The SEC has now finalized its much anticipated rules for public companies’ cybersecurity disclosures. The final rules, published this month, require disclosure of certain cybersecurity incidents much sooner than under many other breach notification regimes. Additionally, the final rules require new periodic disclosures about a company’s processes to assess, identify, and manage material cybersecurity risks and about the roles of management and the board of directors in managing or overseeing those cybersecurity risks. These new requirements vary from the SEC’s prior (2018) guidance, and unlike in the past, are now codified under the Securities Exchange Act of 1934 and the Securities Act of 1933.
Under the new rule, a public company that suffers a “material cybersecurity incident” will have to file a Form 8-K disclosing the incident within four business days after the company’s materiality determination. An incident is material if it is substantially likely that an investor would consider the impact of the incident important in making an investment decision, or if it alters the total mix of available information. In making this determination, companies should consider the total impact of the incident, including both immediate and long-term effects on finances, brand perception, customer relationships, and the like. The SEC acknowledges that evaluating whether an incident is material may take time, but it makes clear that companies should make that determination “without unreasonable delay.”
The SEC further explains that, in the new Item 1.05 of the Form 8-K, the company must disclose the nature, scope, timing, and impact, or reasonably likely impact, of the incident. This includes reporting on the financial and operational impact of the incident. Additionally, to the extent any of the information required in Item 1.05 is not available at the time of initial reporting, companies are required to file an amendment to the Form 8-K containing that information within four business days after it becomes available. Though this final rule went into effect on September 5, 2023, the SEC has given most public company registrants until December 18, 2023 to start complying with the rule (smaller reporting companies—companies with revenues or public floats under certain thresholds—will not have to start complying with the incident disclosure requirements until June 15, 2024).
The final rules also amend Regulation S-K, adding a new “Item 106” to companies’ annual 10-K filings. Beginning with fiscal years ending on or after December 15, 2023, public companies must add information about how they assess, identify, and manage their cybersecurity risks to their annual 10-K filing, including management’s role in assessing and managing material cybersecurity risks and the board of directors’ role in overseeing such cybersecurity risks. They must also disclose any cybersecurity incidents that materially affect or are likely to materially affect the company.
Putting It Into Practice: December is not far away. Companies can begin now by reviewing their internal cybersecurity programs and incident response plans to address the four-day requirement and to ensure they have the necessary cybersecurity risk assessment and cybersecurity governance processes in place to include in their upcoming 10-K disclosures.