The Impact of the SEC’s New Cybersecurity Policies

Introduction

The rapid advancement of technology has led to an increasing number of cybersecurity incidents that pose significant risks to organizations, their stakeholders, and the general public. Recognizing the importance of transparent and timely reporting of such incidents, the U.S. Securities and Exchange Commission (SEC) announced on July 26, 2023, that it has adopted final rules regarding cybersecurity disclosure requirements for public companies. These rules mandate the disclosure of material cybersecurity incidents and information related to cybersecurity risk management, strategy, and governance.

This technical blog post delves into the key aspects of these newly adopted rules and their implications for public companies.

Key Takeaways

- Timely incident reporting: New Item 1.05 of Form 8-K requires reporting of material cybersecurity incidents within four business days, promoting swift transparency. Failure to timely file will not impact Form S-3 eligibility.

- Limited reporting delay for security: Possible delay in disclosure for national security risks with U.S. Attorney General’s approval, up to 120 days with SEC consent.

- Comprehensive incident disclosures: Incomplete Form 8-K data requires acknowledgment and later amendment filing, reducing redundancy.

- Broadened incident definition: Final rules broaden “cybersecurity incident” to include related unauthorized events, for a more holistic view.

- Annual risk reporting (Form 10-K): Beginning with annual reports for fiscal years ending on or after December 15, 2023, Regulation S-K Item 106 mandates yearly reporting on cybersecurity risk, strategy, governance, board oversight - without mandatory disclosure of board members’ expertise.

- Foreign Private Issuers: The rules require comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.

- Compliance timing: Effective 30 days post Federal Register publication. Timelines will vary according to the size of a company.

Form 8-K: Incident Reporting

The finalized rules introduce a crucial change in the disclosure process through the addition of Item 1.05 to Form 8-K. This new requirement necessitates the reporting of material cybersecurity incidents within four business days from the company’s determination that the incident is material (not the date of discovery of the incident). Although the scope of disclosure in Item 1.05 has been refined, some notable deviations from the proposed rules are evident.

Limited Delay in Reporting

In cases where the disclosure of cybersecurity incidents could potentially jeopardize national security or public safety, a delay in reporting is permissible. However, this delay is subject to the U.S. Attorney General’s determination and cannot extend beyond a specified period, generally capped at 120 days. Such extensions require the SEC’s approval through an exemptive order.

Updated Incident Disclosures

When the required information for the Item 1.05 Form 8-K disclosure is not yet ascertainable or unavailable at the time of filing, the company must acknowledge this fact in the Form 8-K and subsequently file an amendment within four business days after obtaining the missing information. Notably, subsequent periodic filings will not necessitate updates based on this information. 

Aggregation of Incidents

The concept of aggregating cybersecurity incidents is a noteworthy change from the proposed rules. While the requirement to disclose individually immaterial incidents has been omitted, the final rules encompass a broader definition of a cybersecurity incident. According to the SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, this definition encompasses “a series of related unauthorized occurrences,” enabling a more comprehensive overview of the incident-related disclosures.

Form 10-K: Cybersecurity Risk Management, Strategy, and Governance 

Building upon the proposed rules, the finalized rules introduce a new Item 106 to Regulation S-K. This mandates an annual reporting of specific cybersecurity aspects, including risk management, strategy, governance, and the board’s oversight of cybersecurity risks. However, a departure from the initial proposal is that the final rules do not require the disclosure of board members’ cybersecurity expertise.

Effective Date and Compliance Timing

Compliance timelines vary based on the type of disclosure and the size of the reporting company:

• Companies, excluding smaller reporting companies, must comply with Item 1.05 of Form 8-K within 90 days of the adopting release’s publication or by December 18, 2023, whichever is later.
• Smaller reporting companies are granted 270 days from the adopting release’s publication, or until June 24, 2024, to comply with Item 1.05 of Form 8-K.
• For Item 106 of Regulation S-K, all companies must commence compliance with their annual reports for fiscal years ending on or after December 15, 2023. 
• Structured data requirements apply to all companies one year after the initial compliance date for the corresponding disclosure.

Conclusion

The SEC’s new cybersecurity rules mark a significant milestone in enhancing transparency and accountability in the face of growing cybersecurity threats. These rules mandate the timely reporting of material incidents and the provision of comprehensive information about cybersecurity risk management, strategy, and governance.

As companies prepare to comply with these regulations, the landscape of cybersecurity disclosure in the corporate world will undergo transformative changes by promoting informed stakeholders and robust risk management practices.