ARTICLE
31 July 2023

Although Scaled Back, The SEC's Newly Adopted Cybersecurity Disclosure Rule Will Require Significant Effort By Public Companies To Comply

GP
Goodwin Procter LLP

Contributor

At Goodwin, we partner with our clients to practice law with integrity, ingenuity, agility, and ambition. Our 1,600 lawyers across the United States, Europe, and Asia excel at complex transactions, high-stakes litigation and world-class advisory services in the technology, life sciences, real estate, private equity, and financial industries. Our unique combination of deep experience serving both the innovators and investors in a rapidly changing, technology-driven economy sets us apart.
As a significant step in its ongoing initiatives on the disclosure, management, and oversight of cybersecurity risks and incidents, on July 26, 2023, the US Securities and Exchange Commission...
United States Technology

As a significant step in its ongoing initiatives on the disclosure, management, and oversight of cybersecurity risks and incidents, on July 26, 2023, the US Securities and Exchange Commission (SEC or Commission) adopted rules requiring registrants to disclose material cybersecurity incidents and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. The Commission also adopted rules requiring foreign private issuers to make comparable disclosures.

The Commission made a number of notable changes from the proposing release, including the following:

  • The SEC removed the proposed requirements to identify individual board of director members with expertise in cybersecurity matters and to disclose their qualifications and experience in Form 10-K annual reports and proxy and information statements on Schedules 14A and 14C (but retained the requirement to identify relevant expertise of cybersecurity management).
  • The final rules also exclude a proposed requirement that companies disclose in Form 10-Q and Form 10-K reports of any material changes or updates (including "any potential future impacts" on the company's operations and financial condition) to a company's Form 8-K disclosure of a cybersecurity incident. Instead, companies are obligated to provide updated incident disclosures in a Form 8-K amendment.
  • The final rules also introduced a (very narrow) extension of the Form 8-K 4-day disclosure requirement where the US Attorney General determines the disclosure would pose a substantial risk to national security or public safety.

The new rules will require the following:

  • New Form 8-K Item 1.05 will require registrants to disclose any cybersecurity incident they determine to be material and describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations. Registrants must determine the materiality of an incident without unreasonable delay following discovery and, if the incident is determined material, file an Item 1.05 Form 8-K within four business days of such determination.1Registrants will also be required to file an amendment to its Form 8-K filing where certain required information was not available at the time of the initial filing. Amendments must be filed within four business days (i) of determining such information or (ii) after such information becomes available.
  • New Regulation S-K Item 106 will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant. Item 106 will also require registrants to describe the board of directors' oversight of risks from cybersecurity threats and management's role and expertise in assessing and managing material risks from cybersecurity threats.
  • Form 6-K will be amended to require foreign private issuers (FPIs) to furnish information on material cybersecurity incidents that they make or are required to make public or otherwise disclose in a foreign jurisdiction to any stock exchange or to security holders. Form 20-F will be amended to require that foreign private issuers make periodic disclosure comparable to that required in new Regulation S-K Item 106.
  • With respect to compliance with the structured data requirements, all registrants must tag disclosures required under the final rules in Inline extensible Reporting Language (Inline XBRL) beginning one year after initial compliance with the related disclosure requirement

The final rules will become effective 30 days following publication of the adopting release in the Federal Register. See the table below for relevant compliance dates and disclosure requirements.

Compliance Date

Applicable Entities

Disclosure Requirement

Annual report for fiscal year ending on or after December 15, 2023

All registrants

Cybersecurity risk management, strategy and governance disclosure requirements pursuant to Regulation S-K Item 106 and the comparable requirements in Form 20-F

Later of 90 days after the date of publication in the Federal Register or December 18, 2023

Companies other than smaller reporting companies

Incident disclosure requirements in Form 8-K Item 1.05 and in Form 6-K

Later of 270 days after the date of publication in the Federal Register or June 15, 2024

Smaller reporting companies

Incident disclosure requirements in Form 8-K Item 1.05

One year after the initial compliance with related disclosure requirement

All registrants

All companies must tag disclosures required under the final rules in Inline XBRL

Background

The new rules, first proposed for comment in March 2022, are the latest aspect of the SEC's increased focus on the management and disclosure of cybersecurity risks and incidents that began more than a decade ago.

