US SEC issues final rule on cybersecurity disclosures

On July 26, 2023, the US Securities and Exchange Commission (SEC) issued its final rules for public companies and foreign private issuers (FPIs) requiring rapid disclosure of material cybersecurity incidents as well as periodic disclosure of cybersecurity risk management and policies and procedures (the SEC Final Rule). The SEC Final Rule comes 16 months after the Commission proposed new rules on March 9, 2022 regarding cybersecurity incident reporting and risk management (SEC's Proposed Rule). The SEC Final Rule reflects the SEC's belief that investors "need timely, standardized disclosure regarding cybersecurity incidents materially affecting registrants' businesses, and that the existing regulatory landscape is not yielding consistent and informative disclosure of cybersecurity incidents from registrants."¹

In addition, registrants must describe on Form 10-K and Form 20-F their processes (if any) for assessing, identifying and managing material risks from cybersecurity threats. They must also describe whether any risks from cybersecurity threats (including prior incidents) have materially affected or are reasonably likely to materially affect them. Finally, registrants must also describe the board of directors' oversight of risks from cybersecurity threats as well as management's role and expertise in assessing and managing material risks from cybersecurity threats.

The SEC Final Rule expands on the 2011 CF Disclosure Guidance and the 2018 SEC Cybersecurity Guidance, which addressed the importance of cybersecurity policies and procedures and disclosures of material cybersecurity incidents. In the 2018 Guidance, the SEC wrote, "…we expect companies to disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal or reputational consequences."

To ensure standardization on cybersecurity disclosures, the SEC Final Rule will require public companies to:

1. report any cybersecurity incidents on Form 8-K (public companies) or Form 6-K (foreign private issuers) within four business days of determining that the incident is material
2. provide material updates on any previously reported cybersecurity incidents in the Form 8-K
3. provide periodic disclosures about cybersecurity policies and procedures on Form 10-K and Form 20-F
4. identify management's role in implementing cybersecurity policies and procedures on Form 10-K and Form 20-F

Amendments to Form 8-K²

The SEC Final Rule is a bit narrower than the SEC's Proposed Rule from 2022. First, the SEC Final Rule narrowed the amount of information requiring to be disclosed on a Form 8-K and second, it provided for a delay of any disclosures if the United States Attorney General determines that immediate disclosure could pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing. 

The SEC Final Rule requires filing a Form 8-K disclosing a cybersecurity incident within four business days after determining that a cybersecurity incident was material.³ The disclosure on the Form 8-K would need to address:

1. The nature, scope, and timing of the cybersecurity incident
2. The material impact (or reasonably likely material impact) of the cybersecurity incident on the company, including its financial condition and results of operations

The SEC pointed out the item 2 is not limited to the listed characteristics, but instead, companies "should consider qualitative factors alongside quantitative factors in assessing the material impact of an incident."⁴ The SEC's examples include "harm to a company's reputation, customer or vendor relationships, or competitiveness," as well as the "possibility of litigation or regulatory investigations or actions."⁵

The threshold for filing a Form 8-K is whether the cybersecurity incident is "material." The SEC's Final Rule does not change the approach for analyzing materiality described in the SEC's prior cybersecurity disclosure guidance. The concept of materiality remains whether the cybersecurity incident has a substantial likelihood that a reasonable investor would consider the information important in making an investment decision. 

The SEC explicitly recognized that companies may need time to determine whether a cybersecurity incident is material. Thus, the Form 8-K filing requirement is four business days after making that materiality determination, not necessarily four business days after learning of the incident. The SEC expects management to make a materiality determination "without unreasonable delay," which is a change from the proposed rule's standard of "as soon as reasonably practicable."⁶ That triggering event may happen before a company has completed its investigation into the matter. 

Unlike the proposed rule, the SEC Final Rule expressly permits a delay if the disclosure would "pose a substantial risk to national security or public safety, contingent on a written notification by the Attorney General [of the United States], who may take into consideration other Federal or other law enforcement agencies' findings."⁷

Unlike in the SEC's Proposed Rule, the SEC Final Rule does not require companies to disclose (i) the incident's remediation status, (ii) whether it is ongoing and (iii) whether data were compromised.⁸ The SEC pointed out that companies may still need to consider data theft, intellectual property loss or reputational damage as part of their materiality analyses. To underscore the point that the SEC does not want companies to disclose technical information that could assist threat actors, the SEC is adding an instruction to Item 1.05 in the 8-K that the registrant "need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices or potential system vulnerabilities in such detail as would impede the registrant's response or remediation of the incident."⁹ The SEC made it clear that if the incident that has a material impact occurs within a third-party system, rather than the registrant's systems, the registrant (and possibly the third-party) still must make the 8-K disclosure. The SEC stated: "we do not believe a reasonable investor would view a significant breach of a registrant's data as immaterial merely because the data were housed on a third-party system."¹⁰ Recognizing that companies may not have access to as much data on a third-party system, companies "should disclose based on the information available to them."¹¹ The SEC Final Rule generally does "not require that registrants conduct additional inquiries outside of their regular channels of communication with third-party service providers pursuant to those contracts an in accordance with registrants' disclosure controls and procedures."¹²

In addition, once a company discloses a cybersecurity incident on Form 8-K, the SEC Final Rule requires disclosure of any information that was not available or not determined at the time, such as the scope of the incident or the potential impact on the company's operations, in a subsequent Form 8-K. 

Amendments to periodic reports

The SEC Final Rule includes amendments to periodic reports, such as Forms 10-Q and 10-K filings, to require more consistent and informative disclosure of company's cybersecurity risk management, strategy and governance. For example, companies would be required to provide an overview of relevant cybersecurity policies and procedures, including descriptions of how and when the company assesses its cybersecurity risk profile, how the company responds to cybersecurity events and how the company manages cybersecurity risk related to its third party service providers. 

In addition, the SEC Final Rule requires descriptions of board oversight of the cybersecurity risk program, including the process by which the board is informed of cyber risks, and a description of which management positions or committees are responsible for managing cybersecurity risks. While the proposed rule called for disclosure of the board’s level of cybersecurity expertise, after considering the comments on the proposal, the SEC Final Rule did not adopt this requirement.¹³

Effective dates

With respect to the incident reporting, the new requirements will take effect on the later of 90 days after publication in the Federal Register or December 18, 2023. The new Regulation S-K Item 106 disclosures will go into effect with respect to filings for fiscal years that end December 15, 2023 or later. "Smaller reporting companies" (as defined elsewhere in Reg S-K) have an additional 180 days to comply with the incident reporting rule (but there is no delay for the Item 106 requirement). The SEC declined to grant smaller reporting companies a general exemption, which some commenters had requested.

Key takeaways

Companies cannot ignore their cybersecurity risks. The SEC has emphasized the importance of the board's oversight of these risks, and registrants must now describe management's role and expertise in assessing and managing material risks from cyber threats.¹⁴ Companies should be evaluating their cybersecurity practices and capabilities from a risk-based perspective and ensuring employees are prepared to respond to a cybersecurity incident.¹⁵ Public companies and FPIs should evaluate their cybersecurity disclosures and determine whether they need to be providing more information about their cybersecurity risk profile, risk management practices and oversight, and cybersecurity incidents so that investors can be armed with sufficient information to evaluate their investment decisions.