08/03/23

SEC Adopts Final Rules for Public Companies’ Cybersecurity Disclosures

On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) adopted final rules to enhance and standardize how companies disclose cybersecurity risk management, strategy, governance and incidents. The rules apply to public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. The final rules will become effective 30 days after they are published in the Federal Register.

Background

The SEC issued proposed cybersecurity rules on March 23, 2022. The proposal would have amended the SEC's rules to require:

  • Current reporting of material cybersecurity incidents;
  • Periodic disclosures about a registrant's policies and procedures to identify and manage cybersecurity risks;
  • Disclosure of management's role in implementing cybersecurity policies and procedures; and
  • Disclosure of the board of directors' cybersecurity expertise, if any, and its oversight of cybersecurity risk.

Important Information:

  • The final rules will become effective 30 days after publication in the Federal Register.
  • Form 10-K and Form 20-F disclosures will begin with annual reports for fiscal years ending on or after Dec. 15, 2023.
  • Form 8-K and Form 6-K disclosures will begin either 90 days after the date of publication in the Federal Register or Dec. 18, 2023, whichever is later.
  • Smaller reporting companies will have an additional 180 days before they must begin providing Form 8-K disclosures.

Under the proposed rules, registrants would have been required to include updates about previously reported cybersecurity incidents in their periodic reports. The proposed rules would have also required the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (Inline XBRL). These proposals were intended to better inform investors about a registrant’s risk management, strategy and governance and to provide timely notification of material cybersecurity incidents.

However, in response to the comments received, the SEC implemented several changes to the proposed rules. These changes include:

  • Limiting the scope of incident disclosure to focus on more significant events;
  • Introducing a limited delay for disclosures that could potentially jeopardize national security or public safety;
  • Requiring certain updated incident disclosures on an amended Form 8-K/6-K instead of on Form 10-Q/10-K/20-F;
  • Eliminating the aggregation of immaterial incidents for the materiality analysis;
  • Simplifying the disclosure requirements related to risk management, strategy and governance; and
  • Not adopting the proposed requirement to disclose board cybersecurity expertise.

Final Rule Disclosure Requirements

The final rules require companies to file a Form 8-K within four business days after determining that a cybersecurity incident they experienced is material. The four-day clock runs from the materiality determination, not from discovery of the incident, but the rules state that the determination must be made without unreasonable delay after discovery. In the new Item 1.05 of Form 8-K, companies will need to describe:

  • The material aspects of the nature, scope and timing of the incident; and
  • The material impact, or reasonably likely material impact, of the incident on the company, including its financial condition and results of operations.

The final rules do not provide specific criteria for determining whether a cybersecurity incident is material. Instead, materiality is to be assessed under the same standard used elsewhere in the federal securities laws: whether there is a substantial likelihood that a reasonable investor would consider the information important, judged against the total mix of information available. A purely quantitative threshold is not sufficient; qualitative factors such as reputational harm, customer and vendor relationships, and potential litigation or regulatory action also bear on the analysis.

According to the final rules, companies must amend a previously filed Item 1.05 Form 8-K to include any information required by Item 1.05 that was not determined or was unavailable at the time of the initial filing. The amendment is due within four business days after the company, without unreasonable delay, determines that information or after it becomes available. A company may delay filing an Item 1.05 Form 8-K only if the U.S. attorney general notifies the SEC in writing that immediate disclosure would pose a substantial risk to national security or public safety. The initial delay is for up to 30 days, may be extended by an additional 30 days, and in extraordinary circumstances may be extended by a further 60 days, in each case upon a further written determination by the attorney general.

Finally, under the new rules, all registrants must tag the disclosures required under the final rules in Inline XBRL, including block-text tagging of narrative disclosures and detail tagging of quantitative amounts. The tagging requirement applies beginning one year after a registrant is first required to comply with the related disclosure requirement.

Next Steps

Public companies should become familiar with the new rules and monitor the Federal Register for the official publication of the rules and an effective date. In addition, public companies should consult with legal and cybersecurity experts to evaluate their incident response programs and implement policies and procedures that enable them to comply with SEC disclosure obligations without compromising the efficacy of their response or remediation strategies.

The new requirement to file a current report within four business days of determining that a cybersecurity incident is material deviates from current practice, under which many companies have disclosed incidents, if at all, in periodic reports. Complying with this requirement may be challenging and burdensome for some companies, especially when the incident itself is already straining their response resources. For this reason, companies should plan now for how they will escalate incidents to the people who make materiality determinations, document when and how those determinations are made, and assess whether a current report is necessary. Advance planning can help ensure thoughtful incident responses and avoid inconsistent outcomes.