The SEC’s Demanding Disclosure Obligations Take Effect in 12 Days: Overview of Key Compliance Obligations for Registrants under the SEC’s Cybersecurity Incident and Risk Management, Strategy, and Governance Disclosure Rules
On July 26, 2023, the Securities and Exchange Commission (“SEC”) adopted its final disclosure rules (“Final Rules”) for publicly traded companies relating to: (1) “material cybersecurity incidents”; and (2) “material information regarding their cybersecurity risk management, strategy, and governance.” The adoption of the Final Rules comes from a rulemaking process that started in March of 2022 when the SEC initially issued proposed rules (“Proposed Rules”). The Final Rules come into effect on September 5, 2023.
Per the SEC Public Company Cybersecurity Disclosures Fact Sheet, the SEC’s reasons for adopting the Final Rules were threefold: (1) cybersecurity threats and incidents are on the rise and pose an ongoing threat to publicly traded companies, investors, and market participants; (2) the cost of cybersecurity incidents to companies and their investors is rising; and (3) disclosure of cybersecurity incidents under the SEC’s 2011 and 2018 interpretive guidance was “inconsistent.” The Final Rules are intended to produce “consistent, comparable, and decision-useful disclosures” that allow investors to make well-informed choices following material cybersecurity incidents.
Disclosure of Material Cybersecurity Incidents
Under the Final Rules, publicly traded companies must disclose material cybersecurity incidents that affect their operations. The SEC implemented this rule, in part, because of its concern that “the existing regulatory landscape is not yielding consistent and informative disclosure of cybersecurity incidents from registrants.” See Final Rules, p. 51903.
- Entities Required to Disclose Material Cybersecurity Incidents. The Final Rules apply to companies subject to the reporting requirements of the Securities Exchange Act of 1934 (“Registrants”), including “issuers that are business development companies as defined in section 2(a)(48) of the Investment Company Act of 1940.” Registrants other than “smaller reporting companies” must comply with the material cybersecurity incident disclosure requirements beginning December 18, 2023. Smaller reporting companies (i.e., companies that: (a) have a public float of less than $250 million; or (b) have less than $100 million in annual revenues and either no public float or a public float of less than $700 million) have until June 15, 2024, to comply. The Final Rules also impose filing obligations on Foreign Private Issuers (“FPIs”): FPIs must furnish material cybersecurity incidents on Form 6-K and describe their cybersecurity risk management, strategy, and governance on Form 20-F.
- Disclosure Trigger. Disclosure obligations fall upon Registrants that have experienced a “material cybersecurity incident.” The SEC defines a “cybersecurity incident” as “an unauthorized occurrence or series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” “Information systems” are defined as “information resources, owned, or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant’s information to maintain or support the registrant’s operations.” The cybersecurity incident must be “material” in nature to trigger a Registrant’s disclosure obligations. The SEC did not set forth a definition of “materiality” in the Final Rules, but rather referenced prior case law developments and relied on its 2011 and 2018 interpretative guidance asserting that a cybersecurity incident is “material” if “there is a substantial likelihood that a reasonable shareholder would consider it important” or if it would have “significantly altered the ‘total mix’ of information made available.” As noted in the Final Rules, materiality should be determined on both a quantitative (e.g., financial condition and results of operations of a Registrant) and qualitative (e.g., harm to Registrant’s reputation, customer or vendor relationships, or competitiveness) basis. Because the definition of a cybersecurity incident encompasses a “series of related unauthorized occurrences,” Registrants should carefully consider reporting related, immaterial, standalone incidents if in the aggregate, the related incidents materially impact the Registrant.
- Timing of Disclosure. Under the Final Rules, a Registrant generally must disclose a cybersecurity incident within four (4) business days after determining that the incident is material. Although there is no specified timeline for making the materiality determination, Registrants must make it “without unreasonable delay.” The SEC has stated that “though the determination need not be rushed prematurely, it also cannot be unreasonably delayed in an effort to avoid timely disclosure.” A Registrant may delay disclosure if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing. In that case, disclosure may be delayed for up to thirty (30) days from the date it was originally due, with a further delay of up to thirty (30) days available if the U.S. Attorney General makes another such determination. In extraordinary circumstances, the U.S. Attorney General may authorize a final additional delay of up to sixty (60) days. Any delay beyond one hundred and twenty (120) days requires an exemptive order from the SEC. A separate, short delay is also available to Registrants subject to the Federal Communications Commission’s customer proprietary network information breach-notification rule. See Final Rules, p. 51907.
