The U.S. Securities and Exchange Commission (SEC) has twice previously issued interpretive guidance on cybersecurity incident disclosure (in 2011 and 2018), but neither created a new disclosure requirement. Now, more than a year after proposing a rule to heighten cybersecurity disclosure requirements, the SEC released its final rule on July 26, 2023 (Release No. 33-11216). After reviewing more than 150 comment letters submitted by registrants and other stakeholders, the SEC narrowed the scope of disclosure in the final rule, but it reaffirmed its position on the importance of timely and consistent cybersecurity information for investors. To ensure compliance, companies need to evaluate their current cybersecurity governance and incident response practices and ensure those practices are appropriately reflected in their disclosure controls and procedures.
The final rule includes multiple new disclosure requirements; these disclosures generally fall into one of three categories:
The most significant change is the new Item 1.05 of Form 8-K. The SEC’s press release states that registrants must disclose “any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.” Registrants will not be required to disclose the remediation status of an incident, whether it is ongoing, or whether data were compromised. Nor will they be required to disclose “specific or technical information about their planned response,” which was a concern raised by many commenters. However, registrants must file an Item 1.05 Form 8-K within four business days of determining that a cybersecurity incident is material. The only exception is where the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing, which affords the registrant a delayed disclosure period.
To comply with this requirement, registrants will need confidence in both their ability to detect that an incident has occurred and their means of quantifying its impact to determine whether the incident, or a series of related incidents, is material. While the materiality standard is consistent with other SEC disclosures, quantifying the materiality of a cybersecurity incident may not be as straightforward. The disclosure clock starts on the date the registrant determines the incident to be material, not the date of discovery, but the rule requires registrants to make that determination without unreasonable delay after discovery. Companies should evaluate whether their current incident response plans sufficiently consider the quantitative and qualitative effects of an incident on the organization, including short- and long-term financial and operational effects. In evaluating the sufficiency of these plans, registrants should also consider that incidents occurring at business partners and other third parties may trigger a disclosure requirement even if the registrant does not own the system on which the incident took place.
Registrants should take particular note of the terms defined in the new rule, as these inform management of the SEC’s interpretation of key concepts. For instance, the SEC defines a cybersecurity incident as “an unauthorized occurrence, or a series of related unauthorized occurrences…,” which indicates that management’s materiality determination may require aggregating multiple related events. Registrants may also need to update a previously filed Item 1.05 Form 8-K by amendment when information that was not determined or was unavailable at the time of the initial filing later becomes available. Other terms defined by the SEC include “cybersecurity threat” and “information systems.” Registrants should incorporate these terms into their disclosure controls and procedures to ensure consistency with the SEC’s definitions.
To give investors relevant information for evaluating a registrant’s cybersecurity risk management and strategy in a uniform, comparable and easy-to-locate disclosure, the SEC added Regulation S-K Item 106(b), which requires registrants to describe their processes “for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.” For Form 10-K filers, this disclosure will appear in a new section of Form 10-K titled “Item 1C. Cybersecurity.” The SEC has acknowledged that the rule is not intended to require a level of detail that would increase an organization’s vulnerability to attack. Registrants will, however, be required to provide enough information for a reasonable investor to understand their cybersecurity processes, including, but not limited to:
Regulation S-K Item 106(c) will now require disclosure of both the board’s and management’s roles in assessing and governing material cybersecurity risks. Board oversight of cybersecurity risk, including identification of any board committee or subcommittee responsible for that oversight and a summary of the process by which the board is informed of such risks, will be part of the required disclosure. Registrants should review the current board agenda and assess whether sufficient attention and expertise are devoted to the governance of cybersecurity risk.
In addition to the board-specific disclosures, companies will also be required to disclose “management’s role in assessing and managing the registrant’s material risk from cybersecurity threats.” In satisfying this requirement, Item 106(c)(2) lists the following non-exclusive items to consider when describing management’s role:
Given these board and management disclosure requirements, registrants should consider the entirety of their cybersecurity governance activities and evaluate whether they are confident in the efforts being taken to protect the organization against material cybersecurity threats and to respond adequately should an incident occur. Leveraging industry-accepted practices and standards from organizations such as the National Institute of Standards and Technology (NIST) or the American Institute of Certified Public Accountants (AICPA) will help management assess its current security posture, its security governance, and its ability to comply with this new SEC requirement.
The new rule applies to all SEC registrants, but it provides an extended timeline for smaller reporting companies to comply with the Item 1.05 Form 8-K disclosure requirement.
According to the Federal Register, the final rules are effective Sept. 5, 2023. With respect to Item 106 of Regulation S-K and Item 16K of Form 20-F, all registrants must provide such disclosures beginning with annual reports for fiscal years ending on or after Dec. 15, 2023. With respect to the incident disclosure requirements in Item 1.05 of Form 8-K and in Form 6-K, all registrants other than smaller reporting companies must begin complying on Dec. 18, 2023. Smaller reporting companies are given an additional 180 days from that date before they must begin complying with Item 1.05 of Form 8-K, on June 15, 2024. Foreign private issuers (FPIs) are required to provide equivalent disclosures in their Form 20-F and Form 6-K filings.
With respect to compliance with the structured data requirements, all registrants must tag disclosures required under the final rules in Inline XBRL beginning one year after the initial compliance date for any issuer for the related disclosure requirement. Specifically:
While the SEC has previously issued interpretive guidance on the consideration of cybersecurity risks, this new rule marks the first time a specific cybersecurity disclosure requirement has been adopted for SEC registrants. Furthermore, the SEC has made a point of using its civil enforcement authority to pursue actions that protect investors. Aided by the Division of Enforcement’s Cyber Unit, established in 2017, the SEC continues to pursue cybersecurity- and crypto-related enforcement actions. Companies, and CISOs specifically, should critically assess their current cybersecurity practices and the nature and extent of management’s cybersecurity risk management and governance activities against these new disclosure requirements.
If actions have not yet been taken to address the approved rule, CISOs, management and the board of directors should consider the following: