SEC Issues Final Rules on Cybersecurity Disclosures

Kelley Drye Client Advisory

On July 26, 2023, in a 3-2 vote, the Securities and Exchange Commission (the “SEC”) adopted new rules (the “Final Rules”) for public companies that will require disclosures regarding cybersecurity incidents, as well as cybersecurity risk management, strategy, and governance. The Final Rules will dramatically affect the way public companies disclose cyber incidents and matters relating to their cybersecurity oversight.

Additionally, in adopting the new requirements, the SEC confirmed through the Final Rules that the 2018 Interpretive Release and 2011 Staff Guidance remain applicable and should be used to inform potential disclosure obligations relating to cyber incidents that are not specifically addressed in these new requirements.

This client advisory summarizes these new disclosure requirements and offers compliance guidance on the Final Rules, which can be found here. The Commission’s Fact Sheet can be found here.

Who Will Be Required to Report

Domestic public companies will be required to report material cybersecurity incidents within four business days (with limited exceptions), effective as early as December of this year, and all public companies will be required to include cybersecurity risk management disclosures in their annual reports beginning with the first Annual Report on Form 10-K or Form 20-F for fiscal years ending on or after December 15, 2023.

New Disclosure Requirements Regarding Cybersecurity Incidents

The Final Rules add new Item 1.05 to Form 8-K, which requires that a registrant that experiences a material cybersecurity incident must report the incident within four business days of when the registrant determines that such an incident is material to the registrant. This determination is to be made “without unreasonable delay after discovery of the incident.”

  • Material Aspects of the Cyber Incident. The Final Rules require companies to “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” While the Final Rules did not include the proposal to disclose when a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate, the SEC instead expanded the already broad definition of “cybersecurity incident” to capture a series of related occurrences that collectively may have a material impact on a company. This would include when a company finds that it has been materially affected by what may appear as a series of related cyber intrusions, each of which may be immaterial.
  • Timing Exception. The Final Rules include a limited exception to the four-day reporting requirement if the U.S. Attorney General determines that disclosure poses a “substantial risk to national security or public safety” and notifies the SEC in writing.


Annual Cybersecurity Risk Management Disclosure

The Final Rules add new Item 1C to Form 10-K that directs registrants to provide the information required by new Item 106 of Regulation S-K. Companies must describe their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.

  • Description of Cyber Risk Management Processes. The discussion in the Form 10-K should address whether and how the Cyber Risk Management Processes are integrated into overall risk management processes, such as whether the company engages consultants or other third parties in connection with its processes and whether the company has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.
  • Role of Board of Directors. Companies will be required to describe the board of directors’ oversight of risks from cybersecurity threats, identify any board committee or subcommittee responsible for such oversight, and describe the processes by which the board or any such committee is informed about these risks. This disclosure must be in the Form 10-K, even if it is otherwise already in the proxy statement.
  • Role of Management. Companies will be required to describe management’s cybersecurity expertise and its role in assessing and managing material risks from cybersecurity threats. As part of that disclosure, companies must disclose, to the extent applicable, whether and which management positions or committees are charged with managing cybersecurity risks, the processes by which the relevant persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents and whether such persons or committees report information about these risks to the board or board committees.
  • Disclosure of Cybersecurity Threats. The Final Rules also require disclosure of “whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition.”


Timing

The SEC has provided that a company must report a cybersecurity incident on Form 8-K within four business days after it determines that the incident is material. The materiality determination must be made “without unreasonable delay,” a change from the requirement in the proposal to make the determination “as soon as reasonably practicable.” The SEC made this change to address concerns that companies would feel the need to disclose before making a materiality determination and to allow companies to take time to properly evaluate the event.

The SEC’s Cybersecurity Risk Management Strategy, Governance, and Incident Disclosure Rules were officially published in the Federal Register on August 4, 2023 and go into effect on September 5, 2023.

Most companies will need to start making these disclosures by December 18, 2023. Smaller reporting companies must begin making such disclosures on June 15, 2024.

  • Unreasonable Delay. The release includes examples of what would constitute “unreasonable delay,” such as when a company intentionally delays a committee meeting on the materiality determination past the normal time it takes to convene its members or if a company revises policies and procedures to delay a determination by extending its incident severity assessment deadlines.
  • Good Faith Compliance. The SEC notes that if companies adhere to normal internal practices and disclosure controls and procedures, that will suffice to demonstrate good faith compliance.


The Final Rules were published in the Federal Register on August 4 and became effective on September 5. The chart below summarizes the compliance dates, including transition delays that apply to smaller reporting companies:

| Requirement | Issuers other than Smaller Reporting Companies | Smaller Reporting Companies |
| --- | --- | --- |
| Item 1.05 incident reporting on Form 8-K (and Form 6-K) | Beginning on December 18, 2023. | Smaller reporting companies will have an additional 180 days before they must begin complying with the new Form 8-K requirements. Beginning on June 15, 2024. |
| Inline XBRL tagging of Item 1.05 incident reporting on Form 8-K | Beginning on December 18, 2024. | Beginning on December 18, 2024. |
| S-K 106 disclosure on Form 10-K and Form 20-F Item 16K | Beginning with annual reports for fiscal years ending on or after December 15, 2023. For calendar year-end companies this means the Form 10-K filed in 2024 with respect to the year ended December 31, 2023. | Beginning with annual reports for fiscal years ending on or after December 15, 2023. For calendar year-end companies this means the Form 10-K filed in 2024 with respect to the year ended December 31, 2023. |
| Inline XBRL tagging of S-K 106 disclosure on Form 10-K (and Form 20-F Item 16K) | Beginning with annual reports for fiscal years ending on or after December 15, 2024. For calendar year-end companies this means the Form 10-K filed in 2025 with respect to the year ended December 31, 2024. | Beginning with annual reports for fiscal years ending on or after December 15, 2024. For calendar year-end companies this means the Form 10-K filed in 2025 with respect to the year ended December 31, 2024. |


Compliance Implications for Clients

The Final Rules will likely create significant compliance challenges as well as enforcement risks for public companies.

Companies will need to thoroughly analyze their internal disclosure controls with respect to cybersecurity threats and incidents, reassess their cybersecurity risk management processes and governance practices, and expend substantial effort in drafting their cybersecurity disclosures to minimize such risks. In addition, companies will need to quickly determine cybersecurity incident materiality and make disclosures within four business days of the determination—an aggressive timeline, as compared to most other federal and state breach notification laws. In addition, it will be important for companies to track incident-related required disclosures to include any required updates in amended Form 8-K filings.

Attorneys in Kelley Drye’s Corporate Practice Group are available to assist in navigating and preparing for compliance with these new disclosure rules. For more information, please contact your current Kelley Drye attorney or any member of the Corporate Practice Group.