SEC Adopts Final Rules on Public Company Cybersecurity Disclosures

Alert
July 28, 2023

On July 26, 2023, the Securities and Exchange Commission (the “SEC”) voted 3–2 to adopt rules requiring public companies to disclose material cybersecurity incidents as well as information regarding their cybersecurity risk management, strategy, and governance (the “Cybersecurity Disclosure Rules” or “Final Rules”).[1] The Final Rules require disclosure of “material cybersecurity incidents.” The disclosure must be made within four business days from the date on which a cybersecurity incident is determined to be “material,” as opposed to four business days from the date on which the occurrence of an incident is discovered, although that distinction may be difficult to implement in practice. Covered entities, which include all issuers that file annual reports on Form 10-K or Form 20-F, should promptly review their cybersecurity protocols and procedures to address further required disclosure items.[2]

  • Annual reports on Forms 10-K and 20-F will need to include the new disclosures for the fiscal years ending on or after December 15, 2023; in other words, calendar-year issuers must comply with the new rules in their upcoming annual reports.
  • Issuers other than smaller reporting companies must begin reporting the information required by the new Item 1.05 on Form 8-Ks filed beginning on December 18, 2023 (or, if later, 90 days after the Adopting Release is published in the Federal Register), as well as Form 6-Ks furnished to the SEC. Meanwhile, smaller reporting companies will have an additional 180 days before they must begin complying with the new Form 8-K requirements.

The Final Rules build on a body of preexisting SEC guidance regarding cybersecurity disclosures.[3] In 2011, the Division of Corporation Finance issued interpretive guidance regarding disclosure obligations relating to cybersecurity risks and cyber incidents. Seven years later, in 2018, the SEC issued a statement on cybersecurity disclosure addressing, among other things, the materiality of incidents, updates to risk factors, and board risk oversight.[4] Despite years of cybersecurity guidance and enforcement actions, the SEC has not, until now, promulgated any binding cyber rules since 2000 when it adopted Regulation S-P to require broker-dealers, registered funds, and investment advisers to adopt written policies and procedures covering the safeguards that protect customer records and information.[5] The Cybersecurity Disclosure Rules mark the opening salvo of the SEC’s cybersecurity rulemaking; a myriad of cyber disclosure and risk management proposals—including those for registered investment advisers and funds—currently await review.

Current Reporting of Cybersecurity Incidents

Disclosure Trigger and Timing

The Cybersecurity Disclosure Rules create a new obligation for domestic issuers to file a current report on Form 8-K to disclose material cybersecurity incidents under new Item 1.05. Issuers must determine the materiality of an incident “without unreasonable delay” following discovery; if the incident is determined to be material, they must file an Item 1.05 disclosure within four business days of the materiality determination. While the “without unreasonable delay” standard is a slight modification from the SEC’s initial cyber-disclosure proposals for public companies (“Proposed Rules”), which required the materiality determination to be made “as soon as reasonably practicable,” the SEC was clear in the Adopting Release that companies may need to make such threshold disclosure determinations before they even “determine the full extent of an incident.”

The Adopting Release also makes clear that the materiality determination should be made using the same standard that generally applies under federal securities laws (i.e., information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision or if it would “have significantly altered the ‘total mix’ of information made available” to the investor). The SEC notes in the Adopting Release that qualitative and quantitative factors need to be considered when making a materiality determination, stating that “[a] lack of quantifiable harm does not necessarily mean an incident is not material.” The SEC goes on to observe: “For example, an incident that results in significant reputational harm to a registrant may not be readily quantifiable and therefore may not cross a particular quantitative threshold, but it should nonetheless be reported if the reputational harm is material. Similarly, whereas a cybersecurity incident that results in the theft of information may not be deemed material based on quantitative financial measures alone, it may in fact be material given the impact to the registrant that results from the scope or nature of harm to individuals, customers, or others, and therefore may need to be disclosed.”

Narrow Exception for Delayed Disclosure

The Cybersecurity Disclosure Rules do not allow issuers to delay disclosure in order to mitigate the risk of ongoing or additional cybersecurity incidents, nor do they include an omnibus law enforcement exception related to ongoing investigations.

The Final Rules, however, do include an exception that allows issuers to delay filing a Form 8-K if the United States Attorney General (“AG”) determines that an immediate disclosure of such an incident would pose a substantial risk to national security and public safety. State officials notably lack similar powers. In the case of AG involvement, the disclosure can be delayed by up to 30 days, with the allowance of a second delay of up to an additional 30 days if the AG determines that the disclosure continues to pose such a risk and a final delay of up to an additional 60 days if the AG again determines that the disclosure continues to pose such a risk. Any further delays would require the SEC to issue an exemptive order.[6]

As a practical matter, we expect that it will often be difficult for most companies to take advantage of this exception outside the scope of a significant national security event.

