SEC Approves Cybersecurity Disclosure Rules
On July 26, 2023, the SEC approved new disclosure rules1 designed to allow investors to evaluate a registrant’s exposure to cybersecurity risks and incidents, as well as their ability to manage and mitigate them. The new rules apply to public companies, including smaller reporting companies, business development companies, and foreign private issuers (FPIs) that file on Form 20-F, but do not apply to Canadian issuers filing under MJDS (40-F filers), asset-backed issuers, or investment companies registered under the Investment Company Act of 1940.
Although at the time there were no disclosure requirements in Regulations S-K or S-X referring explicitly to cybersecurity risks or incidents, the SEC issued interpretive guidance in each of 2011 and 2018 concerning the application of then-existing disclosure and other requirements under the federal securities laws to cybersecurity risks and incidents in light of their increasing significance.2 Although disclosures of both material cybersecurity incidents and cybersecurity risk management and governance have improved since the issuance of the guidance, the SEC staff has observed that such reporting is inconsistent, may not be timely, and can be difficult to locate, and that investors would benefit from enhanced disclosure regarding these matters.
The following is a summary of the new disclosure requirements, which are described in more detail below.
- Disclosure of Material Cybersecurity Incidents (Form 8-K Item 1.05): Registrants must disclose any cybersecurity incident determined to be material and describe the material aspects of its nature, scope, timing, and impact or reasonably likely impact. The filing must be made within four business days of determining an incident was material. A registrant may delay filing if the United States Attorney General (Attorney General) determines immediate disclosure would pose a substantial risk to national security or public safety. Registrants must amend a prior Item 1.05 Form 8-K to disclose any required information that was not determined or was unavailable at the time of the initial Form 8-K filing.
- Form 6-K: FPIs must furnish on Form 6-K information on material cybersecurity incidents that they disclose or otherwise publicize in a foreign jurisdiction, to any stock exchange, or to security holders.
- Risk management and strategy (Regulation S-K Item 106(b)): Registrants must describe their processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition. Disclosure is applicable to Forms 10-K and 20-F.
- Governance (Regulation S-K Item 106(c)): Registrants must describe (1) the board’s oversight of risks from cybersecurity threats and (2) management’s role in assessing and managing material risks from cybersecurity threats. Disclosure is applicable to Forms 10-K and 20-F.
New Item 1.05 of Form 8-K will require a registrant to disclose the following within four business days after determining that it has experienced a material cybersecurity incident (which may be after the date of discovery of the incident): “the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” In a departure from the proposal, the final rules do not require disclosure regarding the incident’s remediation status, whether it is ongoing and whether data were compromised. While some incidents may still necessitate discussion of data theft, asset loss, intellectual property loss, reputational damage, or business value loss, registrants will make those determinations as part of their materiality analyses (described below). A registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident. Notably, the rules do not exempt registrants from providing disclosures regarding cybersecurity incidents on third-party systems they use, nor is a safe harbor provided for information disclosed about such systems.3 Form 8-K Item 1.05 information will be deemed “filed” and not “furnished.” Untimely filing on Form 8-K under Item 1.05 would not result in loss of Form S-3 eligibility.4
The rules also amend Form 6-K to reference material cybersecurity incidents among the items that may trigger a current report on Form 6-K. Thus, for a cybersecurity incident to trigger a disclosure obligation on Form 6-K, the registrant must determine that the incident is material, in addition to meeting the other criteria for required submission of the form.
Materiality determinations must be made without unreasonable delay after discovery of the incident (adhering to normal internal practices and disclosure controls and procedures will suffice to demonstrate good faith compliance). Information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision or if it would have “significantly altered the total mix of information made available.”5 Qualitative and quantitative factors should be considered in assessing materiality. For example, harm to a company’s reputation, customer or vendor relationships, or competitiveness, and/or the possibility of litigation or regulatory investigations or actions, may have a reasonably likely material impact on a registrant. A registrant may alert similarly-situated companies, as well as government actors, immediately after discovering an incident and before determining materiality, so long as it does not unreasonably delay its internal processes for determining materiality.
Delayed Incident Reporting
Pursuant to 8-K Item 1.05(c), a registrant may delay making an Item 1.05 Form 8-K filing if the Attorney General determines that the disclosure poses a substantial risk to national security or public safety and notifies the SEC of such determination in writing.6 The Department of Justice will notify the affected registrant that communication to the SEC has been made so that the registrant may delay filing its Form 8-K. In addition, if a registrant subject to the Federal Communications Commission (FCC) rules with respect to breaches of customer proprietary network information is required by FCC rules to delay disclosing a data breach, it may delay providing the required Form 8-K disclosure for the applicable forbearance period (upon written notification to the SEC), but in no event for more than seven business days after required notification under such rules has been made.
Updating Incident Disclosure
Updated incident disclosure must be provided in a Form 8-K amendment (rather than in a periodic report as originally proposed). Specifically, if any required information is not determined or is unavailable at the time of the required filing, registrants must include a statement to this effect in the Form 8-K and file a Form 8-K amendment containing such information within four business days after the registrant, without unreasonable delay, determines such information or within four business days after such information becomes available. Registrants are also reminded that they may have a duty to correct prior disclosure that they determine was untrue (or omitted a material fact necessary to make the disclosure not misleading) at the time it was made (for example, if the registrant subsequently discovers contradictory information that existed at the time of the initial disclosure) or a duty to update disclosure that becomes materially inaccurate after it is made (for example, when the original statement is still being relied on by reasonable investors). Registrants should consider whether they need to revisit or refresh previous disclosure, including during the process of investigating a cybersecurity incident.
