On July 26, 2023, the U.S. Securities and Exchange Commission finalized its rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (the Final Rule), which will become effective 30 days following publication in the Federal Register. The Final Rule applies to all public companies subject to the reporting requirements of the Securities Exchange Act of 1934, including foreign private issuers, smaller reporting companies, and business development companies, and will require disclosure of material cybersecurity incidents on Form 8-K and Form 20-F and periodic disclosure of cybersecurity risk management, strategy, and governance in annual reports on Form 10-K and Form 20-F.
The Final Rule substantially adopts the SEC’s March 2022 proposal but includes several changes designed, among other things, to minimize the additional cyber risk the proposed disclosures would have imposed. The Final Rule still, however, reflects an important change. For one thing, it will require an unprecedented level of disclosure into the management of a particular risk. As noted in Commissioner Hester Peirce’s dissent, “Once the SEC can peer into how all public companies handle cybersecurity, the temptation to micromanage their operations will only grow.” Additionally, the Final Rule requires public companies to determine the materiality of an incident “without unreasonable delay,” which may pose significant challenges and risks in the midst of responding to an active incident.
Key Requirements
- Material Cybersecurity Incident Disclosure: Registrants must disclose a material cybersecurity incident, including the material aspects of its nature, scope and timing, and material impact or reasonably likely material impact, through Form 8-K within four business days of a determination of materiality unless they have received a written determination from the U.S. Attorney General that that there is a “substantial risk to national security or public safety.” We expect that such determinations from the Attorney General will be rare. Foreign private issuers (FPIs) also must disclose material cybersecurity incidents in Form 6-K that they disclose or publicize elsewhere.
- The Legal Standard for Materiality Has Not Changed: Notably, the Final Rule has not changed the law of materiality. Materiality is defined in the adopting release as consistent with the definition of materiality under the securities laws, that is, where there is a “substantial likelihood that a reasonable shareholder would consider it important in making an investment decision” or it would have “significantly altered the total mix of information made available.”1 However, the Final Rule states that determinations of materiality must be undertaken “without unreasonable delay,” although the adopting release clarifies that the Final Rule does not specify whether the materiality determination should be performed by the board, a board committee, or one or more officers and that registrants “may establish a policy tasking one or more persons to make the materiality determination.”
- “Related” Immaterial Cybersecurity Incidents: The commission omitted the proposed general aggregation of immaterial cybersecurity incidents for materiality analysis unless they are “related.” The commission emphasized that the term “cybersecurity incident" should be construed broadly and that as defined, it “extends to ‘a series of related unauthorized occurrences’” (emphasis added).
- Cybersecurity Risk Management and Strategy: On Form 10-K or Form 20-F, a registrant must describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats. In doing so, the registrant must also disclose, as applicable,
- whether and how the described processes have been integrated into the registrant’s overall risk management system or processes
- whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes
- whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider
In addition, registrants must disclose whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant.
- Board and Management Governance: On Form 10-K or 20-F, a registrant must describe its board of directors’ oversight of risks from cybersecurity threats, including identifying any board committee or subcommittee responsible for such oversight and describing the processes by which the board or such committee is informed about such risks. Registrants must also describe management’s role and expertise in assessing and managing material risks from cybersecurity threats and address
- whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise
- the processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents
- whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors
There is no requirement that the registrant disclose the cybersecurity expertise of any individual director.
Compliance Dates
Requirement |
Compliance Date |
Form 10-K, Item 106 of Regulation S-K Form 20-F, Item 16K |
Beginning with annual reports for fiscal years ending on or after December 15, 2023. For a calendar-year-end company, the 2023 Form 10-K (or Form 20-F) filed in 2024 will need to include the new disclosures. All registrants must begin tagging responsive disclosure in Inline XBRL beginning with annual reports for fiscal years ending on or after December 15, 2024. |
Form 8-K, Item 1.05 Form 6-K, General Instruction B |
For all registrants other than smaller reporting companies, 90 days after date of publication in the Federal Register or December 18, 2023, whichever is later. Based on typical publication timeframes, we expect compliance to be required on December 18, 2023. Smaller reporting companies must begin compliance 270 days after date of publication in the Federal Register or June 15, 2024, whichever is later. All registrants must begin tagging responsive disclosure in Inline XBRL beginning on December 18, 2024, or 465 days after the date of publication of the Final Rule in the Federal Register, whichever is later. |
Key Action Items for Registrants
- Registrants should develop an understanding of the cybersecurity requirements and concepts in the Final Rule. At a minimum, we urge registrants to carefully review the chart set forth on page 12 of the adopting release as well as the fact sheet published by the commission.
