SEC Adopts Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure Rules

On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) released proposed rules regarding public companies’ reporting of (i) cybersecurity incidents, (ii) policies and procedures for identifying and managing cybersecurity risks and (iii) management and board roles in implementing cybersecurity policies and procedures. On July 26, 2023, the final rules were adopted.

In 2011, and then again in 2018, the SEC provided interpretive guidance for cybersecurity disclosure. However, even as the SEC has observed cybersecurity threats becoming more prevalent and costly for the economy and companies, companies have employed varied disclosure practices regarding cybersecurity, with registrants providing different levels of specificity regarding the nature and significance of cybersecurity risks, as well as the cause, scope, impact and materiality of cybersecurity incidents.

Based on these observations, the SEC came to believe that investors and other capital markets participants need more timely and reliable information related to cybersecurity risk management, strategy and governance practices, as well as incident reporting. The SEC further noted that timely and consistent disclosure about material cybersecurity incidents, as well as greater availability and comparability of disclosure, would better enable investors to assess whether and how companies are managing their cybersecurity risks. Accordingly, the SEC proposed rules were designed to provide “consistent, comparable and decision-useful disclosures” regarding a public company’s cybersecurity risk management, strategy and governance practices, and incident response readiness.

The final rules, following the SEC’s receipt of more than 150 comment letters, narrow the scope of disclosure originally proposed, add a limited delay for disclosures that would pose a substantial risk to national security or public safety, and require certain updated incident disclosures on an amended Form 8-K as opposed to Forms 10-Q and 10-K. The final rules also omit the requirement to disclose individual immaterial incidents that are material in the aggregate; streamline disclosure elements related to risk management, strategy and governance; and do not require disclosure of board-level cybersecurity expertise.

Form 8-K Requirements

The final rules create a new Item 1.05 on Form 8-K, which requires a public company to disclose, following a material cybersecurity incident, the material aspects of the nature, scope and timing of the cybersecurity incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations, which may include harm to a company’s reputation, customer or vendor relationships or competitiveness. The Instructions to Item 1.05 clarify that a registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.

Importantly, the rules do not exempt disclosure of cybersecurity incidents on third-party systems used by the registrant and do not provide a safe harbor for information disclosed relating to third parties. Unlike the proposed rule, the final rules do not require companies to discuss the incident’s remediation status.

A company becomes obligated to file an Item 1.05 Form 8-K within four business days of determining, without unreasonable delay, that the incident is material (i.e., the notification trigger is the determination of incident materiality, not incident occurrence). While the four-business-day deadline for disclosure is the standard, the final rules provide the ability to delay disclosing the incident for an initial 30 days, and in extraordinary circumstances, up to 60 days if the Attorney General of the United States determines that disclosure poses a substantial risk to national security or public safety and notifies the SEC of such determination in writing.

An untimely filing of an Item 1.05 Form 8-K will not result in the loss of Form S-3 eligibility.

The final rules also allow the disclosure of information that is not determined or not readily available at the time of the filing of the initial Form 8-K to be filed in a Form 8-K amendment.

Risk Management and Strategy

The final rules adopt Regulation S-K Item 106(b) requiring registrants to disclose their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. This requirement represents a change from the proposed rule’s call for a discussion of “policies and procedures,” to avoid requiring the disclosure of operational details that threat actors could use, and because the SEC believes the term “processes” encompasses those practices that are not formally codified.

The final rules also require disclosure of:

• whether and how the company’s described cybersecurity processes have been integrated into the registrant’s overall risk management system or processes;
• whether the registrant engages assessors, consultants, auditors or other third parties in connection with any such processes; and
• whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.

Companies also must describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations or financial condition, and if so, how. The disclosures required by new Item 106 will be required in a company’s annual report on Form 10-K, but not in its proxy statement.

Governance

The rules add a new Item 106 to Regulation S-K requiring a description of management and the board’s oversight of cybersecurity risk. The final rules on this topic are less granular than the proposed rule and no longer require companies to disclose whether any members of their boards of directors have cybersecurity expertise.

Board of Directors’ Role

The final rules require companies to:

• describe the board’s oversight of risks from cybersecurity threats;
• if applicable, identify any board committee or subcommittee responsible for such oversight; and
• disclose the processes by which the board or such committee is informed about such risks.

Management’s Role

Registrants must describe management’s role in assessing and managing the registrant’s material risks from cybersecurity threats by disclosing the following:

• whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
• the processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents; and
• whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.

Companies Affected

The final rules apply to all reporting companies except for asset-backed issuers. While commenters suggested creating an exemption for smaller reporting companies, the SEC declined to add an exemption for smaller reporting companies, noting that the final rules will help reduce some of the costs associated with the proposal for all registrants, including smaller reporting companies. However, as discussed below, the SEC did provide smaller reporting companies additional time to begin complying with the new rules.

Compliance Dates

The final rules are effective for all registrants 30 days after publication in the Federal Register. All registrants, except smaller reporting companies, must comply with the requirements of Item 1.05 of Form 8-K by 90 days after publication, while smaller reporting companies have an additional 180 days (or 270 days from publication) to comply with Item 1.05 of Form 8-K. All registrants must provide disclosure under new Item 106 of Regulation S-K beginning with annual reports for fiscal years ending on or after Dec. 15, 2023.

Implications/Next Steps

As the deadline for reporting requirement approaches, companies should consider the following:

• While the final rules do not require registrants to have a written policy for handling cybersecurity incidents, existing law mandates that registrants maintain disclosure controls and procedures designed to ensure information is timely reported; these procedures must now expressly contemplate cybersecurity incidents. Further, the implementation and maintenance of an incident response and remediation plan is an industry standard practice and is required by certain state laws and federal regulations.
• Companies that have not already done so may want to consider specifically designating cybersecurity as a responsibility of their existing standing board committees or creating a new committee or subcommittee. Board oversight and accountability for cybersecurity is becoming increasingly important in the eyes of regulators generally, and the final rules evidence the SEC’s recognition of this trend.
• Registrants also may want to consider assessing, and formalizing if appropriate, the means by which management monitors, assesses and mitigates cybersecurity risks, as well as how information concerning cybersecurity is reported to the board of directors.
• Companies should be paying special attention to the cybersecurity capabilities and incident response readiness of their key vendors and partners, including with respect to pre-engagement evaluation, the institution of robust contractual protections, and the monitoring and enforcement of such protections. Third-party data breaches continue to proliferate, and the final rules reflect the SEC’s focus not only on the cybersecurity capabilities of its registrants, but also on the third parties that interact with such registrants' systems and data.