Public companies will soon be required to provide increased transparency about cybersecurity incidents, risk management, strategy and governance as a result of new rules adopted by the Securities and Exchange Commission (the "SEC" or "Commission") on July 26, 2023.1 These new disclosure requirements represent a significant expansion of the existing SEC disclosure guidance, which dates back to 2011 and 2018, and represent the SEC's first disclosure requirements explicitly referring to cybersecurity risk and incident reporting in current and periodic reports.

Following an overview of the new rules, we identify below practical considerations for registrants in preparing for the new disclosure requirements.

Background

Previously, cybersecurity risk and incident disclosures in SEC reports were informed primarily by SEC staff guidance published in 2011 and Commission level guidance published in 2018 (the "2011 Staff Guidance" and "2018 Interpretive Guidance," respectively). In the 2011 Staff Guidance, the SEC Division of Corporation Finance staff acknowledged that although there were no disclosure rules explicitly referring to cybersecurity risks and incidents, registrants may be obligated to disclose such risks and incidents, as well as material information regarding such risks and incidents, when making other required disclosures pursuant to obligations under existing rules, such as Regulation S-K Items 101 (description of business), 103 (legal proceedings), 105 (risk factors), 303 (management's discussion and analysis of financial condition and results of operation), and 307 (disclosure controls and procedures), as well as certain provisions in the Accounting Standards Codification.2 The 2018 Interpretive Guidance added to the SEC staff's prior guidance on cybersecurity disclosures by discussing potential reporting obligations under Regulation S-K Item 407 (corporate governance), Regulation S-X and Regulation FD, noting that registrants may provide current reports to maintain the accuracy and completeness of effective shelf registration statements and encouraging companies to consider whether insider trading restrictions should be put into effect following a cybersecurity incident and before disclosure surrounding such incident is made.3

On March 9, 2022, the SEC proposed new rules to increase and standardize cybersecurity disclosures by public companies subject to reporting requirements under the Securities Exchange Act of 1934, as amended (the "Exchange Act").4 The SEC reopened the comment period on the proposal twice and received over 150 comment letters. Commenters raised various concerns about the rule proposals, with a significant number of comments concerning the timing of the proposed incident disclosure requirement in particular, as well as the proposed board expertise disclosure requirement.5

On July 26, 2023, in a 3-2 vote, the SEC adopted new rules for public companies that require current reporting of material cybersecurity incidents, as well as annual disclosures about cybersecurity risk management, strategy, and governance. The new rules and amendments affect Forms 8-K, 6-K, 10-K and 20-F, and include inline XBRL tagging requirements.6 The new requirements apply broadly to all public companies, including foreign private issuers, emerging growth companies and smaller reporting companies.

The new rules will significantly affect the way public companies disclose cyber incidents and matters relating to their cybersecurity oversight. In adopting the new requirements, the SEC confirmed that the 2018 Interpretive Guidance and 2011 Staff Guidance remain applicable and should be used to inform potential disclosure obligations relating to cyber incidents that are not specifically addressed in the latest rule requirements.7

The implementation dates under the new rules, which are outlined in the table below, are extremely tight. In general, companies other than smaller reporting companies will be required to comply with the new current reporting requirements in Forms 8-K and 6-K beginning December 18, 2023. Smaller reporting companies will be subject to the new current reporting requirements on June 15, 2024. For all companies, the annual reporting requirements in Forms 10-K and 20-F will apply starting with their Forms 10-K and 20-F filed in early 2024.

Summary of New Disclosure Requirements in Current Reports

The new rules establish a real-time reporting requirement for material cybersecurity incidents, which generally applies separately and in parallel with any other cyber reporting obligations the registrant is subject to under federal, state or foreign law.

Amendments to Form 8-K. Under new Item 1.05 of Form 8-K, a registrant that experiences a material cybersecurity incident must report the "material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations."

In response to public comment about the scope of the new rule, the SEC indicated that it adopted this language in an attempt to better focus the disclosure on the effects of a material cybersecurity incident, rather than specific details regarding the incident itself. Notably, in a departure from the proposal, the final rule does not require companies to discuss the cybersecurity incident's remediation status, if it is ongoing, or whether data were compromised. Nor does the rule require disclosure of the specific or technical information about the registrant's planned response or its cybersecurity systems, networks and devices, or potential system vulnerabilities to such a degree of detail as would impede the registrant's response or remediation of the incident.

Cybersecurity Incident. For disclosure purposes, a "cybersecurity incident" is defined as "an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein." The "series of related unauthorized occurrences" language reflects the SEC's stated view that "cybersecurity incident" should be viewed broadly. This language is a change from the proposal, which would have required disclosure in periodic reports when it became known to management that a series of previously undisclosed, individually immaterial cybersecurity incidents had become material in the aggregate.8 The adopting release includes examples of situations that may trigger Item 1.05 disclosure, including incidents occurring on third-party systems or accidental exposures of customer data that result in unauthorized access to that data.9 The same definition of cybersecurity incident, and the same broad interpretation, applies to Item 1.05 of Form 8-K as to the disclosures provided pursuant to Regulation S-K Item 106 (discussed below).

Footnotes

1. Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release No. 33-11216, 88 Fed. Reg. 51896 (adopted July 26, 2023), https://www.sec.gov/files/rules/final/2023/33-11216.pdf [hereinafter Adopting Release].

2. See CF Disclosure Guidance: Topic No. 2—Cybersecurity (Oct. 13, 2011), available at https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.

3. See Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release No. 33-10459, 83 Fed. Reg. 8166 (published Feb. 21, 2018).

4. See Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release No. 33-11038, 87 Fed. Reg. 16590 (proposed Mar. 9, 2022), https://www.sec.gov/files/rules/proposed/2022/33-11038.pdf.

5. Adopting Release at 10.

6. Id. at 11-13.

7. Id. at 95-96.

8. Id. at 47, 52.

9. Id. at 78-79.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.