- Registrants should immediately update their incident response plans and other necessary processes to ensure that a timely determination can be made regarding the materiality of cybersecurity incidents and consider specific processes and procedures to evaluate materiality throughout and beyond the lifecycle of an incident response.
- Registrants should review existing cybersecurity risk management, strategy, and governance practices in light of the new cybersecurity disclosure obligations that will affect upcoming annual reports on Forms 10-K and 20-F.
Key Changes From Proposed Rule
- Cybersecurity Incident Reporting:
- Narrowing of the Information Required in a Material Cybersecurity Incident Disclosure: Unlike the proposed rule, the Final Rule does not require a company to include specific or technical information about its planned response or systems, instead requiring a description of “the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations.”
- Attorney General Permitted Delay in Reporting: Unlike the proposed rule, the Final Rule provides an exception to reporting material security incidents on Form 8 K when the U.S. Attorney General provides a written determination that disclosure poses a “substantial risk to national security or public safety.” Such exemptions may delay reporting by 30 or 60 days and can be renewed. The national security exception falls far short of the broader and more common exception for law enforcement investigation delay common in most other breach-reporting regimes and, for practical purposes, may be difficult for registrants to obtain before the date when disclosure is required. For instance, registrants often collaborate with several other cybersecurity or law enforcement agencies, such as the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation.
- Narrowed Timing of Required Determinations of Materiality for Cybersecurity Incidents: Compared with the proposed rule, the Final Rule changes the timing requirement for making a materiality determination from “as soon as reasonably practicable” to “without unreasonable delay.” The adopting release includes examples of what could constitute an unreasonable delay, most of which involve leveraging investigative or logistical issues to intentionally delay a materiality determination. However, the Final Rule broadly defines “cybersecurity incident,” and the commission rejected proposals from several commenters to tie the definition to cases of actual harm. Rather, the commission highlighted that a cybersecurity incident that must be disclosed under Form 8-K “[t]ypically … would entail actual harm, though the harm may sometimes be delayed, and a material cybersecurity incident may not result in actual harm in all instances.” The commission further stated that “an accidental occurrence may be a cybersecurity incident under our definition, even if there is no confirmed malicious activity.”
- Exceptions for Breaches of Customer Proprietary Network Information (CPNI) Subject to the Federal Communication Commission (FCC) Breach Reporting Law: The FCC breach notification law requires notification of a CPNI breach within seven days after reasonable determination and further states that entities shall refrain from disclosing the breach publicly until seven days after notification to federal regulators. The SEC states that such entities may delay filing the Form 8-K up to seven business days following notification under the FCC breach reporting rule. The SEC did not include any other exceptions for compliance with other federal or state cybersecurity reporting laws.
- Requiring Updates by Form 8-K Amendment: Unlike the proposed rule, which would have required an update concerning a material cybersecurity incident on a registrant’s 10-Q or 10-K, the SEC will require a registrant to include in its Item 1.05 Form 8-K a statement identifying any required information that is not determined or is unavailable at the time of the required filing and then file an amendment to its Form 8-K “containing such information within four business days after the registrant, without unreasonable delay, determines such information or within four business days after such information becomes available.” This will likely lead to a process of several disclosure updates throughout incident lifecycles.
