
Securities Alert

Sept. 5, 2023

SEC Adopts New Cybersecurity Disclosure Requirements

By Howard Hirsch, Liuying (Ashley) Wu

The Securities and Exchange Commission (“SEC”) adopted the final rules (the “Final Rules”) on July 26, 2023 that will require disclosure of material cybersecurity incidents, cybersecurity risk management, strategy, and governance by public companies.1 All types of SEC filers are affected by the Final Rules, including domestic issuers, foreign private issuers (“FPIs”), smaller reporting companies, and emerging growth companies.

Disclosures of Material Cybersecurity Incidents in Current Reports

A. Disclosure and Timing Requirements for Domestic Issuers on Form 8-K

The Final Rules create a new obligation for domestic issuers to file a Current Report on Form 8-K under Item 1.05 within four business days after the issuer determines that it has experienced a material cybersecurity incident.

Specifically, Item 1.05 of Form 8-K requires issuers to describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the issuer, including on its financial condition and results of operations. In addition, the Final Rules direct issuers to include a statement identifying any information called for in Item 1.05(a) that has not been determined or is unavailable at the time of the required filing, and then to file an amendment to the Form 8-K containing that information within four business days after the issuer, without unreasonable delay, determines it or after it becomes available. The Adopting Release states that although there is no additional duty for an issuer to otherwise update its prior statements, an issuer may have a duty to correct prior disclosure that the issuer determines was untrue (or omitted a material fact necessary to make the disclosure not misleading) at the time it was made, or a duty to update disclosure that becomes materially inaccurate after it is made.2

The definition of “cybersecurity incident” is to be construed broadly and extends to “a series of related unauthorized occurrences,” reflecting the fact that cyberattacks sometimes compound over time rather than present as a discrete event. Accordingly, when an issuer finds that it has been materially affected by what may appear as a series of related cyber intrusions, Item 1.05 may be triggered even if the material impact results from multiple intrusions that are each on their own immaterial.3

An issuer may delay an Item 1.05 Form 8-K only if the U.S. Attorney General notifies the SEC in writing that immediate disclosure would pose a substantial risk to national security or public safety. The untimely filing of an Item 1.05 Form 8-K will not result in the loss of Form S-3 eligibility.

B. Disclosure and Timing Requirements for Foreign Private Issuers on Form 6-K

Foreign private issuers are required to furnish a Form 6-K to the SEC disclosing material cybersecurity incidents that the issuer discloses or otherwise publicizes in a foreign jurisdiction to any stock exchange or to its security holders.

C. Compliance Dates

All issuers other than smaller reporting companies must comply with the cybersecurity incident disclosure requirements in new Item 1.05 of Form 8-K and in Form 6-K starting on December 18, 2023 (or, if later, 90 days after the date of publication of the Final Rules in the Federal Register). Smaller reporting companies have an additional 180 days and must comply with Item 1.05 of Form 8-K starting on June 15, 2024 (or, if later, 270 days after the date of publication in the Federal Register).

Disclosures of Cybersecurity Risk Management, Strategy, and Governance in Annual Reports on Forms 10-K and 20-F

A. Disclosure Requirements Regarding Risk Management and Strategy

The Final Rules also add a new Item 106 to Regulation S-K (with parallel requirements in Form 20-F for FPIs) to require disclosure in annual reports on Forms 10-K and 20-F about cybersecurity risk management, strategy, and governance. Issuers are required to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. Issuers must also describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition. In providing the required disclosure, an issuer should address, as applicable, the following items:

  • Whether and how the cybersecurity processes described under Item 106(b) have been integrated into the issuer’s overall risk management system or processes.
  • Whether the issuer engages assessors, consultants, auditors, or other third parties in connection with any such processes.
  • Whether the issuer has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.

B. Governance

The Final Rules require additional disclosure regarding the role of both the board of directors and management with respect to risks from cybersecurity threats. Issuers must also (a) identify any board committee or subcommittee responsible for oversight of risks from cybersecurity threats and describe the processes by which the board or such committee is informed about such risks, and (b) describe management’s role in assessing and managing material risks from cybersecurity threats.

C. Compliance Dates

All issuers, including smaller reporting companies and emerging growth companies, must comply with Item 106 of Regulation S-K (or the comparable requirements for FPIs in Form 20-F) beginning with annual reports for fiscal years ending on or after December 15, 2023.

Disclosures in Inline eXtensible Business Reporting Language (XBRL)

All of the new disclosures must be tagged in Inline XBRL (block text tagging for narrative disclosures and detail tagging for quantitative amounts). The tagging requirement applies to Item 1.05 of Form 8-K and to Form 6-K disclosure starting on December 18, 2024 (or, if later, 465 days after the date of publication in the Federal Register), and to Forms 10-K and 20-F starting with annual reports for fiscal years ending on or after December 15, 2024.

Action Items

  • At the next regular board meeting, include a discussion of the new disclosure and board-oversight requirements in the Final Rules, and add a cybersecurity update as a standing agenda item at every regular board meeting, so that the board and the appropriate committee are kept informed of current and potential risks from cybersecurity threats.
  • Develop, or further develop, strategies, policies, and procedures to manage and mitigate cybersecurity risk, which should include conducting regular cybersecurity risk assessments to assess readiness for a cyber incident, a response plan, and a recovery plan.
  • Evaluate the adequacy and formality of the existing cybersecurity policies and procedures annually and update the cybersecurity policies and procedures as needed to ensure that the company’s cybersecurity programs are generally comparable to those of competitors.

1 See Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, SEC Release No. 33-11216 (July 26, 2023) (“Adopting Release”).

2 Id. at 51.

3 The SEC provided two examples in the Adopting Release to illustrate what may constitute a “material cybersecurity incident”: (i) the same malicious actor engages in a number of smaller but continuous cyberattacks, related in time and form, against the same company, and collectively they are either quantitatively or qualitatively material; and (ii) a series of related attacks from multiple actors exploiting the same vulnerability collectively impedes the company’s business materially.