Sept. 5, 2023
The Securities and Exchange Commission (“SEC”) adopted the final rules (the “Final Rules”) on July 26, 2023 that will require disclosure of material cybersecurity incidents, cybersecurity risk management, strategy, and governance by public companies.1 All types of SEC filers are affected by the Final Rules, including domestic issuers, foreign private issuers (“FPIs”), smaller reporting companies, and emerging growth companies.
Disclosures of Material Cybersecurity Incidents in Current Reports
A. Disclosure and Timing Requirements for Domestic Issuers on Form 8-K
The Final Rules create a new obligation for domestic issuers to file a Current Report on Form 8-K under Item 1.05 within four business days after the issuer determines that it has experienced a material cybersecurity incident.
Specifically, Item 1.05 of Form 8-K requires issuers to describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the issuer, including its financial condition and results of operations. The Final Rules also direct issuers to include a statement identifying any information called for in Item 1.05(a) that is not determined or is unavailable at the time of the required filing, and then to file an amendment to their Form 8-K containing such information within four business days after the issuer, without unreasonable delay, determines such information or within four business days after such information becomes available. The Adopting Release states that although there is no additional duty for an issuer to otherwise update its prior statements, an issuer may have a duty to correct prior disclosure that the issuer determines was untrue (or omitted a material fact necessary to make the disclosure not misleading) at the time it was made, or a duty to update disclosure that becomes materially inaccurate after it is made.2
The definition of “cybersecurity incident” is to be construed broadly and extends to “a series of related unauthorized occurrences,” reflecting the fact that cyberattacks sometimes compound over time rather than present as a discrete event. Accordingly, when an issuer finds that it has been materially affected by what may appear as a series of related cyber intrusions, Item 1.05 may be triggered even if the material impact results from multiple intrusions that are each on their own immaterial.3
An issuer may delay an Item 1.05 Form 8-K only if the U.S. Attorney General notifies the SEC in writing that immediate disclosure would pose a substantial risk to national security or public safety. The untimely filing of an Item 1.05 Form 8-K will not result in the loss of Form S-3 eligibility.
B. Disclosure and Timing Requirements for Foreign Private Issuers on Form 6-K
Foreign private issuers are required to furnish a Form 6-K to the SEC disclosing material cybersecurity incidents that the issuer discloses or otherwise publicizes in a foreign jurisdiction to any stock exchange or to its security holders.
C. Compliance Dates
All issuers other than smaller reporting companies must comply with the cybersecurity incident disclosure requirements in new Item 1.05 of Form 8-K and in Form 6-K starting on December 18, 2023 (or, if later, 90 days after the date of publication of the new rules in the Federal Register). Smaller reporting companies will have an additional 180 days from that compliance date and must comply with Form 8-K Item 1.05 starting on June 15, 2024 (or, if later, 270 days after the date of publication in the Federal Register).
Disclosures of Cybersecurity Risk Management, Strategy, and Governance in Annual Reports on Form 10-K and 20-F
A. Disclosure Requirements Regarding Risk Management and Strategy
The Final Rules also add a new Item 106 to Regulation S-K to require annual disclosures in annual reports on Form 10-K and 20-F about cybersecurity governance, risk management, and strategy. Issuers are required to disclose information regarding their risk management processes for the assessment, identification, and management of material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. Issuers must also describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition. In order to provide the required disclosure, a company should address, as applicable, the following items:
B. Governance
The Final Rules require additional disclosure regarding the role of both the board of directors and management with respect to risks from cybersecurity threats. Issuers must also (a) identify any board committee or subcommittee responsible for oversight of risks from cybersecurity threats and describe the processes by which the board or such committee is informed about such risks, and (b) describe management’s role in assessing and managing material risks from cybersecurity threats.
C. Compliance Dates
All issuers, including smaller reporting companies and emerging growth companies, must comply with Item 106 of Regulation S-K (or the comparable requirements for FPIs in Form 20-F) beginning with annual reports for fiscal years ending on or after December 15, 2023.
Disclosures in Inline eXtensible Business Reporting Language (XBRL)
All new disclosure requirements must be tagged in Inline XBRL (block text tagging for narrative disclosures and detail tagging for quantitative amounts): for Item 1.05 of Form 8-K and Form 6-K disclosure, starting on December 18, 2024 (or, if later, 465 days after the date of publication in the Federal Register); and for Form 10-K and Form 20-F, starting with annual reports for fiscal years ending on or after December 15, 2024.
Action Items
1 See Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, SEC Release No. 33-11216 (July 26, 2023) (“Adopting Release”).
2 Id. at 51.
3 The SEC provided two examples in the Adopting Release to illustrate what may constitute a “material cybersecurity incident”: (i) the same malicious actor engages in a number of smaller but continuous cyberattacks, related in time and form, against the same company, and collectively they are either quantitatively or qualitatively material; and (ii) a series of related attacks from multiple actors exploiting the same vulnerability collectively impedes the company’s business materially.
These materials have been prepared for informational purposes only and are not legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Internet subscribers and online readers should not act upon this information without seeking professional counsel.