The Securities and Exchange Commission (SEC) has taken a significant step in bolstering cybersecurity disclosures for public companies by adopting new rules that aim to provide investors with comprehensive and standardized information on cybersecurity risk management, strategy, governance, and incidents.
Adopted in July 2023, these new rules come after a lengthy rule-making and public comment process and act as official recognition that the ever-present danger of cybersecurity threats can impact investor decision making.
The highlights: What you need to know
The crux of the new SEC rules is that companies are required to report both material cybersecurity incidents and cybersecurity risk management processes in a standardized way and according to certain timelines. More specifically:
The final rule requires current report disclosures (Item 1.05 in Form 8-K or 6-K) within four business days of “material” cybersecurity incidents that describe (1) the nature, scope, and timing of the incident and (2) the impact or likely impact of the incident on the registrant, including financial and operational impact.
The final rule requires disclosures in annual reports (Form 10-K or 20-F) that describe (1) the registrant’s process to identify, assess, and manage cybersecurity risks; (2) how risks from cybersecurity threats have materially affected or are reasonably likely to materially affect business operations, strategy, or financial condition; (3) the registrant’s board of directors’ oversight of cybersecurity risks; and (4) management’s role in assessing and managing risks from cybersecurity threats.
The final rule became effective on September 5, 2023. The annual cybersecurity disclosure will be required for registrants with fiscal years starting December 15, 2023, and after. The current report disclosure obligation of Item 1.05 begins shortly thereafter on December 18, 2023, although smaller reporting companies have until June 15, 2024. Further, beginning on December 15 and 18, 2024, there are additional requirements regarding the formatting of these annual and current report disclosures, respectively (i.e., formatting these disclosures in Inline XBRL to allow for automated searchability and analysis).
The details: What the rules say
There’s been an incident — what must be disclosed?
The new rules require disclosure of cybersecurity incidents determined to be “material” (more on this below) as well as the nature, scope, and timing of the incident and the reasonably likely impact of the incident on the registrant’s financial condition and operations.
However, unlike previous iterations of the draft rule, there is no requirement to disclose specific or technical information about the registrant’s planned response to the incident or its potential cybersecurity systems vulnerabilities.
How soon must the disclosure be made?
Within four business days! Having four days to disclose a cybersecurity incident in a public filing may seem tight, and it is, but there is more flexibility built into the parameters of the final rule than is apparent.
The four-day clock only begins at the point when the registrant has determined it has experienced a “material” cybersecurity incident, and that materiality determination need only be made “without unreasonable delay.”
As flexible as the standard may be, it does not allow a registrant to stretch an investigation until the incident has been fully remediated in order to delay reporting. A registrant must make the 8-K disclosure with the information available at the time and then later supplement the original disclosures as necessary through an amendment to Item 1.05.