SEC Adopts Cybersecurity Risk Management and Incident Disclosure Rules | Practical Law

The SEC adopted new rules to enhance disclosures regarding cybersecurity risk management, strategy, governance, and incidents.

SEC Adopts Cybersecurity Risk Management and Incident Disclosure Rules

Practical Law Legal Update w-040-2089 (Approx. 8 pages)

by Practical Law Corporate & Securities
Published on 27 Jul 2023 | USA (National/Federal)
Update: On August 4, 2023, the SEC's cybersecurity disclosure rules were published in the Federal Register. The final rules will become effective September 5, 2023. For updated information on applicable compliance dates, see Compliance Dates.
On July 26, 2023, the SEC adopted new rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents. Specifically, the new rules will require reporting companies to:
  • Disclose certain information related to material cybersecurity incidents on Form 8-K.
  • Include disclosures in annual reports regarding:
    • the company's processes for assessing, identifying, and managing material risks from cybersecurity threats; and
    • the board of directors' and management's role in overseeing and managing material risks from cybersecurity threats.
  • Present the required cybersecurity disclosures in Inline XBRL.
The final rules will become effective September 5, 2023. For information on applicable compliance dates, see Compliance Dates.

Cybersecurity Incident Disclosure

New Item 1.05 of Form 8-K will require reporting companies to disclose certain information related to cybersecurity incidents, as defined in new Item 106(a) of Regulation S-K (see Item 106(a): Definitions), that the company determines to be material, including a description of:
  • The material aspects of the nature, scope, and timing of the incident.
  • The material impact or reasonably likely material impact on the company, including its financial condition and results of operations.
The SEC notes the final rule's inclusion of "financial condition and results of operations" is not exclusive, and companies should consider both qualitative and quantitative factors in assessing the material impact of an incident. Additional examples of what may constitute a material impact or reasonably likely material impact include:
  • Harm to the company's reputation, customer or vendor relationships, or competitiveness.
  • The possibility of litigation or regulatory investigations or actions, including actions by state and Federal authorities and non-US authorities.
Instruction 2 to Item 1.05 provides that where information called for in Item 1.05 has not been determined or is unavailable, the company should include a statement to that effect in its filing. Once the company determines that information or it becomes available, the company must file an amendment to its Form 8-K under Item 1.05 providing the information within four business days.
Instruction 4 to Item 1.05 also codifies the SEC's assurance from the proposing release that the company's disclosures do not need to include specific or technical information about its planned incident response or its cybersecurity systems in such detail as would impede its response or remediation of the incident.

Determining Materiality of Cybersecurity Incidents

The trigger for an Item 1.05 Form 8-K will be the date the company determines that a cybersecurity incident is material, not the date of discovery. Companies must file the Form 8-K within four business days of making such a materiality determination. However, Instruction 1 to Item 1.05 makes clear companies must make their materiality determinations about a cybersecurity incident without unreasonable delay. For example, for incidents impacting key systems and information or involving unauthorized access to or exfiltration of large quantities of particularly important data, the company may be able to determine materiality even without complete information about the incident. Additional examples of unreasonable delay provided by the SEC include:
  • If the materiality determination is made by a board committee, intentionally deferring the committee's meeting on the determination past the normal time it takes to convene committee members.
  • Revising existing incident response policies and procedures in order to support a delayed materiality determination, such as by:
    • extending the incident severity assessment deadlines;
    • changing the criteria that would require reporting the incident to management or committees responsible for public disclosures; or
    • introducing other steps to delay the determination or disclosure.
The standard for materiality will be consistent with existing cases addressing materiality in securities laws. Companies will have to take a well-reasoned, objective approach from a reasonable investor's perspective based on the total mix of information to determine whether the incident is material under the specific circumstances. For more information on determining materiality, see Practice Note, Determining Materiality in Securities Offerings and Corporate Disclosure.

Disclosure Delays Relating to National Security Concerns

Companies will be permitted to delay disclosure in certain limited circumstances. Item 1.05(c) provides that where the US Attorney General determines and notifies the SEC in writing that disclosure required under Item 1.05 would pose a substantial risk to national security or public safety, the company may delay providing the disclosure for a period, specified by the Attorney General, of up to 30 days after disclosure would have otherwise been required. Additional delays are permitted under the rule, but relief extending beyond 90 days after the initial 30-day delay will have to be granted by the SEC through an exemptive order.
In such cases where the Attorney General communicates to the SEC that delayed disclosure is necessary, the Department of Justice will notify the company that such a determination and communication has been made so it can delay filing its Form 8-K.

Form S-3 Eligibility and Exchange Act Liability Safe Harbor

The SEC also amended other rules and forms in connection with the adoption of new Item 1.05 of Form 8-K:
For more information on current Form 8-K filing requirements, see Practice Notes, Form 8-K and Form 8-K Reporting and Filing Deadlines Chart.

Cybersecurity Disclosure in Annual Reports

The SEC adopted new Item 106 of Regulation S-K to require disclosure related to company cybersecurity risk management, strategy, and governance. Item 106 disclosures will be required in the company's annual report on Form 10-K. For more information on Form 10-K, see Practice Note, Form 10-K.

Item 106(a): Definitions

Item 106(a) provides the defined terms for purposes of the rules, including definitions for cybersecurity incident, cybersecurity threat, and information systems. Item 106(a)'s defined terms also apply to new Item 1.05 of Form 8-K discussed above.

Item 106(b): Risk Management and Strategy

Item 106(b)(1) requires companies to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats. Such disclosure must be detailed enough for a reasonable investor to understand those processes and address the following non-exhaustive list of disclosure items, as applicable:
  • Whether and how the described processes have been integrated into the company's overall risk management system or processes.
  • Whether the company engages assessors, consultants, auditors, or other third parties in connection with any such processes.
  • Whether the company has processes to oversee and identify material risks from the cybersecurity threats associated with its use of any third-party service provider.
Item 106(b)(2) requires companies to disclose whether and how any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition.

Item 106(c): Governance

Item 106(c) requires companies to provide disclosures regarding the board of directors' and management's role in overseeing cybersecurity risks. Specifically, companies must:
  • Describe the board's oversight of risks from cybersecurity threats and, if applicable, identify any board committee or subcommittee responsible for cybersecurity risk oversight and the processes by which the board or such committee is informed about cybersecurity risks.
  • Describe management's role in assessing and managing material risks from cybersecurity threats. The company's description should address, as applicable, the following non-exhaustive list of disclosure items:
    • whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
    • the processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
    • whether such persons or committees report information about such risks to the board or a committee or subcommittee of the board.

Foreign Private Issuers

Since foreign private issuers (FPIs) do not have Form 8-K filing obligations, the SEC amended General Instruction B of Form 6-K to reference material cybersecurity incidents among the items that may trigger a current report on Form 6-K. The SEC also amended Form 20-F to add Item 16K, which will require FPIs to provide the same type of disclosure as domestic issuers under new Item 106 of Regulation S-K.
For more information on Forms 6-K and 20-F, see Practice Notes, Preparing Form 6-K and Annual Report on Form 20-F. For more information on the reporting obligations of FPIs generally, see Practice Note, Periodic Reporting and Other Disclosure Obligations of Foreign Private Issuers: Overview.

Inline XBRL Formatting

The SEC is requiring that all information specified in Item 1.05 of Form 8-K and Item 106 of Regulation S-K be presented in Inline XBRL in accordance with Rule 405 of Regulation S-T and the EDGAR Filer Manual. However, the structured data requirements are subject to a one-year transition period (see Compliance Dates).
For more information on Inline XBRL, see Practice Note, XBRL Reporting Requirements: Inline XBRL.

Compliance Dates

The SEC adopted a brief transition period before reporting companies must provide the required disclosures. Compliance will be required as follows:
  • All companies must provide disclosures required under Item 106 of Regulation S-K and Item 16K of Form 20-F beginning with the first annual reports for fiscal years ending on or after December 15, 2023.
  • Other than smaller reporting companies (SRCs), companies must comply with incident disclosure requirements in Item 1.05 of Form 8-K and Form 6-K beginning December 18, 2023.
  • SRCs must comply with the incident disclosure requirements beginning June 15, 2024.
  • The structured data requirements will apply to disclosures required under the final rules beginning one year after the initial compliance date for the disclosure requirement, which means:
    • for Item 106 of Regulation S-K and Item 16K of Form 20-F, all companies must tag responsive disclosure in Inline XBRL beginning with the first annual reports for fiscal years ending on or after December 15, 2024; and
    • for Item 1.05 of Form 8-K and Form 6-K, all companies must tag responsive disclosure in Inline XBRL beginning on December 18, 2024.