By a 3-2 vote on July 26, the U.S. Securities and Exchange Commission (SEC) adopted final rules enhancing disclosure requirements regarding public companies’ cybersecurity risk management, strategy, governance and incident reporting. These rules apply to all registrants, including business development companies. The SEC adopted the final rules after receiving more than 150 submissions during the comment period, and streamlined the proposed rules to address concerns that excessive disclosures could lead to greater cybersecurity risk (see our prior alert on the proposed rules).
The final rules require disclosure of “material cybersecurity incidents” in a Form 8-K that must be filed within four business days of determining that the incident is “material.” Companies must determine without “unreasonable delay” following discovery whether an incident is material. Under existing law, this determination is based on whether there is a substantial likelihood that a reasonable investor would consider the information important or whether the information would have significantly altered the total mix of information made available to the investor. A materiality determination is a fact-specific inquiry that weighs the magnitude of the incident in light of total company activity. In making materiality judgments, companies should consider both the qualitative and quantitative effects of an incident, including possible reputational, performance, legal or regulatory repercussions.
The final rules limit the scope of incident-specific information that must be disclosed compared with the initial proposal. Under the final rules, companies are required to “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” The proposed rules would have required additional information not limited by materiality. This change shifts the focus away from the details of the incident and toward its impact, which the SEC describes as an effort to address concerns about exacerbating security vulnerabilities by over-disclosure while still providing sufficient information to investors.
The final rules also add a provision to delay the four-business-day disclosure deadline when such disclosure would pose a substantial risk to national security or public safety. The attorney general needs to authorize any extension in writing and has discretion to determine the length of the delay, up to 30 days following the original deadline. Subject to a determination of a continuing substantial risk and written notification to the SEC, the attorney general may allow a second delay of 30 days and, “in extraordinary circumstances,” a third delay of 60 days. Beyond that, the SEC may consider additional requests for an extension if the attorney general indicates it is necessary.
Security incident disclosures are to be set out in Forms 8-K and 6-K beginning either 90 days after publication of the final rules in the Federal Register or on Dec. 18, whichever is later. Any material changes, additions or updates containing information that was unavailable at the time of the initial Form 8-K filing should be disclosed by amending that filing, rather than in Forms 10-Q and 10-K. Foreign private issuers should report incidents on a Form 6-K instead of a Form 8-K.
The final rules also amend Regulation S-K to require annual disclosures describing a company’s cybersecurity risk management and strategy in Forms 10-K and 20-F, including “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.”
The SEC lists certain elements that should be included in these disclosures, including whether and how the company has integrated cybersecurity processes into its overall risk management system, whether it engages third parties such as consultants or auditors in connection with such processes, and whether it has processes in place to oversee material risks associated with any third-party service providers. The SEC emphasizes that this is a non-exhaustive list; registrants should disclose whatever information is necessary for a reasonable investor to understand the company’s cybersecurity risk management processes.
Companies must also disclose which persons and committees hold cybersecurity responsibilities, explain the relevant expertise of such persons or committee members, and describe how they monitor the prevention, detection, mitigation and remediation of cybersecurity incidents. The final rules also require disclosure of whether such persons or committees report information about cybersecurity risks to the board of directors. A proposal to require disclosure of board members’ cybersecurity expertise does not appear in the final rules.
The final annual reporting rules also reflect changes from the proposed rules, in response to comments that excessive disclosures could compromise cybersecurity measures overall. For example, the final rules use the term “processes” instead of “policies and procedures,” which is intended to avoid requiring disclosure of sensitive details or a lack of written practices, and to include company security practices that may not be documented. The final rules also narrow the scope of cybersecurity processes that must be described to those that address “material” risks.
Companies will also need to disclose in Forms 10-K and 20-F whether any risks from cybersecurity threats, including as a result of prior incidents, have materially affected or are reasonably likely to materially affect the company, “including its business strategy, results of operations, or financial condition and if so, how.” The final rules also narrow the proposed rules by limiting disclosures regarding board cybersecurity oversight to those concerning the board’s role in assessing and managing material risks from cybersecurity threats.
Registrants must provide the disclosures described above, starting with annual reports for fiscal years ending on or after Dec. 15, 2023.
Commissioner Hester Peirce issued a dissent from the rules’ adoption, arguing that the disclosure requirements reflect an excessively expansive view of the SEC’s authority, will impose unnecessary compliance costs and risk forcing companies to offer a “roadmap” to cybercriminals. She also expressed concern that the fast timeline for disclosure could cause companies to provide investors with misleading information about cybersecurity incidents.
The final rules can be found here.