The surge in cybersecurity incidents across industries has heightened concern among investors, senior management and boards of directors, as these incidents continue to threaten business growth and the international economy. The costs of a cybersecurity incident can be material and potentially catastrophic.
In response, the Securities and Exchange Commission (SEC) proposed and then adopted rules that clarify the existing obligation to disclose material cybersecurity incidents and add new disclosure requirements for cybersecurity risk management, strategy and governance. These rules are detailed and warrant a closer look at their implications.
The Final Rule
The disclosure rules were finalized in July 2023. As expected, the final rules are similar in purpose and scope to those proposed in March 2022. Key elements of the final rule include:
- Required timely disclosure of material cybersecurity incidents on Form 8-K.
- New annual disclosures on Form 10-K describing the company’s processes for cybersecurity risk management and strategy, how it manages cybersecurity threats, and whether any risks from cybersecurity threats have materially affected the company.
- New annual disclosures on Form 10-K describing the company’s cybersecurity governance, including management and board oversight.
- For foreign private issuers, comparable annual disclosures on Form 20-F and disclosure of material cybersecurity incidents on Form 6-K.
The remainder of this article focuses on domestic issuers. It covers the compliance timeline, the content and timing of disclosures for material cybersecurity incidents, and the content required in the annual disclosure of cybersecurity risk management, strategy and governance processes.
Timeline for Compliance
The cybersecurity disclosure rules become effective 30 days after publication in the Federal Register. Based on the SEC’s release, the compliance timeline is as follows:
For most public companies, the material incident disclosure requirement on Form 8-K applies beginning on the later of December 18, 2023 or 90 days after publication in the Federal Register.
Smaller reporting companies get an additional 180 days: the Form 8-K incident disclosure requirement applies to them beginning on the later of June 15, 2024 or 270 days after publication in the Federal Register.
All domestic issuers must comply with the new annual disclosure requirements, beginning with annual reports for fiscal years ending on or after December 15, 2023, regarding the processes in place for
1) cybersecurity risk management and strategy,
2) managing cybersecurity threats,
3) risks from cybersecurity threats that have materially affected the company, and,
4) the company’s cybersecurity governance.
Disclosure Rules for Material Cybersecurity Incidents
Under the final rule, material cybersecurity incidents must be disclosed on Form 8-K and filed with the SEC. The incident disclosure requirements address both the content and the timeliness of reporting to shareholders. The SEC is focused on the impact of the incident rather than its technical details. The disclosure should describe the material aspects of the nature, scope and timing of the incident, as well as its material impact, or reasonably likely material impact, on the company.
When determining materiality, companies must weigh qualitative as well as quantitative factors, such as reputational harm, damage to customer or vendor relationships, and potential litigation and regulatory action. The test is whether a reasonable investor would consider the incident’s impact material.
Incidents that occur on third-party systems are not exempt from the disclosure requirement. This reflects the reliance many companies place on cloud computing and other outsourced services.
In addition, any required information that was unavailable or not yet determined at the time of the initial filing must be disclosed in an amended Form 8-K within four business days after the company, without unreasonable delay, determines that information or it becomes available.
All material incidents must be disclosed within four business days of the company determining that the incident is material. This does not mean companies can take their time making that determination. The SEC emphasizes that a company may have enough information to reach a determination even while its picture of the incident is incomplete; for example, confirmed unauthorized access to, or exfiltration of, customer records may be enough to determine materiality without waiting for the full investigation to conclude. To make this concrete, the SEC gives the following examples of circumstances and actions that do not justify delaying the materiality determination:
- The company cannot determine the full extent of an incident because of the nature of the incident or the company’s systems.
- The need for continued investigation regarding the incident.
- Intentionally deferring a board or committee meeting on the materiality determination beyond the time it normally takes to convene its members.
- Revising existing incident response policies and procedures in order to:
  - Delay the timing of the materiality determination.
  - Delay disclosure of an ongoing cybersecurity event by extending incident severity assessment deadlines, changing the criteria that trigger reporting, or introducing other steps that postpone the determination or disclosure.
The SEC allows the Form 8-K filing to be delayed only under a narrow exception: the United States Attorney General (AG) determines that disclosure would pose a substantial risk to national security or public safety.
To delay disclosure, the AG must notify the SEC (and the company) of that determination in writing. Disclosure may then be delayed for up to 30 days after the date the Form 8-K would otherwise have been due. The delay may be extended by up to an additional 30 days if the AG determines that disclosure would continue to pose a substantial risk to national security or public safety and again notifies the SEC (and the company) in writing.
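The timing rules above reduce to a small amount of date arithmetic that an incident response team will want to get right every time: four business days from the materiality determination, plus the AG delay periods when they apply. The following helper is an added example written for this article; it is not code from the original page or from Sikich. The holiday list is constructed for illustration (a filer would substitute the SEC’s published holiday calendar), and the AG delay logic models only the two 30-day periods the rule text above describes.

```python
from datetime import date, timedelta

# Constructed example holidays for illustration only (assumption): a real
# filer would load the SEC's published federal holiday schedule here.
EXAMPLE_HOLIDAYS = {date(2023, 12, 25), date(2024, 1, 1)}


def is_business_day(d, holidays=EXAMPLE_HOLIDAYS):
    """Monday-Friday and not an SEC holiday."""
    return d.weekday() < 5 and d not in holidays


def add_business_days(start, n, holidays=EXAMPLE_HOLIDAYS):
    """Return the date n business days after start; start itself does not count."""
    d, added = start, 0
    while added < n:
        d += timedelta(days=1)
        if is_business_day(d, holidays):
            added += 1
    return d


def form_8k_deadline(materiality_determined_on, holidays=EXAMPLE_HOLIDAYS):
    """Form 8-K is due within four business days of the materiality determination.

    The clock runs from the determination date, not from discovery of the incident,
    which is why the rule also forbids unreasonably delaying that determination.
    """
    return add_business_days(materiality_determined_on, 4, holidays)


def ag_delayed_deadline(original_deadline, periods_granted):
    """Apply the Attorney General national-security delay.

    periods_granted: 0 (no delay), 1 (initial delay of up to 30 days) or
    2 (initial delay plus one extension of up to 30 days). Each period requires
    the AG's written notice to the SEC. The page describes only these two
    periods, so anything beyond them is rejected here.
    """
    if periods_granted not in (0, 1, 2):
        raise ValueError("only an initial 30-day delay and one 30-day extension are modelled")
    return original_deadline + timedelta(days=30 * periods_granted)


if __name__ == "__main__":
    # Constructed scenario: materiality determined on Friday 2023-12-22.
    determined = date(2023, 12, 22)
    due = form_8k_deadline(determined)
    print("8-K due:", due)                         # weekend + Dec 25 holiday skipped
    print("with AG delay:", ag_delayed_deadline(due, 1))
    print("with AG extension:", ag_delayed_deadline(due, 2))
```

Note that the AG delay is measured in calendar days from the original due date, while the base deadline is measured in business days from the determination; mixing the two is an easy mistake in a hand-maintained tracker.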
Disclosure Rules for Cybersecurity Risk Management and Governance
In addition to disclosing material cybersecurity incidents, companies must describe their approach to cybersecurity risk management, strategy and governance.
These disclosures are made annually in Form 10-K.
Content – Cybersecurity Risk Management and Governance
The final rule requires a description of the company’s processes for identifying, assessing and managing material risks from cybersecurity threats, in enough detail for a reasonable investor to understand them. At a minimum, the expectation is that the company has a risk management program that identifies potential cybersecurity risks and has procedures in place to assess and manage material cybersecurity threats. The disclosure must cover:
- Whether and how the described cybersecurity processes have been integrated into the company’s overall risk management system or processes.
- Whether the company engages assessors, consultants, auditors or other third parties in connection with such processes.
- Whether the company has processes to oversee and identify material risks from cybersecurity threats associated with using any third-party service provider.
- Whether any risks from cybersecurity threats, including those resulting from any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations or financial condition, and if so, how.
The final rule is less prescriptive than the proposal; most notably, the SEC dropped the proposed requirement to disclose the cybersecurity expertise of individual board members. The purpose of the governance disclosure is unchanged: to help current and prospective shareholders make informed investment decisions by understanding how, and how thoroughly, the company oversees cybersecurity risk. Companies must disclose:
- The board’s oversight of risks from cybersecurity threats.
- Any board committee or subcommittee responsible for such oversight.
- The processes by which the board or committee is informed about such risks.
- Optionally, how often the board or relevant committee is briefed on cybersecurity risks, where that helps describe the process.
Companies must also describe management’s role in assessing and managing material risks from cybersecurity threats, including:
- Whether and which management positions or committees are responsible for assessing and managing such risks.
- The relevant expertise of such managers or committee members with enough detail to fully describe the nature of their expertise.
- The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents.
- Whether such management or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.
Preparing for Compliance
Companies must ensure that they have processes in place to:
1) Assess the material impact of a cybersecurity event and document it in sufficient detail to meet the final rule’s content requirements.
2) Verify that their cybersecurity risk management and governance processes are adequate to support the annual disclosures described above.
For incident disclosure in particular, companies need to update their incident response procedures and playbooks to include:
- Documentation of how the material impact of a cybersecurity event is determined.
- Guidance on the timing of the materiality determination (i.e., what “without unreasonable delay” means for the company).
- The members and roles of the cross-functional team that, for each cybersecurity incident, decides whether the impact is material, defines the content to be disclosed, and is accountable for meeting the four-business-day disclosure deadline.
Companies must review their cybersecurity risk management and governance activities to identify gaps based on the disclosure requirements. For example:
- Consideration should be given to formalizing current cybersecurity activities into policies and procedures.
- Regular communication should be established with the board on cybersecurity risks and the effectiveness of controls to prevent, detect, mitigate and remediate cybersecurity incidents.
- Regular security and control assessments should be performed using internal or external assessors with appropriate cybersecurity expertise.
- Ensure that management responsible for cybersecurity has the appropriate experience and expertise.
There is limited time for remediation. Larger companies must begin disclosing material cybersecurity incidents on the later of December 18, 2023 or 90 days after publication in the Federal Register. As a priority, companies should review and improve the management processes and controls that support timely, accurate disclosure of material incidents. It is reasonable to expect that December 31 fiscal-year filers will need to show, as part of the 2023 year-end external audit, that these disclosure controls are in place. Smaller reporting companies have until the later of June 15, 2024 or 270 days after publication in the Federal Register for incident disclosure.
All companies will need to include the annual disclosure of cybersecurity risk management and governance processes in their 10-K. For larger companies with a December 31 fiscal year end, this disclosure could be required as early as the 10-K for 2023 and fall within the scope of the 2023 external audit.
If you need help to comply with the new cybersecurity disclosure rules, Sikich has the expertise to evaluate, recommend and define solutions to help meet these requirements. If you would like more information or have questions, please reach out to Earl Potjeau or contact us here.