- Scope of Disclosure. Per new Item 1.05 of Form 8-K, added by the Final Rules, the disclosure must describe:
- Nature. The material aspects of the nature of the cybersecurity incident;
- Scope. The material aspects of the scope of the cybersecurity incident;
- Timing. The material aspects of the timing of the cybersecurity incident; and
- Material Impact. The material impact, or reasonably likely material impact, of the cybersecurity incident on the Registrant, including its financial condition and results of operations.
- Disclosure Format. Registrants must disclose material cybersecurity incidents on Form 8-K. If any required information has not been determined or is unavailable by the filing deadline, the Registrant should timely file the Form 8-K with the information it does have, state in the filing that the remaining information is not yet determined or available, and then file an amended Form 8-K within four (4) business days after it determines that information (without unreasonable delay) or after the information becomes available.
Disclosures Related to Cybersecurity Risk Management & Strategy
The Final Rules also require Registrants to describe their cybersecurity risk management and strategy in their annual report on Form 10-K. Per Regulation S-K Item 106(b), added by the Final Rules, “[r]egistrants must describe their processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats, and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition.” The description must address, among other things:
- Integration. Whether and how any processes for cybersecurity threat assessment, identification, and management have been integrated into the Registrant’s overall risk management processes;
- Third Party Involvement. Whether the Registrant uses assessors, consultants, auditors, or other third parties in connection with any such processes; and
- Third Party Oversight. Whether the Registrant has processes to oversee and identify such risks from cybersecurity threats associated with the use of any third-party service providers.
The risk management and strategy disclosure is required for all Registrants, including smaller reporting companies, beginning with annual reports for fiscal years ending on or after December 15, 2023.
In addition to describing their cybersecurity risk management and strategy, Registrants must also describe their cybersecurity governance in their annual report on Form 10-K. Per Regulation S-K Item 106(c), added by the Final Rules, Registrants must specifically describe:
- Board of Directors’ Oversight. The board of directors’ oversight of risks from cybersecurity threats, including, if applicable, any board committee or subcommittee responsible for that oversight and the processes by which the board or such committee is informed about such risks; and
- Management’s Responsibilities. The management’s role in assessing and managing the Registrant’s material risks from cybersecurity threats, including but not limited to information concerning:
- Individual/Committee Roles, Responsibilities, and Expertise. Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
- Internal Cybersecurity Communications Processes. The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
- Reporting Obligations. Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.
The governance disclosure likewise applies to all Registrants beginning with annual reports for fiscal years ending on or after December 15, 2023.
Recommended Next Steps
The following steps will help Registrants comply with the Final Rules:
- Confirm Cybersecurity Risk Management, Assessment, and Oversight Responsibilities Have Been Assigned to the Board and Management. Registrants should confirm that they have assigned cybersecurity risk management, assessment, and oversight responsibilities to the board of directors (or a board committee or subcommittee) and to management, and that they have appropriate processes in place to inform the board or committee/subcommittee of cybersecurity threats.
- Confirm Third-Party Cybersecurity Risks are Taken into Consideration in Meeting Obligations. Registrants should confirm they have appropriate processes and contractual arrangements in place to identify material risks from cybersecurity threats associated with their third-party service providers, including timely notification by those providers of incidents affecting the Registrant’s information or systems.
- Review and Update Incident Response Plans to Incorporate Disclosure Obligations for Material Cybersecurity Incidents. Registrants should update their incident response plans to incorporate Form 8-K disclosure obligations relating to material cybersecurity incidents.
- Review and Update Disclosure Controls and Procedures. Registrants should update their disclosure controls and procedures to help ensure timely and adequate internal escalation of cybersecurity incidents to the appropriate oversight groups (i.e., management, board committees, and the board of directors) so that the materiality determination can be made without unreasonable delay. Registrants should consider developing a set of guidelines or criteria to help assess the “materiality” of a cybersecurity incident at an early stage (e.g., a list of qualitative and quantitative factors, and a process for evaluating whether a series of related incidents has become material in the aggregate).
- Update 10-K Disclosures. Registrants should confirm their annual Form 10-K disclosures incorporate the requisite cybersecurity risk management, strategy, and governance information.
- Keep Abreast of SEC Enforcement Actions, Rules, and Guidance. Finally, Registrants should stay abreast of actions brought by the SEC to enforce the Final Rules, as well as future SEC cybersecurity rules and guidelines.
These recommended steps, together with the implementation of cybersecurity and incident response best practices, will assist Registrants in meeting their obligations and reducing the risk of SEC enforcement action under the soon-to-be-effective Final Rules.