The SEC, by a 3-2 vote, has adopted new rules requiring companies to provide:
- current disclosure on Form 8-K within four business days of determining that a material cybersecurity incident has occurred; and
- disclosure regarding cybersecurity risk management, strategy, and governance in annual reports on Form 10-K and Form 20-F.
The new requirements will take effect as early as December 18, 2023, as described more fully below.
New Requirements for US Domestic Issuers
Form 8-K Item 1.05 (Cybersecurity Incidents)
US domestic issuers must disclose, under newly added Form 8-K Item 1.05, within four business days of determining that a material cybersecurity incident has occurred:
- the material aspects of the nature, scope, and timing of the incident; and
- the material impact or reasonably likely material impact of the incident on the company, including its financial condition and results of operations.
In complying with these requirements:
- companies must determine the materiality of a cyber incident "without unreasonable delay following discovery";
- the requirement to disclose the "reasonably likely material impact" of the incident imposes an obligation to provide a level of disclosure previously inapplicable to Form 8-K;
- information that is required for the initial Form 8-K Item 1.05 filing but unavailable at the time of filing must be updated via amendment within four business days of becoming available, potentially requiring multiple amendments;
- an untimely filing of Form 8-K Item 1.05 will not affect eligibility for Form S-3 and well-known seasoned issuer (WKSI) status; and
- for a very narrow category of incidents, a national-security exemption permits delayed disclosure for up to 120 days if the US Attorney General notifies the SEC that immediate disclosure would pose a substantial risk to national security, with the possibility of further relief in extraordinary circumstances.
Annual Report on Form 10-K
US domestic issuers must disclose annually in their Form 10-K:
- processes for assessing, identifying, and managing material risks from cybersecurity threats;
- whether any risks from current or previous cybersecurity threats have materially affected or are reasonably likely to materially affect those companies; and
- the board of directors' oversight of risks from cybersecurity threats and management's role and expertise in assessing and managing material risks from cybersecurity threats.
New Requirements for FPIs
Foreign private issuers (FPIs) must:
- furnish on Form 6-K information on material cybersecurity incidents that they make or are required to disclose in a foreign jurisdiction to any stock exchange or to security holders; and
- disclose in each annual report on Form 20-F information comparable to the annual disclosure requirement for US domestic issuers.
The open-ended triggering event for Form 8-K Item 1.05 raises the stakes for companies' disclosure controls and procedures (DC&P) surrounding Form 8-K compliance.
An earlier enforcement action, predating today's new rule, illustrates the DC&P risk:
- the company disclosed a cyber incident almost immediately after senior executives, including the company's CISO and CIO, became aware of the incident; but
- the SEC found that the company had failed to maintain cyber DC&P because the company's information security personnel had known for months about the unremediated cyber incident but did not inform senior executives.
Changes from the Proposed Rules
The final rules include some significant changes from the original proposal:
- companies must disclose on Form 8-K only material facts about the incident, rather than a prescribed list (e.g., remediation status, data compromise, etc.);
- companies need not disclose technical information about incident response, affected systems, or vulnerabilities if that information would impede remediation of the incident;
- companies need not report multiple incidents that are immaterial individually but material in the aggregate, a vague and difficult-to-apply standard from the proposal;
- instead, companies must consider the cumulative impact of "a series of related occurrences" when making their materiality assessments; and
- the final rule requires annual report disclosure of management-level cybersecurity expertise instead of proxy statement disclosure of directors' cybersecurity expertise.
The new disclosures will be required to be provided in Inline XBRL format, starting one year after the initial compliance date for each respective disclosure requirement.
Compliance with the new rules will be required:
- for Form 8-K and Form 6-K, on December 18, 2023 (for smaller reporting companies, June 15, 2024); and
- for upcoming annual reports on Form 10-K and Form 20-F to be filed in 2024 (for fiscal years ending on or after December 15, 2023).