SEC Adopts Robust New Cybersecurity Disclosure Rules
In late July 2023, the Securities and Exchange Commission (“SEC”) adopted new rules requiring public companies to disclose material cybersecurity incidents and their cybersecurity risk management, strategy and governance practices. The SEC largely adopted its original proposal issued in March 2022, with some modifications. The SEC voted to adopt the new rules in a 3-2 vote.
Compliance with the new incident disclosure requirement is required by the later of December 18, 2023 or 90 days after publication of the rules in the Federal Register. Smaller reporting companies receive an additional 180 days, with a compliance date of June 15, 2024 at the earliest.
The new rules include a major change in disclosure requirements. Companies will now be required to file a Form 8-K (new Item 1.05) to disclose material cybersecurity incidents within four (4) business days of the company’s determination that the incident is material. This is a transformative new rule that requires companies to implement specific disclosure controls and procedures so that incident information reaches the people who make the materiality determination.
In addition to this new incident disclosure requirement, companies will be required to include in their annual Form 10-K comprehensive disclosures concerning the company’s management of cybersecurity risks and its governance structure. All public companies will have to include the new disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023.
The new rules require companies to make a determination of materiality without unreasonable delay after discovery of the incident. If a company determines the incident is material, it has only four business days to disclose the incident. The SEC’s final rules modified the proposed “trigger” from the date of discovery of the incident to the date of the materiality determination, giving companies additional time after learning of an incident. The SEC noted that companies may not have complete information about an incident when it is first discovered and may therefore take a reasonable amount of time to make the materiality determination. The SEC cautioned, however, that the determination may not be delayed unreasonably; examples of unreasonable delay include intentionally deferring a committee meeting on the materiality determination past the normal time it takes to convene its members, or revising incident response policies and procedures in order to support a delayed determination.
When companies disclose a material cybersecurity incident, they must describe the material aspects of the nature, scope and timing of the incident, and the material impact or reasonably likely material impact of the incident on the company, including on its financial condition and results of operations. The SEC expects companies to weigh qualitative as well as quantitative factors when assessing materiality, including harm to reputation, customer and vendor/supplier relationships, and the potential for regulatory actions and civil litigation.
As to the technical aspects of the incident disclosure requirement, companies are not required to disclose specific or technical information about their planned response to the incident or about their systems, networks, devices or potential vulnerabilities in such detail as would impede their response to or remediation of the incident.
The rules define a cybersecurity incident broadly – “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”
The final rule also includes a broad definition of “information systems,” covering electronic information resources “owned or used by” the company, together with the physical or virtual infrastructure controlled by those resources. Because the definition covers systems the company uses but does not own, it extends to third-party information systems, such as those of cloud and other service providers.
New 10-K Requirements
Companies will be required to make comprehensive disclosures in their 10-K filings concerning their processes for assessing, identifying and managing material risks from cybersecurity threats, including: (1) whether and how the cybersecurity risk management process has been integrated into the company’s overall enterprise risk management processes; (2) whether the company engages assessors, consultants, auditors or other third parties in connection with these processes; (3) whether the company has processes to oversee and identify risks stemming from its use of third-party service providers; and (4) whether any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company’s business strategy, results of operations or financial condition.
Companies will be required to describe the board of directors’ oversight of risks from cybersecurity threats. In this respect, companies must identify any board committee or subcommittee responsible for such oversight and describe the process by which the board or committee is informed about cybersecurity risks, including the procedures for notifying the board or committee of the occurrence of a cybersecurity incident.
The SEC did not adopt the proposed requirement that companies disclose the cybersecurity expertise of individual board members, although the SEC observed that some amount of board-level experience and perspective should be part of any cybersecurity risk management program. Additionally, companies have to describe management’s role in assessing and managing material cybersecurity risks, including which management positions or committees are responsible for those risks, their relevant expertise, and the processes by which they are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents.