SEC MANDATES NEW CYBERSECURITY DISCLOSURES
On July 26, 2023, the SEC adopted final rules that require public companies to promptly disclose material cybersecurity incidents on Form 8-K and detailed information regarding their cybersecurity risk management and governance on an annual basis on Form 10-K.
Foreign private issuers (FPIs) will need to disclose in their Form 20-Fs the same information about cybersecurity risk management and governance as U.S. domestic companies, but FPIs will only be required to report material cybersecurity incidents on Form 6-K when they decide to publicly report those incidents or are required to do so under home country rules.
In this client alert, we summarize the new cybersecurity disclosures required by the final rules and highlight where there are meaningful changes from the SEC’s proposed rules from March 2022. We also offer some suggestions for what companies can do to prepare for compliance with the new requirements.
Cybersecurity Incident Reporting on Form 8-K
Companies will be required to report on Form 8-K (under new Item 1.05) any cybersecurity incident they determine to be material within four business days of making that determination. Below we discuss what constitutes a reportable cybersecurity incident, what must be disclosed in a Form 8-K disclosing an incident, when that Form 8-K must be filed, and the requirement to update a Form 8-K as more information about the incident becomes available.
- Reportable Cybersecurity Incidents. The final rules contain a broad definition of reportable cybersecurity incidents.
- General. Under the final rules, “cybersecurity incident” is an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a company’s information systems that jeopardizes the confidentiality, integrity, or availability of the company’s information systems or any information residing therein. In the adopting release, the SEC emphasized that the term “cybersecurity incident” is intended to be construed broadly. The definition also refers to “a series of related unauthorized occurrences,” which is designed to capture cyberattacks that compound over time, as we discuss further below.
- Third-Party Service Providers. The SEC expressly declined to limit the relevant “information systems” to those owned, operated or controlled by the company, and instead adopted a definition that includes any electronic information resources owned or “used” by the company, which captures information resources owned or operated by third parties and used by the company, such as systems operated by cloud services providers. Incidents at a third-party service provider that a company knows about or has been informed of could therefore trigger a Form 8-K filing if the incident is determined to be material to the company. The SEC acknowledged that companies may have reduced visibility into third-party systems and clarified that the final rules do not require companies to conduct additional inquiries outside of their regular channels of communication with third-party service providers pursuant to their contracts with those providers and in accordance with the company’s disclosure controls and procedures.
- Content of Form 8-K. An Item 1.05 Form 8-K will be required to contain certain information about the incident and its impact on the company.
- Incident. The Form 8-K must describe the material aspects of the nature, scope, and timing of the incident. The disclosures are focused on the impact of a material cybersecurity incident, rather than on requiring details regarding the incident itself. The proposed rules would have required disclosure of the date of the discovery of the incident, the remediation status, whether it is ongoing, and whether data was compromised. The SEC stated that companies do not need to disclose specific or technical information about their planned responses to the incident or their cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the company’s response to or remediation of the incident.
- Impact. The Form 8-K must describe the incident’s material impact or reasonably likely material impact on the company, including its financial condition and results of operations. The SEC recommended that companies consider qualitative factors alongside quantitative factors in assessing the material impact of an incident, listing harm to a company’s reputation, customer or vendor relationships, or competitiveness as examples. Similarly, the SEC indicated that the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities, may constitute a reasonably likely material impact.
If any required information about the incident or its impact is not yet determined or is unavailable at the required time of the filing, the company must include a statement to this effect in the Form 8-K and file an amendment to the Form 8-K when that information becomes available, as described below.
- Timing of Form 8-K. Companies must determine the materiality of a cybersecurity incident without unreasonable delay following its discovery and, if the incident is determined to be material, file an Item 1.05 Form 8-K generally within four business days of such a determination. Importantly, an untimely filing of an Item 1.05 Form 8-K will not result in loss of Form S-3 eligibility.
- Materiality Determination Does Not Need to be Rushed. In a departure from the proposed rules, a company must make its materiality determination after it has discovered a cybersecurity incident “without unreasonable delay” (rather than “as soon as reasonably practicable”). In softening the timing requirement for the materiality determination, the SEC acknowledged that materiality determinations necessitate an informed and deliberative process that need not be rushed prematurely. It also expressly recognized that a decision to share information with other companies or government actors does not in itself necessarily constitute a determination of materiality. These statements by the SEC are important changes from the proposed rules that we anticipate may provide companies with more time to appropriately assess the nature and extent of a cybersecurity incident and its materiality, rather than, as may have been required by the proposed rules, rush to make a determination in an effort to avoid questions as to whether an earlier determination was undertaken as soon as practicable.
- No Unreasonable Delay. While recognizing the need for an informed and deliberative process, the SEC cautioned against unreasonably delaying the determination of an incident’s materiality in an effort to avoid timely disclosure. Among other things, the SEC highlighted that a company may not have complete information about the incident and may continue to investigate it but may already know enough to determine whether the incident was material. Examples of what the SEC considers unreasonable delay include intentionally deferring a committee’s meeting on the materiality determination or revising existing incident response policies and procedures in order to support a delayed materiality determination or disclosure, such as by extending assessment deadlines or changing the criteria for reporting an incident to management.
- Incident Must be Reported Even if Other Laws Would Permit Delaying Notification. As a general rule, the new disclosure requirement will operate independently of other regulatory regimes for the reporting of cybersecurity incidents. The SEC found that the incident reporting it has mandated neither directly conflicts with nor impedes the purposes of other federal laws and regulations, with only limited exceptions described below. As a result, companies may be required to report cybersecurity incidents where state law would excuse or delay notification of government agencies or affected customers or individuals. In addition, companies will not be permitted to delay disclosure at the request of law enforcement authorities who may be concerned that public disclosure could impede an ongoing investigation.
- Only Two Exceptions. The final rules contain only two exceptions that allow for delayed Form 8-K disclosure:
- The disclosure may be delayed if the U.S. Attorney General determines that timely disclosure would pose a substantial risk to national security or public safety, a circumstance which we expect to be rare.
- Companies subject to the FCC’s rule for notification in the event of breaches of customer proprietary network information may delay making the required Form 8-K disclosure during the period when this FCC rule prohibits them from notifying customers or disclosing the breach publicly (which runs until seven business days following notification of the U.S. Secret Service and FBI), provided they provide timely written notice to the SEC.
- Materiality Analysis. The new rules themselves do not contain any cyber-specific materiality tests, but the SEC provided guidance on how companies should consider their materiality determination.
- General Materiality Standard. The SEC reiterated its expectation that companies will apply the well-known “reasonable investor” materiality standard in determining the materiality of a cybersecurity incident. Under that standard, information is material when there is a substantial likelihood that a reasonable investor would have considered it important in making an investment decision, or when it significantly changes the total mix of information made available.
- Relevant Factors for Company-Specific Analysis. When a company experiences a cybersecurity incident, the SEC indicated that the company should consider as part of its materiality analysis both the immediate fallout and any longer-term effects, including on its operations, finances, brand, reputation and customer relationships. The SEC also noted that the same incident that affects multiple companies may not become reportable at the same time, and it may be reportable for some companies but not others.
- Qualitative Approach. The SEC highlighted that a lack of quantifiable harm does not necessarily mean that an incident is not material. Examples provided by the SEC included incidents that cause unquantifiable reputational harm and the theft of information that may not be material based on quantitative financial measures alone but may in fact be material given the impact from the harm to individuals, customers, or other third parties.
- Aggregation of Related Incidents. As described above, the definition of “cybersecurity incident” extends to “a series of related unauthorized occurrences” and is intended to be construed broadly. Examples suggested by the SEC of incidents that may be “related” and material in the aggregate are: where the same malicious actor engages in a number of smaller but continuous cyberattacks related in time and form against the same company that collectively are quantitatively or qualitatively material; and a series of related attacks from multiple actors exploiting the same vulnerability and collectively impeding the company’s business materially. The SEC did not adopt a provision that would have required disclosure in a Form 10-K or 10-Q when a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate.
- Updating Initial Incident Reports. Companies are required to identify in the initial 8-K any information not yet determined or that is unavailable at the time, and then to file an amended Form 8-K containing such information within four business days after the company, without unreasonable delay, determines such information or within four business days after such information becomes available. Other than with respect to such previously undetermined or unavailable information, the final rules do not separately create a duty to update the information disclosed in the initial Form 8-K, although the SEC reminded companies of general principles that may require corrective disclosure after the initial Form 8-K filing. It is unclear how the Form 8-K amendment requirement will operate in practice because, given the nature of cybersecurity incidents, it is likely that many companies will have information that is not determined or is unavailable at the time of the initial Form 8-K disclosure. The SEC did not adopt a provision in the rule proposal that would have required companies to provide updated information in a subsequent Form 10-K or 10-Q about a cybersecurity incident originally reported in a Form 8-K.
Annual Disclosure of Cybersecurity Processes and Governance in Form 10-K
In addition to incident reporting, the new rules will require companies to provide the following disclosure in their Form 10-Ks regarding their cybersecurity processes and governance.
- Processes. New Item 106 of Regulation S-K will require companies to describe their processes, if any, for identifying, assessing and managing material risks from cybersecurity threats, in sufficient detail for a reasonable investor to understand those processes. When describing cybersecurity risk processes, companies should disclose whether and how any such processes have been integrated into their overall risk management systems or processes, whether they engage consultants or other third parties in connection with such processes, and whether they have processes to oversee and identify such risks from cybersecurity threats associated with the use of third-party service providers. Unlike the proposed rules, however, the final rules will not require a detailed discussion of a company’s prevention and detection activities, continuity and recovery plans, or corrective actions taken as a result of prior cybersecurity incidents.
- Effect of Cybersecurity Threats. Somewhat buried among the provisions about cybersecurity risk management and governance disclosures, Item 106 also contains a provision that requires companies to describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition and if so, how.
- Governance. Item 106 will further require companies to disclose the role of the board and management in cybersecurity governance.
- Board Oversight. Item 106 will require companies to describe the board of directors’ oversight of risks from cybersecurity threats and, if applicable, any board committee or subcommittee responsible for cybersecurity oversight and describe the processes by which the board or such committee is informed about such risks. The SEC decided not to mandate disclosure about the cybersecurity expertise, if any, of directors, and removed the proposed requirement to disclose the frequency of board or committee discussions on cybersecurity.
- Management Role. Item 106 will require companies to describe management’s role in assessing and managing a company’s material risks from cybersecurity threats, which should include disclosure of the members of management responsible for managing cybersecurity risks, their relevant expertise, the processes management uses to become informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents and whether management reports this information to the board or a cybersecurity risk committee of the board.
Foreign Private Issuers
The requirements created by the final rules for FPIs differ from those for U.S. domestic companies when it comes to incident reporting but are substantially identical with respect to the annual disclosures about cybersecurity risk management processes and governance.
- Incident Reporting. For FPIs, the new rules do not create a standalone U.S. disclosure trigger for cybersecurity incidents. Form 6-K will be amended to specifically reference material cybersecurity incidents, but just as with other matters referred to in Form 6-K, FPIs will only be required to furnish on Form 6-K whatever information about the incident the FPI makes or is required to make public under the laws of its home jurisdiction, the rules of any stock exchange where its securities are traded or otherwise by providing the information to its security holders. Therefore, absent mandatory or voluntary disclosure of the cybersecurity incident under applicable home country rules, the new rules will not require an FPI to report the incident on Form 6-K. It is possible, however, that some FPIs may look to the incident reporting rules for domestic issuers for guidance on when to disclose cybersecurity incidents voluntarily.
- Process and Governance Disclosures. The new rules will, however, require FPIs in their Form 20-F to include the same cybersecurity risk management and governance disclosures described above as are required of U.S. domestic companies on Form 10-K.
Canadian companies filing on Form 40-F will not be required to comply with the governance disclosures mandated by the final rules but will continue to have Canadian cybersecurity disclosure requirements reflected in Form 40-F filings.
The final rules will become effective 30 days following the publication of the adopting release in the Federal Register. We expect that this publication will occur over the course of the next few weeks. The SEC established the following compliance dates for the new incident reports and the annual disclosure about cybersecurity risk management and governance and for the corresponding XBRL tagging of the information.
- Incident Reports on Form 8-K/6-K. Companies must begin complying with the incident reporting requirements on Form 8-K on the later of 90 days after the date of publication of the adopting release in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days and must begin complying with incident reporting on Item 1.05 Form 8-K on the later of 270 days from the effective date of the rules or June 15, 2024. The same compliance date applies to the added reference to cybersecurity incidents in Form 6-K but, as noted above, this reference does not result in a standalone U.S. reporting trigger for cybersecurity incidents.
- Annual Form 10-K/20-F Disclosures About Risk Management and Governance. Companies must provide such disclosures beginning with Form 10-K or 20-F for fiscal years ending on or after December 15, 2023. For calendar year filers, this means that these periodic disclosures will be required for the first time in the Form 10-K or 20-F for fiscal year 2023, filed in calendar year 2024.
- XBRL. Tagging is required for all of these disclosures (other than FPI incident reports on Form 6-K). All companies must tag disclosures required under the final rules using Inline XBRL beginning one year after initial compliance with the related disclosure requirement.
What Companies Should Do Now
Prepare for Incident Reporting
One of the most challenging requirements of the new rules is the four-business day reporting deadline, which will have several implications, including the following:
- Incident Response Plans. Companies should update their cybersecurity incident response plans to incorporate this new reporting obligation and clearly delineate how, when, and by whom it will be determined whether an incident, either on its own or when aggregated with related incidents, is material and therefore must be disclosed.
- Disclosure Controls. Companies should ensure that their disclosure committees, or those individuals responsible for making materiality and disclosure decisions, are directly connected to those individuals in the company who are responsible for evaluating and reporting the occurrence of a cybersecurity incident. In that regard, companies should review the escalation procedures within their information security teams that relate to identifying when cybersecurity incidents occur. After the occurrence of a cybersecurity incident, these lines of communication should be enhanced to ensure more frequent updating of the appropriate individuals at the company and a reassessment of the status, scope and severity of an incident so that timely materiality assessments can be made as new information becomes available and that any updating disclosures are made in a timely manner.
- Record Keeping. In light of the strict four-business day deadline for filing the incident report Form 8-K, companies should carefully document the date on which they determine that an incident is material and the process undertaken to make this determination. This includes recording when those individuals responsible for making materiality and disclosure decisions, executives and directors were initially advised of the incident and when they were updated. Companies should be able to prepare the timeline from incident discovery to materiality determination, along with related internal communications, so that they are able to document that they made their materiality determination without unreasonable delay and, if applicable, the appropriate disclosures within the required timeframe. Companies should take all necessary steps to adequately protect the privilege of these communications.
- No Exceptions to the Four-Day Trigger. Companies should also be mindful that the four-business day disclosure deadline operates independently of any other provisions of law (such as state or local data protection laws) that may permit or mandate a delay in notifying the public about material cybersecurity incidents. Therefore, companies should consider how the timing of potential SEC-required disclosures may impact, and potentially accelerate, their existing regulatory or contractual obligations.
- Effect of Required Public Disclosure. This potential acceleration of public disclosure of an ongoing incident may raise its own challenges, because the company will be faced with questions from investors, regulators or customers before full information about the incident is available. Being forced to go public with the discovery of a cyber-attack could also affect containment or remediation efforts, and companies’ information security teams and their external advisers will need to be mindful of that.
- Cybersecurity Risk Identification and Assessment Must Include Third-Party Providers. In light of the SEC’s decision to include cybersecurity incidents at third-party providers, such as cloud service providers, within the types of incidents that must be reported if they are determined to be material for a company, companies will need to ensure that any information they receive about third-party incidents is directed into the company’s own materiality determination and disclosure process in the same manner as incidents involving the company’s own systems. Waiting to see whether the third party discloses the incident is not a substitute for an independent company-focused materiality determination. The SEC expressly noted that an incident that occurs on a third-party system may have to be disclosed by both the service provider and the customer, or by one but not the other, or by neither, depending on the circumstances. This could, for example, force companies to disclose an incident occurring at a service provider that the service provider itself has not yet publicly disclosed. Companies may want to consider revising third-party contracts to expressly address any liability arising from the required disclosures (e.g., that the company can file an Item 1.05 Form 8-K and is not liable to a third-party provider for doing so).
- Tracking Minor Cybersecurity Incidents for Potential Aggregation. Companies should advise their information security teams of the importance of tracking minor cybersecurity incidents so an assessment can be made as to whether they are “related” under relevant SEC guidance and therefore need to be aggregated in the company’s materiality determination with a view to potential public disclosure.
Review Cybersecurity Risk Management and Governance
While the SEC’s final rules do not prescribe any particular substantive standards for companies’ internal processes and governance with respect to cybersecurity, the new comprehensive disclosure requirements will likely result in companies describing robust cybersecurity risk identification, assessment and management processes and governance, including an appropriate level of board engagement on cybersecurity matters. Many companies already include certain of these disclosures in their proxy statements as part of their risk management disclosures, but these are often focused on the role of the board. As these new disclosures are likely to be a means of comparison for assessments of the quality of cybersecurity incident preparedness within and across industries, companies will want to review and, where necessary, enhance their existing practices and policies with a view to their public disclosure in future Form 10-Ks or 20-Fs. Companies should consider which practices should now be documented to provide the appropriate compliance rigor and to demonstrate the formalization of these processes within the organization.