On July 27, 2023, the Securities and Exchange Commission (SEC) adopted final rules requiring public companies to disclose material cybersecurity incidents and enhance and standardize periodic disclosure of cybersecurity risk management, strategy, and governance. The final rules will add Inline XBRL tagging requirements to such disclosures and will apply to domestic issuers, through Form 8-K and Form 10-K, and foreign private issuers, through similar disclosures on Form 6-K and Form 20-F.

CYBERSECURITY INCIDENT REPORTING REQUIREMENT (NEW FORM 8-K ITEM 1.05)

The final rules require public companies, via new Form 8-K Item 1.05, to disclose any material cybersecurity incident and describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant.

Under the final rules, "cybersecurity incident" is defined as "an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein." The SEC notes that the term "cybersecurity incident" is to be construed broadly and may encompass multiple immaterial cyberattacks that have a material effect in aggregate. Accordingly, several immaterial cyber incidents may together have a material impact that would require disclosure.

Public companies must file a Form 8-K disclosing the incident under new Item 1.05 within four business days after the registrant has determined the incident to be material. Disclosure may be delayed beyond the four-day window if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing. The SEC has established an interagency communication process with the Department of Justice to allow for the Attorney General's determination to be communicated to the SEC in a timely manner. Under the final rules, other federal agencies may also request that the Attorney General determine that disclosure would pose a substantial risk to national security or public safety.

INTERNAL PROCEDURE DISCLOSURE (NEW REGULATION S-K ITEM 106)

The final rules also create new Regulation S-K Item 106, which will require public companies to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats. Additionally, public companies will be required to report whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant.

Companies will also be required to describe board oversight of cybersecurity threats and disclose management's role and expertise in assessing and managing cybersecurity risks. The new Item 106 disclosures will be required to be reported by domestic issuers on Form 10-K and by foreign private issuers on Form 20-F.

EFFECTIVE DATES

For all registrants other than smaller reporting companies, the Form 8-K Item 1.05 cybersecurity incident reporting requirements and the analogous requirements for Form 6-K will take effect 90 days after publication of the rule in the Federal Register or by December 18, 2023, whichever is later. However, smaller reporting companies will have an additional 180 days from the compliance date for non-smaller reporting companies, or until June 15, 2024, whichever is later. The Item 106 internal procedure and board oversight disclosures must be made in annual reports for fiscal years ending on or after December 15, 2023. Additionally, all registrants must tag disclosures required under the new rules in Inline eXtensible Business Reporting Language, commonly known as "Inline XBRL," (a) for new Item 1.05, beginning 465 days after the date of publication in the federal register or December 18, 2024, whichever is later, and (b) for new Item 106 of Regulation S-K, beginning with annual reports for fiscal years ending on or after December 15, 2024.

Capital Markets & Securities Law Watch will continue to monitor updates in this area and will provide updates to our readers as they become available.

Summer Associate Drew Pierce contributed to the preparation of this blog post.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.