On July 26, the Securities and Exchange Commission adopted a new rule regarding cybersecurity risk management, strategy, governance, and incident disclosure. The “Cybersecurity Incident Disclosure Rule” will be applicable to public companies subject to the reporting requirements of the Securities Exchange Act of 1934. It is premised on the belief that investors will benefit from more timely and consistent disclosure about material cybersecurity incidents, and follows interpretive guidance the SEC issued in 2011 and 2018. The Final Rule will take effect 30 days after being published in the Federal Register – likely by September 1.
Form 8-K will be amended to require companies to file an Item 1.05 Form 8-K within four business days after they determine that a cybersecurity incident they have experienced is material, as that term is defined under the rule. The clock runs from the materiality determination, not from discovery of the incident, but the determination itself must be made without unreasonable delay after the incident is discovered, so a company cannot defer the filing by deferring its analysis.
The disclosure must describe the material aspects of the nature, scope and timing of the incident, and its material impact or reasonably likely material impact on the company, including its financial condition and results of operations. However, the disclosure need not include specific or technical information about the company’s planned response to the incident, its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede its response to or remediation of the incident.
The Final Rule’s requirement pertaining to disclosure of cybersecurity incidents on current reports is different from the version found in the proposed rule that was released in March 2022. The SEC received more than 150 comment letters in response to the proposed rule. In response, the SEC made a number of changes and updates that are reflected in the Final Rule. The changes are intended primarily to better balance the security concerns raised by commenters against investors’ informational needs. Among other things, the Item 1.05 Form 8-K in the Final Rule focuses the disclosure obligation primarily on the impact of a material cybersecurity incident (rather than the details of the incident itself). It also omits the requirement in the proposed form that companies disclose the remediation status of the incident.
In response to various commenters who expressed concern that disclosure could pose a substantial risk to national security or public safety, the Final Rule includes a “delay” provision. A registrant may delay the filing for up to 30 days beyond the regular disclosure deadline if the Attorney General determines that the disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing. The delay may be extended for an additional period of up to 30 days if the Attorney General determines that disclosure continues to pose such a risk and again notifies the SEC in writing. In extraordinary circumstances, disclosure may be delayed for a final additional period of up to 60 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security and notifies the SEC of that determination in writing. The delay is available only on the Attorney General’s determination; the rule provides no general delay for ongoing law-enforcement investigations or for incidents that are still being remediated.
The Final Rule defines a “cybersecurity incident” as an unauthorized occurrence, or a series of related unauthorized occurrences, on or through information systems, that jeopardizes the confidentiality, integrity, or availability of information systems or information on those systems.
The Final Rule will also add an Item 106 to Regulation S-K, which will require new annual-report disclosures about cybersecurity risk management, strategy and governance. The disclosures must describe the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, in sufficient detail for a reasonable investor to understand those processes, and should address the following:
- Whether and how any such processes have been integrated into the overall risk management system or processes.
- Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes.
- Whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.
- Whether any risks from cybersecurity threats, including any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, operations, or financial condition and if so, how.
- The board of directors’ oversight of risks from cybersecurity threats. (If applicable, identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describe the processes by which the board or such committee is informed about such risks.)
- Management’s role in assessing and managing the registrant’s material risks from cybersecurity threats. This should address the following non-exclusive list of disclosure items:
  - Whether and which management positions or committees are responsible for assessing and managing those risks, and the relevant expertise of such persons or members, in such detail as necessary to fully describe the nature of the expertise;
  - The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
  - Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.
The Final Rule omits proposed Item 407(j), which would have required disclosure about the cybersecurity expertise, if any, of a registrant’s board members. The SEC decided not to adopt proposed Item 407(j), recognizing that investors can form sound investment decisions based on the information required elsewhere in the Final Rule without the need for specific information regarding board-level expertise.
With respect to compliance with the incident disclosure requirements in Item 1.05 of Form 8-K and in Form 6-K, all registrants other than smaller reporting companies must begin complying 90 days after the date of publication in the Federal Register or December 18, 2023, whichever is later. Smaller reporting companies must begin complying by the later of 270 days after the date of publication in the Federal Register or June 15, 2024. The Item 106 risk management, strategy and governance disclosures (and the comparable Form 20-F disclosures) are required for all registrants beginning with annual reports for fiscal years ending on or after December 15, 2023.
The Constangy Cyber Team assists public companies of all sizes and industries with implementing necessary updates to their cybersecurity and compliance programs. If you would like additional information on how to prepare for the SEC’s new Rule on cybersecurity risk management and incident disclosure, please contact us at cyber@constangy.com.
Sean is a partner in the Portland office and chair of the national Constangy Cyber Team. His background includes over 25 years of experience with data privacy and information security matters. He is a former cyber attorney for the U.S ...
The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation.