SEC Adopts New Cybersecurity Disclosure Rules for Public Companies

Privacy Plus+

Privacy, Technology and Perspective

This week, let’s address the U.S. Securities and Exchange Commission’s (SEC) recently adopted rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies. These rules require both domestic registrants and foreign private issuers to provide detailed insights into their cybersecurity incidents and overarching cyber risk strategies. A link to the new rules follows:

https://www.sec.gov/files/rules/final/2023/33-11216.pdf

Key Highlights of the New Rules:

1. Mandatory Disclosure of Material Cybersecurity Incidents: If a public company experiences a material cybersecurity incident, it will need to report it. The SEC has affirmed that the materiality standard is tied to U.S. Supreme Court precedent, which defines information as material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.” See TSC Indus. v. Northway, 426 U.S. 438, 449 (1976).

2. Annual Disclosure on Cybersecurity Strategy: Annually, companies must disclose pertinent details about their cybersecurity risk management, strategic approach, and governance mechanisms. There are currently no disclosure requirements on Forms 10-K or 10-Q that explicitly reference cybersecurity risks or governance. Now, Item 106, referenced below, will elicit information about how registrants are managing their material cybersecurity risks.

3. Uniformity and Comparability: In the SEC’s press release related to the new rules, SEC Chair Gary Gensler highlighted the importance of the new rules, stating, “Companies and investors will benefit from a consistent, comparable, and decision-useful way of cybersecurity disclosure.” This shift aims to standardize the information presented to stakeholders, ensuring they have a clear understanding of a company’s cybersecurity posture. A link to the SEC’s press release follows:

https://www.sec.gov/news/press-release/2023-139

Mechanics of the New Rules:

  • Form 8-K (Item 1.05): Companies must report any material cybersecurity incident here, describing the incident’s nature, scope, timing, and actual or reasonably likely impact. The filing is generally due four business days after the company determines that the incident is material. If the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety, however, the filing can be delayed.

  • Regulation S-K (Item 106): This item requires companies to describe their processes for identifying, assessing, and managing material risks from cybersecurity threats. The disclosure will cover a company’s cybersecurity risk assessment program; its business continuity, contingency, and recovery plans; the policies and procedures it uses to oversee, identify, and mitigate the cybersecurity risks associated with its use of service providers (including information about contracting and oversight of those providers); and more. It also calls for a description of the board of directors’ oversight of cybersecurity risk and of management’s role and expertise in handling such threats. This information will be incorporated into the annual report on Form 10-K.

  • Foreign Private Issuers (FPIs) have parallel requirements: they must report material cybersecurity incidents on Form 6-K and provide details about their cybersecurity risk management on Form 20-F.

Summary: The new rules themselves contain a chart that summarizes the new requirements on page 12, which we are re-posting in substance:

  • Regulation S-K Item 106(b) – Risk management and strategy: Registrants must describe their processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats, and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition.

  • Regulation S-K Item 106(c) – Governance: Registrants must:

    - Describe the board’s oversight of risks from cybersecurity threats.

    - Describe management’s role in assessing and managing material risks from cybersecurity threats.

  • Form 8-K Item 1.05 – Material Cybersecurity Incidents: Registrants must disclose any cybersecurity incident they experience that is determined to be material, and describe the material aspects of its:

    - Nature, scope, and timing; and

    - Impact or reasonably likely impact.

  • Item 1.05 Form 8-K must be filed within four business days of determining an incident was material. A registrant may delay filing as described below, if the United States Attorney General (“Attorney General”) determines immediate disclosure would pose a substantial risk to national security or public safety.

  • Registrants must amend a prior Item 1.05 Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing.

  • Form 20-F: FPIs must:

    - Describe the board’s oversight of risks from cybersecurity threats.

    - Describe management’s role in assessing and managing material risks from cybersecurity threats.

  • Form 6-K: FPIs must furnish on Form 6-K information on material cybersecurity incidents that they disclose or otherwise.

Effective Dates: The new rules take effect 30 days after their publication in the Federal Register. For annual reports, the required disclosures on Form 10-K and Form 20-F begin with fiscal years ending on or after December 15, 2023. Disclosures on Form 8-K and Form 6-K begin 90 days after publication in the Federal Register or on December 18, 2023, whichever is later.

Smaller reporting entities will be granted an additional 180 days for Form 8-K compliance.

Lastly, one year after the initial compliance date, all disclosures under the new rules must be tagged in Inline eXtensible Business Reporting Language (“Inline XBRL”) to ensure data integrity and coherence.

Our thoughts: In today’s digital age, cybersecurity isn't just a technical concern—it’s a national security issue, and a business and investment priority. The SEC's journey from its proposed amendments to the new rules shows an evolving approach, which overall seeks to encourage cyber hygiene and ensure that public companies maintain transparency about their cybersecurity postures.

As companies navigate these regulations, we believe that they should particularly consider how they are going about making materiality determinations. We would suggest that there should be a defined process for making such judgments, and that it should include a range of individuals – not just the CFO or the finance team, but the CISO, CIO, CTO, and General Counsel and legal team as well.

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.
