A Deep Dive Into SEC's New Cybersecurity Disclosure Rules

As companies face the onslaught of increasingly sophisticated cyber attacks that have intensified with the rise of the post-pandemic remote workforce, heavy reliance on technology and third-party vendors, and the disruptive geopolitical landscape, they are now required to publicly report cybersecurity incidents within four business days under the SEC’s new cybersecurity disclosure rule. Failure to do so may expose companies to liability, regulatory enforcement actions and class action litigation.

In March 2022, the U.S. Securities and Exchange Commission (SEC) proposed new rules mandating that public companies disclose cybersecurity risk management, governance and material cybersecurity incidents. The final rules went into effect September 5, 2023. As of December 18, 2023, companies must disclose material cybersecurity incidents in Form 8-K Item 1.05 within four (4) days (Cybersecurity Incident Disclosure Rule). In addition, companies must provide cybersecurity risk management disclosures in Regulation S-K Item 106 beginning with annual reports for fiscal years ending on or after December 15, 2023 (Cybersecurity Risk Management Disclosure Rule).

The SEC’s cybersecurity disclosure rules apply to all public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. However, smaller reporting companies have an additional grace period to comply with the Cybersecurity Incident Disclosure Rule by June 15, 2024. The SEC rules also apply to foreign private issuers (FPIs), which must report material cybersecurity incidents on Form 6-K, in addition to periodic reporting on cybersecurity risk management on Form 20-F.

Cybersecurity Incident Disclosure Rule

The SEC’s new Form 8-K Item 1.05 will require domestic companies to disclose any “cybersecurity incident” they determine to be “material” within four (4) business days of such determination of materiality.

The SEC’s final definition of the term “cybersecurity incident” means:

"[A]n unauthorized occurrence, or series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information system or any information residing therein."

The disclosure of a cybersecurity incident should include the nature, scope and timing of the incident and any material impact that the incident has (or is likely to have) on the company’s business, operations or financial condition.

What Is a “Material” Cybersecurity Incident?

The SEC’s new rules do not define expressly “materiality” for purposes of reporting a cybersecurity incident. Instead, the SEC has stated that the materiality standard is consistent with the same standard set forth in numerous cases addressing materiality under the federal securities laws. See e.g., TSC Industries, Inc. v. Northway, Inc., 425 U.S. 438, 449 (1976); Basic, Inc. v. Levinson, 485 U.S. 224, 232 (1988); and Matrixx Initiatives, Inc. v. Siracusano, 563 U.S. 27 (2011). In other words, information is material and must be disclosed to investors if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision.

As noted by the SEC, Form 8-K Item 1.05 focuses on the impact a cybersecurity incident may have on the company’s “financial condition and results of operations.” However, this is not an exclusive test for materiality but may include other factors such as reputational harm, competitiveness, and the possibility of litigation or regulatory actions. As noted by the SEC, materiality is a fact-specific inquiry based on the company and unique circumstances of the underlying incident.

Third-Party Breaches

'The SEC incident disclosure rule does not exempt companies from disclosing third-party cybersecurity incidents that may have a material impact on the company. As noted by the SEC, “whether an incident is material is not contingent on where the relevant electronic systems reside or who owns them.” While the SEC acknowledges that a company may have reduced visibility into third-party systems, the company should make the disclosure based on available information.

Timing of Incident Disclosure

Importantly, the four-day reporting deadline of a cybersecurity incident under the SEC’s rule is triggered when the company first determines that the incident may have a “material” impact on the organization – not within four days of discovery of the incident. In fact, the SEC acknowledges that it is unlikely a company will be able to determine materiality on the same date that the incident is discovered. However, at that time, the company should begin the process of gathering information for its “materiality analysis.” The SEC declined to extend the four-day deadline, noting that Form 8-K already requires current reporting of events that may be viewed as material to investors. Of course, once a disclosure is made, it should be updated as needed based on new information.

Delay Provision for Incident Disclosure

The SEC’s incident disclosure rule contains a narrow “delay provision” that enables the company to delay reporting a cybersecurity incident where such disclosure would pose a “substantial risk to national security or public safety.” However, this determination must be made in writing by the Attorney General and reported to the SEC. The initial delay period is 30 days from the date the disclosure of the cybersecurity incident was otherwise required. The delay may be extended for an additional 30 days if the Attorney General determines that disclosure would continue to pose a substantial threat to national security or public safety and, again, notifies the SEC in writing. In “extraordinary circumstances,” disclosure of an incident may be delayed for an additional 60 days (total 120 days) if the Attorney General determines that disclosure would pose critical national security concerns. Beyond 120 days, any further extensions for delaying disclosure of a cybersecurity incident requires an exemptive order issued by the SEC.

