After an extensive comment period, the SEC announced on July 26 that it was formally adopting new rules for public companies governing cybersecurity disclosures. The rules had generated significant backlash from public companies, who criticized the new reporting deadlines for data security incidents as well as the mandatory cyber-risk disclosures the Rules mandate.
Adoption of the new cybersecurity rules will create immediate compliance challenges for public companies. For companies whose fiscal year closes on December 31, 2023, the new cyber-risk disclosures will be mandatory for their upcoming annual report filings. The new breach reporting deadlines are likely to trigger a wave of scrutiny for public companies that suffer material security incidents, making it essential for public companies to carefully consider both the content of the risk disclosures as well as the maturity of their information security programs.
What the New SEC Cybersecurity Rules Require
The SEC Cybersecurity Rules strive to enhance and standardize disclosures regarding cybersecurity incidents, risk management, strategy, and governance. Public companies subject to the reporting requirements of the Securities Exchange Act of 1934 will be subject to new disclosure requirements regarding (1) cybersecurity incidents, and (2) cybersecurity risk management, strategy, and governance. The rules also significantly expand cyber compliance obligations for registered investment advisers (RIAs), investment companies and broker-dealers.
Beginning with the incident disclosure requirements, the rule amends Form 8-K to require disclosure of material cybersecurity incidents within four days of identifying that a material event has occurred. The definition of “materiality” has not been changed in the new rule, and continues to follow prior SEC guidance in this area. The rule also adds new items to Regulation S-K and Form 20-F that require public companies to provide updated disclosures relating to previously disclosed cybersecurity incidents. Further, these additions will require disclosure when a series of previously undisclosed and individually immaterial incidents become material in the aggregate. Finally, the rule amends Form 6-K to add cybersecurity incidents as a reporting topic.
The four-day reporting deadline is perhaps the most controversial of the new reporting requirements, and generated significant controversy during the comment period. Many commenters questioned whether such a short reporting deadline would impair ongoing FBI investigations, and force companies to make rushed and incomplete public disclosures that will only open the companies up to further second-guessing and potential liability.
Cyber Risk Management
The new rules create a swath of new reporting requirements regarding cybersecurity risk management, strategy, and governance. Specifically, the amendments to Regulation S-K and Form 20-F require a registrant to describe its policies and procedures, if any, for the identification and management of risks from cybersecurity threats. This includes disclosure of whether the company considers cybersecurity as part of its business strategy, financial planning, and capital allocation, and how management implements cybersecurity policies, procedures, and strategies. The SEC Rule also requires disclosure concerning whether the company has a chief information security officer (CISO) as well as policies and procedures targeted to identify and manage cyber risk.
RIAs, Investment Companies and Broker-Dealers
The new SEC rules also impose significant new compliance requirements on RIAs, investment companies and broker-dealers. More specifically, the new rules:
- Require RIAs and investment companies to adopt and implement written policies and procedures that are reasonably tailored to address cybersecurity risks, engage in periodic risk assessments, security monitoring and vulnerability management;
- Require RIAs to report “significant cybersecurity incidents” to the SEC within 48 hours of discovery, including incidents related to the adviser or registered funds or private funds managed by the adviser. Unlike reporting by public companies, these reports would be deemed confidential;
- Require broker-dealers, RIAs, and investment companies to implement written policies and procedures for incident response programs, including requiring covered institutions to provide notice within 30 days to affected individuals whose sensitive customer information was accessed or used without authorization.
Timing for Compliance With New Rules
The new cybersecurity rules will become effective 30 days following the publication of the adopting release in the Federal Register.
Companies must begin reporting material cybersecurity incidents on Form 8-K or Form 6-K on the later of 90 days after the publication of the final rules in the Federal Register or December 18, 2023. Smaller reporting companies have an additional 180 days and must begin reporting incidents on the later of 270 days after the date of publication or June 15, 2024. If a company is unsure whether it will qualify as a smaller reporting company, best practice is to assume the effective time for companies other than smaller reporting companies applies.
Once the new rules come into effect, any cybersecurity incident a company deems material must be disclosed on new Item 1.05 of Form 8-K within four days after determining the incident is material — rather than the date the company discovers the incident. The SEC has clarified that the materiality determination must be made “without unreasonable delay” following discovery. A company may delay disclosure for up to 30 days if the U.S. Attorney General notifies the Commission that immediate disclosure may pose a significant risk to public safety or national security, with an additional 60-day delay for extraordinary circumstances.
Companies must annually disclose cybersecurity risk management, strategy, and governance on Form 10-K or 10-F, starting with annual reports for fiscal years ending on or after December 15, 2023. This effective date means companies with calendar-end fiscal years will be among the first to comply with these new disclosure requirements.
Analysis and Recommendations
The newly adopted rules aim to provide more transparency to investors by regulating disclosure requirements concerning a company’s cybersecurity incidents, risk management, strategy and governance. Many companies must undergo a significant effort in the upcoming months to switch from cybersecurity being an operational issue to a board issue. To ensure compliance, boards should carefully consider potential cybersecurity risk procedures and establish strategies for meeting annual disclosure requirements and reporting material incidents within four days.
Given the short turnaround period – particularly for companies filing annual reports for the calendar-end fiscal year – boards must act quickly to implement new disclosure controls and ensure proper disclosure. Companies must hone in on their cybersecurity risk management and governance processes as auditors expand their internal control analysis to pick up the new disclosure rules this fall. Public companies must be particularly mindful to develop additional disclosure controls to ensure timely and accurate reporting of the new disclosure relating to cybersecurity risk management, strategy, and governance, and cybersecurity incidents.
Beyond the accelerated reporting requirements, the SEC’s new cybersecurity procedures pose numerous challenges for public companies, including enhanced regulatory scrutiny, SEC enforcement actions for non-compliance, and shareholder and customer lawsuits. Publicly disclosing incidents can lead to reputational damage and vulnerability to bad actors obtaining potentially sensitive information about a company’s cybersecurity procedures.
We recommend companies work closely with legal counsel experienced in cybersecurity matters and SEC disclosure to implement board cybersecurity training, develop internal reporting mechanisms, assess the materiality of incidents and ensure compliance with the new disclosure rules.