The SEC Division of Corporation Finance staff published CF Disclosure Guidance: Topic No. 2 – Cybersecurity in October 2011. In February 2018, the SEC published its Commission Statement and Guidance on Public Company Cybersecurity Disclosure, described in an earlier Goodwin alert. More recently, the SEC's focus on cyber-related issues has appeared in many forms. For example, SEC Chair Gensler and other senior SEC staff have made numerous speeches and statements on the importance of cyber-related matters and the SEC's regulatory agenda. In February 2022, the SEC proposed a package of new rules and amendments to enhance cybersecurity preparedness and improve cyber resilience of investment advisers and investment companies against cybersecurity threats and attacks. In March 2023, the SEC proposed new rules applicable to broker-dealers, transfer agents, and other key financial market participants that would require enhanced disclosures about cybersecurity risks and significant cybersecurity incidents, as described in an earlier Goodwin alert.

Addressing cyber-related matters in other ways, the SEC Division of Enforcement has taken enforcement action in a variety of cases since June 2021, including cases in which it (1) imposed a $1 million penalty on a public company based on charges that the company misled investors about a 2018 cyber intrusion and failed to maintain disclosure controls and procedures that complied with SEC rules; (2) imposed a $487,000 penalty based on charges that the company failed to maintain adequate DCP for cybersecurity risks and incidents; (3) sanctioned eight firms that were registered with the SEC as investment advisors and/or broker-dealers for cybersecurity policies and procedures failures; and, (4) filed charges against several prominent brokerage firms for failure to protect the personally identifiable information of their customers or to maintain adequate programs to protect against identity theft.

The SEC's drivers for promulgation of the newly-adopted rules include greater digitalization of companies' operations, prevalence of remote work (due in part to the COVID-19 pandemic), ability of criminals to monetize cybersecurity incidents (such as through ransomware), growth of digital payments, and increasing reliance on third-party service providers for information technology services, including cloud computing technology.

To address this environment, the SEC's stated goals are to drive (1) more timely and consistent disclosure about material cybersecurity incidents because of the potential impact of incidents on the financial performance or position of a company and (2) greater availability and comparability of disclosure by public companies across industries regarding their cybersecurity risk management, strategy, and governance practices in order to better assess whether and how companies are managing cybersecurity risks.

Summary of the New Rules

The new rules adopted by the SEC significantly expand and accelerate disclosure of cybersecurity risks, cybersecurity incidents, and the board and management-level governance structures and controls and procedures that companies rely on to manage and oversee cybersecurity risks and incidents. The following table summarizes the requirements the Commission adopted:

Item

Summary Description of the Disclosure Requirement

Regulation S-K Item 106(a)

The Commission adopted definitions for "cybersecurity incident," "cybersecurity threat," and "information systems" largely as proposed.

Accordingly, the definitions are as follows:

  • Cybersecurity incident means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein.
  • Cybersecurity threat means any potential unauthorized occurrence on or conducted through a registrant's information systems that may result in adverse effects on the confidentiality, integrity or availability of a registrant's information systems or any information residing therein.
  • Information systems means electronic information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant's information to maintain or support the registrant's operations.

Regulation S-K Item 106(b) – Risk management and strategy

Registrants must describe their processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats, and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition.

The enumerated elements that a registrant should address in its Item 106(b) disclosure, as applicable, are:

  • Whether and how the described cybersecurity processes in Item 106(b) have been integrated into the registrant's overall risk management system or processes;
  • Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
  • Whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.

