SEC’s new rules require U.S. public companies to disclose cybersecurity governance and incidents
SEC streamlines governance disclosure, narrows incident disclosure and removes board-level cybersecurity expertise disclosure in final rules
Under new rules adopted by the U.S. Securities and Exchange Commission (the “SEC”), U.S. public companies must soon make annual disclosures about their cybersecurity risk management, strategy and governance, as well as periodic disclosures about material cybersecurity incidents. Foreign private issuers are also subject to the requirements, although their cybersecurity incident reporting will generally be triggered by home country disclosure requirements.
Specifically, the new rules require companies that have a registration statement filed with the SEC (“registrants”) to make disclosures about:
- Risk management, strategy, and governance in annual reports on Form 10-K and Form 20-F, including:
- their processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats;
- whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition;
- the board’s oversight of risks from cybersecurity threats;
- management’s role in assessing and managing material risks from cybersecurity threats; and
- Material cybersecurity incidents on Form 6-K and Form 8-K.
These disclosures must also be presented in Inline eXtensible Business Reporting Language (“Inline XBRL”), continuing a trend of the SEC requiring new disclosures to be made in Inline XBRL.
Compliance Dates
The Form 10-K and Form 20-F disclosures are due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 6-K and Form 8-K disclosures are due beginning on the later of 90 days after the date of Federal Register publication or December 18, 2023. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure.
All registrants must tag disclosures required under the final rules in Inline XBRL beginning in annual reports for fiscal years ending on or after December 15, 2024; and for Form 6-K and Form 8-K, the later of December 18, 2024, or 465 days after the rules are published in the Federal Register.
Risk management, strategy, and governance disclosure
The SEC's final rules streamline the proposed rules' risk management, strategy and governance disclosure in recognition of concerns that the proposed rules could affect registrants' risk management and strategy decision-making and/or increase their vulnerability to cyberattack. In doing so, the SEC affirmed that the purpose of the rules is to inform investors, and not to influence whether and how companies manage cybersecurity risk.
The final rules amend Regulation S-K (and thus Form 10-K reporting) and Form 20-F to require registrants to:
- Risk management and strategy
- Describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes, including, but not limited to:
- whether and how any such processes have been integrated into the registrant’s overall risk management system or processes;
- whether the registrant engages assessors, consultants, auditors, or other third parties (which do not have to be named) in connection with any such processes; and
- whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.
Registrants should also disclose whatever information is necessary, based on their facts and circumstances, for a reasonable investor to understand their cybersecurity processes.
- Describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes, including, but not limited to:
- Describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how.
- Governance
- Board of directors – Describe the board of directors’ oversight of risks from cybersecurity threats. If applicable, identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describe the processes by which the board or such committee is informed about such risks. The SEC did not add a materiality qualifier to the board disclosure requirement (unlike that for management) because, as the SEC staff asserted, if a board determines to oversee a particular risk, the fact that such oversight is being exercised is material to investors.
- Management – Describe management’s role in assessing and managing a registrant’s material risks from cybersecurity threats. In providing such disclosure, a registrant should address, among other things and as applicable:
- whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
- the processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
- whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board.
Cybersecurity incident disclosure
The rules expressly require cybersecurity incident reporting in companies’ annual reports, as well as in Form 6-K and Form 8-K. While many European companies and certain other foreign private issuers will already be subject to incident reporting obligations in their home jurisdiction, this is a first in the United States.
Form 6-K reporting
The new rules amend Form 6-K to add “cybersecurity incidents” as a reporting topic; however, as a technical matter the amendment does not increase a foreign private issuer’s overall disclosure burden since Form 6-K reporting requirements are generally triggered by disclosures a company makes in its home jurisdiction (together, the “home jurisdiction disclosures”).
In other words, Form 6-K disclosure of a cybersecurity incident will be required if a foreign private issuer makes a home jurisdiction disclosure of a cybersecurity incident, and such information is material. For example, in the European Union, the General Data Protection Regulation mandates disclosure of cybersecurity breaches and requires basic cybersecurity risk mitigation measures and governance requirements. However, given the clear importance of the issue to the SEC, foreign private issuers may choose to look to the disclosure requirements of Form 8-K when making judgment calls around when and to what extent they should disclose information about cybersecurity incidents.
A Form 6-K must be filed “promptly” after the material contained in the report is made public, but there is no specific deadline. While some foreign private issuers aggregate their business communications into a single “batch” Form 6-K, material cybersecurity incident disclosure should be furnished on a “prompt” basis the day after disclosure in the home jurisdiction.
Form 8-K reporting
The new rules require U.S. domestic registrants that experience a material cybersecurity incident to file (and not merely furnish) a Form 8-K under new Item 1.05.
Substance of Item 1.05 disclosures
In the final rules, the SEC focused its incident disclosure requirements on the impacts of a material cybersecurity incident rather than the details of the incident itself. New Item 1.05 of Form 8-K requires registrants to describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations. The SEC noted that a registrant may determine that additional detail is required after conducting its materiality analysis, including discussion of data theft, asset loss, intellectual property loss, reputational damage or business value loss.
A registrant does not have to disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail that would impede its response or remediation of the incident.
In a significant change from the proposed rules, the SEC declined to adopt an explicit requirement that periodic disclosure is triggered when a series of previously immaterial cybersecurity incidents become material in the aggregate. However, registrants should bear in mind that the definition of “cybersecurity incident” includes “a series of unrelated unauthorized occurrences.” Consequently, the Form 8-K disclosure requirement may be triggered where a company determines that it has been materially impacted by what may appear to be a series of related cyber intrusions.
Item 1.05 could also result in the disclosure of cybersecurity incidents affecting third parties whose services a registrant uses, because the definition of “cybersecurity incident” encompasses an unauthorized occurrence on electronic information resources that the registrant owns or uses. This raises questions regarding whether a company could obtain the information to make a materiality determination about incidents affecting resources that it uses but does not own as well as whether one company’s materiality determination regarding a cybersecurity incident would trump another’s determination. The SEC specifically declined to provide an exemption from providing disclosures regarding cybersecurity incidents on third-party systems, or a safe harbor for information disclosed about third-party systems.
Timing of Form 8-K filing
Registrants must determine the materiality of a cybersecurity incident “without unreasonable delay following discovery of the incident” and file the Form 8-K within four business days of the materiality determination.
The disclosure may be delayed by up to 30 days if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of its determination in writing. If the Attorney General indicates that further delay is necessary, the SEC will consider additional requests for delay and may grant such relief through possible exemptive orders.
Companies subject to the Federal Communications Commission’s (“FCC”) rule for notification in the event of breaches of customer proprietary network information may also delay their Item 1.05 disclosure up to seven business days following the notification to the agencies specified in the FCC rule.
Update of Item 1.05 disclosures
The short disclosure deadline could mean that a company does not have all the information required by Item 1.05 when it has to file its Form 8-K reporting the cybersecurity incident. In that case, the company must state in the Form 8-K that the information called for in Item 1.05 is not determined or is unavailable.
The company then must file an amendment to its Form 8-K filing containing the information required by Item 1.05 within four business days after the company, without unreasonable delay, determines such information, or within four business days after such information becomes available.
Companies are not required to update reporting for all new information; rather, they only have to file an amended Form 8-K with respect to any information called for by Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing. However, companies may have a duty to correct prior disclosure that the registrant determines was untrue (or omitted a material fact necessary to make the disclosure not misleading) at the time it was made, or a duty to update disclosure that becomes materially inaccurate after it is made (for example, when the original statement is still being relied on by reasonable investors).
Consequences of failure to file Form 8-K
A company’s failure to timely file a Form 8-K that is required solely to report a cybersecurity incident will not affect its eligibility to use Form F-3 or Form S-3 and will not be deemed a violation of Rule 10b-5 under the U.S. Securities Exchange Act of 1934.
Inline XBRL requirement
The new rules also require the periodic and annual cybersecurity disclosures to be tagged in Inline XBRL, which includes block text tagging of narrative disclosures, as well as detail tagging of quantitative amounts disclosed within the narrative disclosures.
* * *
The SEC’s rules ultimately come down to: (1) governance, (2) risk management and (3) disclosure. Public companies must now be more transparent about their cybersecurity posture, offering investors and stakeholders a comprehensive look into their preparedness against digital threats. Companies should evaluate whether their board of directors and senior management have sufficient visibility into their cybersecurity program to provide the right level of oversight. Cybersecurity risk quantification should now be at the top of the list for key executives and board members. To that end, companies should invest the necessary resources to conduct cybersecurity risk assessments (with a qualified consultant for the technical analysis and counsel for the regulatory mapping) and provide the high-level results of such risk assessments to the C-Suite and board of directors. Supply chain private companies will also need to update their cyber protocols as these requirements will likely be imposed as contractual obligations by public companies to their supply chain. Finally, companies should maintain an incident response plan that addresses the C-Suite and board roles, and those plans must be practiced through tabletop exercises administered by counsel with the technical and legal experience to simulate cyber incidents and assess materiality thresholds through the appropriate legal and investor lens.
From a disclosure perspective, companies should ensure that cybersecurity incident reporting is subject to appropriate disclosure controls and procedures and reviewed and evaluated by the disclosure committee or other responsible body/persons. Management responsible for periodic and annual disclosures will also need to review and evaluate their current cybersecurity disclosures, as one of the aims of the final rules is to increase the sufficiency and consistency, and thereby centralize the disclosure, of cybersecurity strategy, risk management and governance disclosure. Companies should also bear in mind the SEC’s caveat that its 2018 interpretative release on cybersecurity, which covers some topics not implicated by the final rule (such as risk factor disclosure and internal control over financial reporting capturing financial impacts of cybersecurity incidents) is still relevant guidance.
We are working with numerous clients on cyber preparedness, governance, strategy and disclosure together with incident response, and we invite you to reach out to your regular Linklaters contact if you would like to discuss approaches and options.
We will continue to monitor developments in these areas and encourage you to contact us if you have any questions.