SEC adopts strict rules on incident disclosure by public companies
The Securities and Exchange Commission (SEC) has adopted new incident disclosure rules that aim to standardize cybersecurity-related disclosures by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.
The new rules, which were adopted on July 26, 2023, will soon require SEC registrants to rapidly disclose “material cybersecurity incidents” and annually offer “material information” regarding registrants’ cybersecurity risk management practices.
Historically, the SEC has declared that disclosure practices among public companies are “inconsistent,” which, according to the SEC, is what “necessitates” the new rules.
Which organizations are impacted by the SEC's new rules?
Public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934 as well as foreign private issuers will be impacted by the new disclosure requirements following cybersecurity incidents.
What are the new disclosure requirements for public companies?
Form 8-K – Disclosure of Material Cybersecurity Incidents
The new rules will, in part, require registrants to make a determination “without unreasonable delay” as to whether or not a cybersecurity incident is material. If the registrant determines that the incident is material, the registrant will be required to file an Item 1.05 Form 8-K within four (4) business days of that determination, unless an exception is granted by the United States Attorney General.
Under the new rules, “Cybersecurity Incident” is defined broadly as an “unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”
With respect to the determination of materiality, the SEC instructs registrants in the new rule to assess the cybersecurity incident through the “lens of the reasonable investor.”
Although the SEC declined to offer a specific definition of “material,” the SEC declares in the new rule that “[W]e expect that registrants will apply materiality considerations as would be applied regarding any other risk or event that a registrant faces,” and that information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.”
The materiality analysis, according to the SEC, may involve consideration of both “quantitative factors,” such as finances, and “qualitative factors,” such as brand reputation and customer relationships.
Regulation S-K (Form 10-K) – Annual Disclosure of Cybersecurity Practices
The new rules also add Regulation S-K Item 106, which will, in part, require registrants to describe their processes for “managing material risks from cybersecurity threats,” and disclose whether previous cybersecurity incidents have “materially affected or are reasonably likely to materially affect the registrant.”
Item 106 will also require registrants to describe, in their annual Form 10-K reports, the board of directors’ “oversight of risks from cybersecurity threats” and “management’s role and expertise in assessing and managing material risks from cybersecurity threats.”
When do the new SEC rules on incident disclosure take effect?
According to the SEC, the Form 10-K disclosure will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K disclosure will be due beginning on the later of 90 days after the date of publication in the Federal Register or December 18, 2023. An exception will be made for “smaller reporting companies,” which will have an additional 180 days before they must begin providing the Form 8-K disclosure.