Required Disclosure Content

Item 1.05 of Form 8-K will require issuers to “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” In response to concerns about the availability of information regarding incidents that occur on third-party systems, the SEC stated in the Adopting Release that the “final rules generally do not require that registrants conduct additional inquiries outside of their regular channels of communication with third-party service providers pursuant to those contracts and in accordance with registrants’ disclosure controls and procedures.” The SEC went on to state that this approach was “consistent with” Rule 12b-21 under the Exchange Act, which allows issuers to exclude information that “is unknown and not reasonably available to the registrant, either because the obtaining thereof would involve unreasonable effort or expense, or because it rests peculiarly within the knowledge of another person not affiliated with the registrant....” To the extent that information regarding third-party systems is available to an issuer or could be obtained without unreasonable effort or expense (e.g., pursuant to contractual rights), it appears that issuers would be required to disclose that information.

In a significant change from the Proposing Release, if an incident is ongoing, the disclosures need not include details such as whether data were stolen and the status of any remediation efforts, although the SEC also explained that disclosure regarding those items may be required if they are material, stating the following in the Adopting Release: “While some incidents may still necessitate, for example, discussion of data theft, asset loss, intellectual property loss, reputational damage, or business value loss, registrants will make those determinations as part of their materiality analyses.” An instruction to Item 1.05 of Form 8-K relieves issuers of any obligation to disclose “specific or technical information about [their] planned response to the incident or [their] cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede [their] response or remediation of the incident.”

To the extent the information required by Item 1.05 is not available at the time when a Form 8-K is filed, issuers would be required to file an amended Form 8-K within four business days of the date on which such information becomes available. Accordingly, the effect of excluding material from the initial disclosure will be simply to delay its eventual disclosure.

The new requirement will not, however, impact issuers’ ability to use Form S-3, as untimely filing of an Item 1.05 Form 8-K will not result in the loss of an issuer’s Form S-3 eligibility. Furthermore, failure to file an Item 1.05 Form 8-K will not be deemed a violation of Section 10(b) of the Exchange Act or Exchange Act Rule 10b-5.

Foreign Private Issuers

Foreign private issuers would be required to furnish a Form 6-K to the SEC disclosing material cybersecurity incidents that the issuer discloses in a foreign jurisdiction to a stock exchange or to its security holders.

Disclosure in Annual Reports

Risk Management Disclosure

The Cybersecurity Disclosure Rules will require issuers to disclose in annual reports on Forms 10-K and 20-F information regarding their risk management processes for assessing, identifying, and managing material risks from cybersecurity threats. That disclosure will need to include a discussion of whether and how such processes have been integrated into the overall risk management system, if third parties are engaged in connection with those processes, and if the issuer has processes to oversee and identify the risks associated with the use of third-party service providers. That disclosure requirement has been significantly pared back from what was featured in the Proposing Release, which would have also required disclosure regarding whether the issuer undertook activities to prevent, detect, and minimize the effects of cybersecurity incidents, had established business continuity and recovery plans, and if previous cybersecurity incidents had informed changes in the issuer’s cybersecurity program.

Issuers will also be required to describe whether any of the risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition.

Governance

The Cybersecurity Disclosure Rules require additional disclosure regarding the role of both the board of directors and management with respect to risks from cybersecurity threats. Any board committees or management committees or positions responsible for oversight of those risks will need to be identified and the processes by which they are informed about such risks discussed. Issuers will also have to disclose the expertise of the persons on such management committees or in such positions and if they report information regarding cybersecurity risks to the board of directors or a board committee or subcommittee.

In a significant departure from the Proposing Release, the Final Rules do not require issuers to identify any director who has expertise in cybersecurity and identify the nature of that expertise.

Looking Ahead

For many issuers, preparing to comply with the Cybersecurity Disclosure Rules will require significant effort in the coming weeks, including honing their incident response capabilities so that they can make a disclosure in four business days as opposed to the 30-plus-day window afforded by most state laws. The short transitional period before the Final Rules come into effect means that issuers need to quickly begin implementing disclosure controls and procedures to comply with those requirements, particularly with respect to making materiality determinations and preparing disclosures regarding cybersecurity incidents. Issuers will also need to consider how their risk management and governance processes will be disclosed and if any revision to those processes is needed.

If you have any questions concerning this Alert, please contact your usual Ropes & Gray advisor.

  1. See Release Nos. 33-11216; 34-97989 (July 26, 2023) (the “Adopting Release”).
  2. The Cybersecurity Disclosure Rules do not apply to registered investment companies. However, the rules do apply to business development companies.
  3. https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
  4. SEC Release Nos. 33-10459; 34-82746 (February 26, 2018).
  5. https://www.law.com/newyorklawjournal/2023/05/08/the-sec-awakens-to-cybersecurity-with-the-zeal-of-a-convert.
  6. The SEC notes that other public sector entities can request that the AG make such a determination, stating, for example, “in the event [federal banking agencies] believe that the disclosure of a material cybersecurity incident would threaten the health of the financial system in such a way that results in a substantial risk to national security or public safety, they may, as explained above, work with the Department of Justice to seek to delay disclosure.” The Cybersecurity Disclosure Rules also allow for disclosure to be delayed to the extent that making such disclosure would violate Federal Communications Commission regulations regarding breaches of customer proprietary network information.