Although the final rules did not adopt the proposals that would have required aggregated disclosure of individually immaterial incidents, the definition of “cybersecurity incident” (described below) extends to “a series of related unauthorized occurrences.” Accordingly, when a company finds that it has been materially affected by what may appear as a series of related cyber intrusions, 8-K Item 1.05 may be triggered even if the material impact or reasonably likely material impact of individual incidents are by themselves immaterial.7
Periodic Reporting (Annual Report on Forms 10-K and 20-F)
Risk Management and Strategy
New Regulation S-K Item 106(b)(1) requires a description of the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. In providing such disclosure, a registrant should address, as applicable, the following items: (1) whether and how the described processes have been integrated into the registrant’s overall risk management system or processes; (2) whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and (3) whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider. The foregoing list is non-exclusive; registrants should additionally disclose whatever information is necessary, based on their facts and circumstances, for a reasonable investor to understand their cybersecurity processes.
New Regulation S-K Item 106(b)(2) requires a description of whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition, and if so, how.
New Regulation S-K Item 106(c), which is more streamlined than originally proposed, requires registrants to describe the board of directors’ oversight of risks from cybersecurity threats, and, if applicable, identify any board committee or subcommittee responsible for such oversight and describe the processes by which the board or such committee is informed about such risks. Registrants must also describe management’s role in assessing and managing the registrant’s material risks from cybersecurity threats. In providing such disclosure, a registrant should address, as applicable, the following non-exclusive items: (1) whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise (this would typically include disclosure of whether the registrant has a chief information security officer or someone in a comparable position); (2) the processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and (3) whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors. Relevant expertise of management may include prior work experience in cybersecurity, any relevant degrees or certifications, or any knowledge, skills, or other background in cybersecurity.
The SEC did not adopt proposed Regulation S-K Item 407(j), which would have required disclosure about the cybersecurity expertise, if any, of a registrant’s board members. They were persuaded that effective cybersecurity processes are designed and administered largely by management, and that directors with broad-based skills in risk management and strategy often effectively oversee management’s efforts without specific subject matter expertise.
Item 16K has been added to Annual Reports on Form 20-F to establish disclosure requirements for FPIs that are parallel to those for domestic issuers under Regulation S-K Item 106.
- Cybersecurity incident is an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.
- Cybersecurity threat is any potential unauthorized occurrence on or conducted through a registrant’s information systems that may result in adverse effects on the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.
- Information systems are electronic information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant’s information to maintain or support the registrant’s operations.
- Effective date: 30 days after the date of publication in the Federal Register (Publication Date).
- Annual Disclosure: Beginning with annual reports for fiscal years ending on or after December 15, 2023.
- 8-K Item 1.05/Form 6-K disclosure: (1) all registrants other than smaller reporting companies: 90 days after the Publication Date or December 18, 2023, whichever is later and (2) smaller reporting companies: 270 days after the Publication Date or June 15, 2024, whichever is later.
- XBRL: All registrants must tag disclosures required under the final rules in Inline XBRL beginning one year after the initial compliance date for such registrant for the related disclosure requirement. Specifically: (1) with respect to Regulation S-K Item 106, all registrants must begin tagging responsive disclosure in Inline XBRL beginning with annual reports for fiscal years ending on or after December 15, 2024 and (2) with respect to Form 8-K Item 1.05 and Form 6-K, all registrants must begin tagging responsive disclosure in Inline XBRL beginning 465 days after the Publication Date or December 18, 2024, whichever is later.
Although the final rules as adopted are in some ways more narrow than originally proposed, they will nonetheless require ongoing attention to whether and when a cybersecurity incident has occurred and a prompt and thorough analysis of the materiality of cybersecurity incidents, as well as disclosure of their nature, scope, timing, and impact. In addition, while the cybersecurity processes and personnel of public companies have to date been most visible during incidence response events, public attention on these matters will become heightened due to the scope of risk management, strategy, and governance disclosures that the final rules require. Accordingly, registrants may wish to consider:
- Re-evaluating and updating, as needed, procedures for assessing materiality of cybersecurity incidents and assuring procedures exist for documenting that decision-making process
- Establishing a process for the continuous evaluation of the status of any incident investigation for purposes of complying with the ongoing 8-K reporting requirement imposed by the new regulations
- Revisiting risk management policies, processes, and procedures with respect to cybersecurity risks and up-the-ladder reporting to provide a strong framework in support of the new governance disclosure requirements
- Engaging with outside counsel early in the upcoming annual reporting cycle to build out the necessary 10-K and proxy statement disclosures required by the new regulations
© Arnold & Porter Kaye Scholer LLP 2023 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
The rules were first proposed on March 9, 2022.
Depending on the circumstances, disclosure may be required by both the service provider and the customer, by one but not the other, or by neither. Disclosure should be based on available information (generally, additional inquiries outside of regular channels of communication with third-party service providers and not required by a registrants’ disclosure controls and procedures would be unnecessary).
The rules also amend Rules 13a-11(c) and 15d-11(c) under the Exchange Act to include new 8-K Item 1.05 in the list of Form 8-K items eligible for a limited safe harbor from liability under Section 10(b) or Rule 10b-5 under the Exchange Act.
Initially, disclosure may be delayed for a time period specified by the Attorney General, up to 30 days following the date when the disclosure was otherwise required to be provided. The delay may be extended for an additional period of up to 30 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing. In extraordinary circumstances, disclosure may be delayed for a final additional period of up to 60 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security and notifies the SEC of such determination in writing. Beyond the final 60-day delay, if the Attorney General indicates that further delay is necessary, the SEC will consider additional requests for delay and may grant such relief through an exemptive order.
Examples include: (1) where the same malicious actor engages in a number of smaller but continuous cyberattacks related in time and form against the same company and collectively, they are either quantitatively or qualitatively material or (2) a series of related attacks from multiple actors exploiting the same vulnerability and collectively impeding the company’s business materially.