- Risk Management and Strategy, Governance Issues:
- Less Granular Required Disclosures Concerning Risk Management Strategy: The Final Rule revises certain definitions and, in comparison to the proposed rule, pares back certain required disclosures in response to public comments that the required disclosures were too prescriptive. Specifically, the Final Rule requires a description of “the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.” For instance, the Final Rule’s required enumerated disclosure elements do not include certain paragraphs that were included in the proposed rule, such as prevention and detection activities, continuity and recovery plans, and previous incidents. The Final Rule also removes a list of risk types and adds a materiality qualifier to the requirement to disclose “risks from cybersecurity threats.” Such a materiality requirement was also added to the requirement that a registrant “[d]escribe management’s role in assessing and managing the registrant’s material risks from cybersecurity threats” (emphasis added).
- Removal of the Required Description of How a Board Integrates Cybersecurity Into its Business Strategy, Risk Management, and Financial Oversight and Frequency of Board Discussions on Cybersecurity: The Final Rule would still require registrants to “[d]escribe the board’s oversight of risks from cybersecurity threats” and, if applicable, “identify any board committee or subcommittee responsible” for such oversight “and describe the processes by which the board or such committee is informed about such risks.”
- Removal of Required Disclosure of Cybersecurity Expertise for Boards of Directors: The Final Rule did not adopt the proposed item that would have required disclosure about the cybersecurity expertise of a registrant’s board members, recognizing that the necessary expertise is the responsibility of the officers and that board members can effectively exercise oversight over risk even if they are not experts in the specific risk area.
-
Updates to Definitions From Proposed Rule:
- Cybersecurity Incident: The definition of “cybersecurity incident” was revised to include the phrase “or a series of related unauthorized occurrences” (emphasis added). This is partially in response to the removal of the proposed requirement for companies to disclose a series of immaterial incidents that become material in the aggregate in its 10-Q or 10-K.
Cybersecurity incident means an unauthorized occurrence, or series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.
- Cybersecurity Threat: This definition was revised to better align with the definition of a cybersecurity incident.
Cybersecurity threat means any potential unauthorized occurrence on or conducted through a registrant’s information system that may result in adverse effects on the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein. - Information Systems: The definition of “information systems” was revised to clarify that it applies only to “electronic” information systems.
Information systems means electronic information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant’s information to maintain or support the registrant’s operations.
- Cybersecurity Incident: The definition of “cybersecurity incident” was revised to include the phrase “or a series of related unauthorized occurrences” (emphasis added). This is partially in response to the removal of the proposed requirement for companies to disclose a series of immaterial incidents that become material in the aggregate in its 10-Q or 10-K.
Key Points of Dissent
The SEC Commissioners approved the Final Rule in a 3–2 vote.
Commissioner Peirce published a dissent acknowledging that the Final Rule is better than the proposal but wrote that it “continues to ignore both the limits to the SEC’s disclosure authority and the best interests of investors.” Among other points of concern, Commissioner Peirce discussed how the Final Rule takes an expansive view of the SEC’s authority and muddies materiality determinations by expressly rejecting financial materiality as the cornerstone consideration for materiality disclosures. Moreover, Commissioner Peirce argued that the Final Rule will continue to put registrants at heightened cyber risk in the midst of responding to an incident by giving threat actors insight into the incident response process. She also criticized how the nonmaterial risk management and governance disclosures veer into managing companies’ cyber defenses and that the overly narrow law enforcement exception does not “defer to other government agencies with overarching mandates to protect national security, public safety, and critical infrastructure.”
Commissioner Mark Uyeda’s dissent hit similar themes, noting that “rather than using a scalpel to fine-tune the principles-based approach of the 2018 Interpretive Release, today’s amendments swing a hammer at the current regime and create new disclosure obligations for cybersecurity matters that do not exist for any other topic.”
Related Upcoming Cybersecurity Rulemaking
The SEC is also expected to finalize, likely in 2023 or 2024, proposed first-time cybersecurity regulations for registered investment advisers and funds and broker-dealers and “Rule 10” entities as well as significantly amended rules for customer information protected under Regulation S-P and for entities operating systems that support key market and trading functions under Regulation SCI (for a detailed analysis and timeline, see Sidley’s blog post).
***
Note that Sidley assisted the Securities Industry and Financial Markets Association in preparing comments submitted to the SEC in connection with the proposed rulemaking.
1 TSC Indus. v. Northway, 426 U.S. 438, 449 (1976).
Sidley Austin LLP provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.
Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.