SEC Final Rule Adopts Increased Requirements around Cybersecurity Disclosures
On July 26, 2023, the Securities and Exchange Commission (“SEC”) adopted amendments augmenting and standardizing required disclosures for public companies related to cybersecurity. The rules apply to all registrants and include comparable requirements for foreign private issuers. The rules reflect several changes to elements described in the 2022 proposed rule and in previous guidance.
Disclosures of material cybersecurity incidents will require more specific details and may occur sooner than registrants have historically reported such events, requiring changes to systems, processes, and controls. In addition, the new rules significantly expand annual disclosures, requiring more standardized information about a registrant’s cybersecurity risk management, strategy, and governance.
Disclosure of Material Incidents
Registrants must report a material cybersecurity incident on Form 8-K (new item 1.05) within four business days after determining that the incident is material. Extensions are provided only if the US Attorney General notifies the SEC in writing that immediate disclosure would pose a substantial risk to national security or public safety. Registrants must determine the materiality of an incident without unreasonable delay following discovery:
- A “cybersecurity incident” is defined as “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”
- Whether the incident is material or not will be based on the definition of “materiality” used in federal securities laws. An incident can include a series of related occurrences, for example, if they involve the same malicious actor or exploitation of the same vulnerability. If a series of related occurrences is determined to be material, the disclosure requirements apply, even if each individual occurrence is determined to be immaterial.
- The disclosure must describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations. The registrant is not required to disclose specific or technical information about its planned response or its systems.
Annual Disclosure of Risk Management, Strategy, and Governance
The rule also adds new item 106 to Regulation S-K, requiring registrants to provide information in their annual 10-K report or Form 20-F about their cybersecurity risk management, strategy, and governance. The content of such disclosures is described in more detail in the final rule, but it includes: (a) a description of the process for assessing, identifying and managing material risk from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes; (b) whether and how any risks from cybersecurity threats (including previous incidents) have materially affected or are reasonably likely to materially affect the registrant; and (c) disclosure of management’s and the board of directors’ oversight and management of the cyber risks.
Effective Date and Compliance Deadlines
The final rule will become effective 30 days after publication in the Federal Register.
- All registrants other than Smaller Reporting Companies must begin complying with the disclosure requirements on Form 8-K or Form 6-K on the later of 90 days after publication or December 18, 2023.
- Smaller Reporting Companies have an additional 180 days to begin complying with the Form 8-K requirements.
View the 186-page final rule here.