DOJ Guidelines for Delay

On Dec. 12, 2023, the U.S. Department of Justice (DOJ) issued guidelines to outline the process for companies to seek an incident disclosure delay determination by the Attorney General. In doing so, the DOJ emphasized that the “primary inquiry for the Department is whether the public disclosure of a cybersecurity incident threatens public safety or national security, not whether the incident itself poses a substantial risk to public safety or national security.” The DOJ provided examples of when the disclosure of an incident could pose such a risk:

• New cyber threats for which there are no well-known mitigation tools (such as a zero-day attack exploiting an unknown software vulnerability for which there is no available patch).
• The incident impacts a system that contains sensitive U.S. government information.
• The company is in the process of conducting remediation efforts for a critical infrastructure system and disclosure would undermine these efforts.
• A government agency has made the company aware of a cybersecurity incident that the government believes could pose a substantial risk to national security or public safety if disclosed.

• Name of the company.
• Date the cybersecurity incident occurred.
• Date the company determined that a material cybersecurity incident occurred that must be disclosed under the SEC rules.
• Whether the company has already been in touch with the FBI or other law enforcement regarding the incident.
• Description of the incident (including type of incident, intrusion vector, systems or data impacted, operational impact on the organization).
• Attribution of the cybersecurity incident to specific threat actor(s).
• Status of remediation efforts.
• Location of incident.
• Company’s point of contact(s).
• Whether this is the initial delay request.

In addition to reporting material cybersecurity incidents, companies also are required to make annual disclosures about their cybersecurity risk management, including their processes for assessing, identifying and managing material risks from cyber threats pursuant to new SEC Regulation S-K Item 106. 

Cybersecurity Risk Management “Processes”

The SEC observed that it substituted the term “processes” for “policies and procedures” to “avoid requiring disclosure of the kinds of operational details that could be weaponized by threat actors.” Notwithstanding, the disclosures should provide sufficient detail for investors to determine whether the company has implemented a cybersecurity risk assessment program.

In particular, a company should address the following cybersecurity processes in its Item 106(b) disclosure:

• Whether and how the company’s cybersecurity processes have been integrated into its overall risk management systems.
• Whether the company engages assessors, consultants, auditors or other third parties in connection with its cybersecurity processes (Companies are not required to disclose the names of such third parties or a description of the services provided. In addition, companies are not required to disclose independent cybersecurity assessments or audits, or use of NIST or another particular framework).
• Whether the company has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.
• Whether any risks from cybersecurity threats (including any previous cybersecurity incidents) have materially affected or are reasonably likely to materially affect the company.

In addition, a company must disclose management and board oversight of a company’s cybersecurity risk, including:

• Description of the board’s oversight of risks from cybersecurity threats.
• Identify any board committee or subcommittee responsible for such oversight.
• Description of the processes by which the board or such committee is informed about such risks.

In adopting its final rules, the SEC declined to require companies to disclose whether they had a dedicated chief information security officer (CISO) or the frequency of management and board discussions on cybersecurity. Moreover, the SEC decided not to require disclosure of board members’ cybersecurity expertise. 

Assessing Material Cyber Risks

In discussing management’s role in evaluating and managing material risks from cyber threats, a company should address the following issues:

• Whether and which management positions or committees are responsible for assessing and managing such risks.
• Relevant expertise of such persons or members of committees.
• Processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents.
• Whether such persons or committees report information about such risks to the board or a committee or subcommittee of the board.

The SEC will no doubt closely scrutinize corporate disclosures under the new cybersecurity rules to ensure broad compliance. Meanwhile, companies should evaluate their current cybersecurity controls, risk management, corporate governance and incident response plans. In addition, companies should consider carefully what specific information they intend to disclose in their public SEC filings with respect to current cyber risk controls in place and any potential future cyber-attacks.

In evaluating and addressing the SEC’s new cybersecurity rules, some key issues companies should consider:

• Does the company have a process for identifying, evaluating and addressing cyber threats? 
• Does the company have a written Information Security Program?
• Does the company have an Incident Response Plan?
• Does the company have an emergency Disaster Recovery backup plan?
• Does the company have cybersecurity expertise on the management team or board?
• Does the company engage third-party vendors that provide cybersecurity support?
• Does the company conduct periodic security risk assessments?
• Has the company had any previous cybersecurity incidents?
• Does the company conduct cybersecurity due diligence on key vendors and service providers?
• How will the company determine what constitutes a “material” cybersecurity incident? 
• Who will be responsible for the timely reporting of a material cybersecurity incident?
• Does the company have cyber, business interruption and D&O insurance?