in a variety of cases since June 2021, including cases in which it (1) imposed a $1 million penalty on a public company based on charges that the company misled investors about a 2018 cyber intrusion and failed to maintain disclosure controls and procedures (DCP) that complied with SEC rules; (2) imposed a $487,000 penalty based on charges that the company failed to maintain adequate DCP for cybersecurity risks and incidents; (3) sanctioned eight firms that were registered with the SEC as investment advisers and/or broker-dealers for cybersecurity policies and procedures failures; and (4) filed charges against several prominent brokerage firms for failure to protect the personally identifiable information of their customers or to maintain adequate programs to protect against identity theft.
The SEC's drivers for promulgation of the newly-adopted rules include greater digitalization of companies' operations, prevalence of remote work (due in part to the COVID-19 pandemic), ability of criminals to monetize cybersecurity incidents (such as through ransomware), growth of digital payments, and increasing reliance on third-party service providers for information technology services, including cloud computing technology.
To address this environment, the SEC's stated goals are to drive (1) more timely and consistent disclosure about material cybersecurity incidents because of the potential impact of incidents on the financial performance or position of a company and (2) greater availability and comparability of disclosure by public companies across industries regarding their cybersecurity risk management, strategy, and governance practices in order to better assess whether and how companies are managing cybersecurity risks.
Summary of the New Rules
The new rules adopted by the SEC significantly expand and accelerate disclosure of cybersecurity risks, cybersecurity incidents, and the board and management-level governance structures and controls and procedures that companies rely on to manage and oversee cybersecurity risks and incidents. The following table summarizes the requirements the Commission adopted:
| Item | Summary Description of the Disclosure Requirement |
| --- | --- |
| Regulation S-K Item 106(a) | The Commission adopted definitions for "cybersecurity incident," "cybersecurity threat," and "information systems" largely as proposed. Accordingly, the definitions are as follows: |
| Regulation S-K Item 106(b) – Risk management and strategy | Registrants must describe their processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats, and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition. The enumerated elements that a registrant should address in its Item 106(b) disclosure, as applicable, are: |
| Regulation S-K Item 106(c) – Governance | Registrants must: |
| Form 8-K Item 1.05 – Material Cybersecurity Incidents | The Commission streamlined Item 1.05 (from the proposed rules) to focus the disclosure primarily on the impacts of a material cybersecurity incident, rather than on requiring underlying details of the incident itself. Registrants must disclose any cybersecurity incident that is determined to be material, and describe the material aspects of its: An Item 1.05 Form 8-K must be filed within four business days of determining an incident was material. A registrant may delay filing if the US Attorney General determines such disclosure would pose a substantial risk to national security or public safety. Registrants must amend a prior Item 1.05 Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing, within four business days after determining such information or within four business days after such information becomes available. The rule's inclusion of "financial condition and results of operations" is not exclusive; companies should consider qualitative factors alongside quantitative factors in assessing the material impact of an incident. Further, the SEC noted that whether an incident is material is not contingent on where the relevant electronic systems reside or who owns them. Instruction 4 to Item 1.05 provides that a "registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant's response or remediation of the incident." As proposed, the Commission added Item 1.05 to the list of Form 8-K items in General Instruction I.A.3.(b) of Form S-3, so that the untimely filing of an Item 1.05 Form 8-K will not result in the loss of Form S-3 eligibility. The final rules require an Item 1.05 Form 8-K to be filed (not furnished). |
| Form 20-F | FPIs must: |
| Form 6-K | FPIs must furnish on Form 6-K information on material cybersecurity incidents that they disclose or otherwise publicize in a foreign jurisdiction, to any stock exchange, or to security holders. |
Structured Data Requirement
The Commission adopted the structured data requirements as proposed, with a staggered compliance date of one year. Registrants are required to tag the new disclosures in Inline XBRL, including by block text tagging narrative disclosures and detail tagging quantitative amounts. The Commission explained that the structured data requirements would make the disclosures more accessible to investors and other market participants and facilitate more efficient analysis.
As the SEC noted, Inline XBRL tagging will enable automated extraction and analysis of the information required by the final rules, allowing investors and other market participants to more efficiently identify responsive disclosure, as well as perform large-scale analysis and comparison of this information across registrants. The Inline XBRL requirement will also enable automatic comparison of tagged disclosures against prior periods.
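To make the "block text tagging" and "detail tagging" distinction concrete, the following Python is an added example, not code from Goodwin, the SEC, or any filer. It parses a constructed Inline XBRL fragment and pulls out the tagged facts the way an analyst's extraction script would. The ix:nonNumeric (block text) and ix:nonFraction (numeric) elements and their contextRef, unitRef, scale and sign attributes are standard Inline XBRL 1.1 constructs; the "cyd:"-prefixed concept names in the sample are hypothetical placeholders, not the SEC's actual taxonomy element names, and the disclosure text and amounts are invented for the example.

```python
"""Pull block-text and detail-tagged facts out of an Inline XBRL fragment.

Added example for this alert; not code from Goodwin, the SEC, or any filer.
ix:nonNumeric (block text) and ix:nonFraction (numeric detail tags) and their
attributes are standard Inline XBRL 1.1 elements. The "cyd:" concept names in
the sample are HYPOTHETICAL placeholders, not the SEC's actual taxonomy
element names, and the fragment is constructed, not taken from a real filing.
"""
import xml.etree.ElementTree as ET
from decimal import Decimal

IX = "http://www.xbrl.org/2013/inlineXBRL"
XHTML = "http://www.w3.org/1999/xhtml"

# Constructed sample: one block-text fact (narrative disclosure) and two
# detail-tagged amounts using scale and sign attributes. Names are made up.
SAMPLE = f"""<html xmlns="{XHTML}" xmlns:ix="{IX}"
      xmlns:cyd="http://example.invalid/hypothetical-cyd">
<body>
  <ix:nonNumeric name="cyd:IncidentNatureScopeTimingTextBlock" contextRef="c-2024">
    <p>The company detected unauthorized access to a subset of its corporate
    systems. Containment was completed within days of discovery.</p>
  </ix:nonNumeric>
  <p>Estimated remediation cost: $<ix:nonFraction name="cyd:IncidentRemediationCost"
    contextRef="c-2024" unitRef="usd" decimals="-3" scale="3">1,250</ix:nonFraction> thousand.</p>
  <p>Revenue impact: (<ix:nonFraction name="cyd:IncidentRevenueImpact"
    contextRef="c-2024" unitRef="usd" decimals="-6" scale="6" sign="-">4.0</ix:nonFraction>) million.</p>
</body>
</html>"""


def _text(el: ET.Element) -> str:
    """Concatenate all descendant text of an element and collapse whitespace."""
    return " ".join("".join(el.itertext()).split())


def numeric_value(el: ET.Element) -> Decimal:
    """Turn the displayed text of an ix:nonFraction into the reported value.

    Applies the scale (power of ten) and sign attributes. Only plain
    "1,234.5"-style text is handled; a full processor would also apply the
    transformation named in the element's format attribute.
    """
    raw = _text(el).replace(",", "")
    value = Decimal(raw) * (Decimal(10) ** int(el.get("scale", "0")))
    return -value if el.get("sign") == "-" else value


def extract_facts(ixbrl: str) -> dict[str, dict]:
    """Return {concept name: {"context", "unit", "value"}} for every tagged fact.

    Block-text facts keep their narrative as a string; numeric facts are
    returned as Decimals so they can be compared across filers and periods.
    """
    root = ET.fromstring(ixbrl)
    facts: dict[str, dict] = {}
    for el in root.iter(f"{{{IX}}}nonNumeric"):
        facts[el.get("name")] = {"context": el.get("contextRef"),
                                 "unit": None, "value": _text(el)}
    for el in root.iter(f"{{{IX}}}nonFraction"):
        facts[el.get("name")] = {"context": el.get("contextRef"),
                                 "unit": el.get("unitRef"),
                                 "value": numeric_value(el)}
    return facts


if __name__ == "__main__":
    for name, fact in extract_facts(SAMPLE).items():
        print(f"{name} [{fact['context']}, {fact['unit']}]: {fact['value']}")
```

The point of the scale and sign handling is that the human-readable page shows "1,250 thousand" and "(4.0) million", while the machine-readable fact is 1,250,000 and -4,000,000 in the declared unit; an automated comparison across registrants has to work from the tagged values, not the rendered text.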
Applicability to Certain Issuers
- Asset-Backed Issuers: The Commission exempted asset-backed securities issuers from the final rules.[2]
- Smaller Reporting Companies: Consistent with the proposal, the Commission declined to exempt smaller reporting companies. The SEC noted that the streamlined requirements of the final rules will help reduce some of the costs associated with the proposal for all registrants, including smaller reporting companies. Also, the Commission did not believe that an additional compliance period is needed for smaller reporting companies with respect to Item 106, as this information is factual in nature regarding a registrant's existing cybersecurity strategy, risk management, and governance. Finally, given the significant cybersecurity risks smaller reporting companies face and the outsized impacts that cybersecurity incidents may have on their businesses, the Commission believed that smaller reporting companies' investors need access to timely disclosure on material cybersecurity incidents and the material aspects of their cybersecurity risk management and governance.
Footnotes
[1] The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing. If the Attorney General indicates that further delay is necessary, the Commission will consider additional requests for delay and may grant such relief through possible exemptive orders.
[2] See General Instruction G to Form 8-K, and General Instruction J to Form 10-K.