By Megan Penick and Jia Song
Last week, new cybersecurity rules were adopted by the Securities and Exchange Commission that directly impact public companies, including foreign private issuers (FPIs), requiring them to make certain disclosures about cybersecurity incidents, risk management, strategy and governance. Taken together, the SEC’s new rules markedly expand upon the federal agency’s current cybersecurity disclosure mandates.
Disclosure on Current Report
The final rule requires public companies to disclose material cybersecurity incidents within four business days on a Current Report on Form 8-K under a new Item 1.05 (Form 6-K for FPIs). Pursuant to Item 1.05, public companies must disclose any cybersecurity incidents they experience that are determined to be material and describe their (1) nature, scope and timing and (2) the expected impact or reasonably likely impact of the incidents upon the companies, their financial condition and results of operations.
A disclosure under Item 1.05 of Form 8-K will need to be filed within four business days after a company has determined an incident to be material in nature. As reporting on cybersecurity breaches can be difficult—because the severity or extent of a breach may not be clear until after significant internal investigation—the SEC has also adopted a rule that requires companies to amend their original Item 1.05 disclosures when and as additional information material to a given breach (or breaches, if there is more than one that is deemed related) is discovered. The SEC has indicated that in order to make cybersecurity incident disclosures clear and easy to find by investors, it was preferred that a Form 8-K disclosing the breach be amended for further disclosures, as opposed to companies simply reporting additional findings in their periodic reports on Forms 10-Q or 10-K.
Disclosure on Annual Report
In addition, the final rule compels public companies to disclose material information regarding their cybersecurity risk management, strategies and governance on their annual reports on Form 10-K (Form 20-F for FPIs)—this by adding a new Item 1C to Part I of the Form 10-K. Item 1C requires registrants to furnish the information required by Item 106 of Regulation S-K (Item 106). Item 106(b) requires registrants to describe their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. Board of directors’ oversight of risks from cybersecurity threats and managements’ role and expertise in assessing and managing material risks from cybersecurity threats are also mandated pursuant to Item 106(c).
Effective Timeline
The final rule will become effective 30 days after publication in the Federal Register. The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023, while the due date for the Form 8-K and Form 6-K disclosures will be the later of 90 days after the date of publication in the Federal Register or December 18, 2023. For their part, smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure. With respect to compliance with the structured data requirements, all registrants must tag disclosures required under the final rules in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.
Practical Guidance
Historically, many companies have been slow to disclose hacking or other cybersecurity incidents, fearing that disclosure could expose them to further risks and hamper their ability to assess and secure their data and systems. As a result, many of these incidents have not been reported until long after they occurred. However, as more and more companies have been affected by cyber criminals and data breaches in recent years, a need for prompt and effective disclosure has been seen by many as increasingly necessary. This is particularly the case because many companies rely on third parties to handle data storage and data management, and customers and investors need to be able to assess their own risk and exposure as a result of such incidents. The SEC’s new disclosure mandate is designed to do just that.
To decide whether an event qualifies as a material incident requiring SEC reporting is a practical issue. Companies should consult with their securities counsel to determine whether an incident is material in nature and, accordingly, whether it will need to be disclosed in a Current Report on Form 8-K. Further, companies, along with their legal counsel and financial advisors, need to value the size, nature and /or reputation or financial harms such incidents may cause, as well as other factors to determine materiality.
Of course, the public securities and cybersecurity pros at Michelman & Robinson, LLP are available to provide more detail and answer any questions you may have about the SEC’s new cybersecurity rules.
This blog post is not offered, and should not be relied on, as legal advice. You should consult an attorney for advice in specific situations.