Regulation S-K Item 106(c) – Governance

Registrants must:

  • Describe the board's oversight of risks from cybersecurity threats including, if applicable, identifying any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describing the processes by which the board or such committee is informed about such risks. The Commission did not include a materiality qualifier here because if a board of directors determines to oversee a particular risk, the fact of such oversight being exercised by the board is material to investors.
  • Describe management's role in assessing and managing material risks from cybersecurity threats. The Commission modified this requirement to add a materiality qualifier because management oversees many more matters and management's oversight of non-material matters is likely not material to investors. Item 106(c)(2) directs registrants to consider disclosing the following as part of a description of management's role in assessing and managing the registrant's material risks from cybersecurity threats:
  • Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
  • The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
  • Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.

Form 8-K Item 1.05 – Material Cybersecurity Incidents

The Commission streamlined Item 1.05 (from the proposed rules) to focus the disclosure primarily on the impacts of a material cybersecurity incident, rather than on requiring underlying details of the incident itself.

Registrants must disclose any cybersecurity incident that is determined to be material, and describe the material aspects of its:

  • Nature, scope, and timing; and
  • Impact or reasonably likely impact.

An Item 1.05 Form 8-K must be filed within four business days of determining an incident was material. A registrant may delay filing if the US Attorney General determines such disclosure would pose a substantial risk to national security or public safety.

Registrants must amend a prior Item 1.05 Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing within four business days after determining such information or within four business days after such information becomes available.

The rule's inclusion of "financial condition and results of operations" is not exclusive; companies should consider qualitative factors alongside quantitative factors in assessing the material impact of an incident. Further, the SEC noted that whether an incident is material is not contingent on where the relevant electronic systems reside or who owns them.

Instruction 4 to Item 1.05 provides that a "registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant's response or remediation of the incident."

As proposed, the Commission added Item 1.05 to the list of Form 8-K items in General Instruction I.A.3.(b) of Form S-3 , so that the untimely filing of an Item 1.05 Form 8-K will not result in the loss of Form S-3 eligibility.

The final rules require an Item 1.05 Form 8-K to be filed (not furnished).

Form 20-F

FPIs must:

  • Describe the registrant's processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.
  • Describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how.
  • Describe the board's oversight of risks from cybersecurity threats.
  • Describe management's role in assessing and managing material risks from cybersecurity threats.

Form 6-K

FPIs must furnish on Form 6-K information on material cybersecurity incidents that they disclose or otherwise publicize in a foreign jurisdiction, to any stock exchange, or to security holders.

Structured Data Requirement
The Commission adopted the structured data requirements as proposed, with a staggered compliance date of one year. Registrants are required to tag the new disclosures in Inline XBRL, including by block text tagging narrative disclosures and detail tagging quantitative amounts. The Commission explained that the structured data requirements would make the disclosures more accessible to investors and other market participants and facilitate more efficient analysis.

As the SEC noted, Inline XBRL tagging will enable automated extraction and analysis of the information required by the final rules, allowing investors and other market participants to more efficiently identify responsive disclosure, as well as perform large-scale analysis and comparison of this information across registrants. The Inline XBRL requirement will also enable automatic comparison of tagged disclosures against prior periods.

Applicability to Certain Issuers
Asset-Backed Issuers: The Commission exempted asset-backed securities issuers from the final rules.2

  • Smaller Reporting Companies: Consistent with the proposal, the Commission declined to exempt smaller reporting companies. The SEC noted that the streamlined requirements of the final rules will help reduce some of the costs associated with the proposal for all registrants, including smaller reporting companies. Also, the Commission did not believe that an additional compliance period is needed for smaller reporting companies with respect to Item 106, as this information is factual in nature regarding a registrant's existing cybersecurity strategy, risk management, and governance. Finally, given the significant cybersecurity risks smaller reporting companies face and the outsized impacts that cybersecurity incidents may have on their businesses, the Commission believed that smaller reporting companies' investors need access to timely disclosure on material cybersecurity incidents and the material aspects of their cybersecurity risk management and governance.

Footnotes

1 The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing. If the Attorney General indicates that further delay is necessary, the Commission will consider additional requests for delay and may grant such relief through possible exemptive orders.

2 See General Instruction G to Form 8-K, and General Instruction J to Form 10-K.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More