The Securities and Exchange Commission (SEC) has taken a significant step in bolstering cybersecurity disclosures for public companies by adopting new rules that aim to provide investors with comprehensive and standardized information on cyber risk management, strategy, governance, and incidents. These rules build upon previous interpretive guidance issued by the SEC.
Under the new rules, registrants will be obligated to disclose any cybersecurity incident that they determine to be material in the recently introduced Item 1.05 of Form 8-K (due within four business days of such determination). This disclosure must encompass the essential aspects of the incident, including its nature, scope, timing, and the material impact or reasonably likely material impact it may have on the registrant, including its financial condition and results of operations. However, these new rules do not require companies to disclose information about the incident’s remediation status, ongoing status, or whether data was compromised. The SEC has acknowledged the sensitive nature of cybersecurity incidents and the potential risks of disclosing information that could further harm the company or its stakeholders.
Materiality serves as the guiding principle in determining what information should be disclosed regarding cybersecurity incidents. The SEC affirmed that the materiality standard that registrants should apply in evaluating whether a Form 8-K would be triggered under Item 1.05 would be consistent with that set out in the numerous cases addressing materiality in the securities laws, including TSC Industries, Inc. v. Northway, Inc.,[1] Basic, Inc. v. Levinson,[2] and Matrixx Initiatives, Inc. v. Siracusano,[3] and likewise with that set forth in 17 CFR 230.405 and 17 CFR 240.12b-2. That is, information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important”[4] in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.”[5] “Doubts as to the critical nature” of the relevant information should be “resolved in favor of those the statute is designed to protect,” namely investors.[6] For example, reputational harm, customer or vendor relationships, and competitiveness could be considered material impacts, along with the possibility of litigation or regulatory investigations.
The new rules also incorporate Regulation S-K Item 106, which requires Form 10-K annual reports to disclose the material effects or reasonably likely material effects of cybersecurity threats and any past cybersecurity incidents. Notably, the disclosure should also shed light on the board of directors’ oversight concerning risks associated with cybersecurity threats and the board’s and management’s roles and expertise in assessing and handling material cybersecurity risks.
Key dates: The final rules will become effective 30 days following publication of the adopting release in the Federal Register. The Form 10-K disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023.
Key Takeaways:
- By providing investors with more comprehensive and standardized information on cybersecurity risk management, strategy, governance, and incidents, the SEC aims to improve transparency and ensure that investors are well-informed about the potential risks and impacts faced by companies in the digital age.
- Given the new four business day timeline, public companies should ensure that their internal controls and procedures, including incident response plans, adequately provide for identification and escalation of cybersecurity incidents within the required timeline in order to make a meaningful and accurate determination of the materiality of the incident and to effect the required disclosure obligations. While the rule exempts public companies from the four-day reporting requirement if disclosure would pose a substantial risk to national security or public safety, that exemption requires that a determination be made by the U.S. Attorney General, which in many if not most cases will likely not be practical.
- Given the new disclosure requirements, public companies will need to carefully determine how to describe accurately and meaningfully their risk assessment strategy and security programs without giving “bad actors” a blueprint for attacking their systems. Public companies will also need to continue to assess judiciously the cybersecurity expertise of their board members and senior management, and bolster themselves where necessary.
- While the rule passed on a partisan 3-2 vote, this is likely just the beginning of increased, intense scrutiny of the interplay between cybersecurity and disclosure requirements to investors.
[1] TSC Indus. v. Northway, 426 U.S. 438, 449 (1976).
[2] Basic Inc. v. Levinson, 485 U.S. 224, 232 (1988).
[3] Matrixx Initiatives v. Siracusano, 563 U.S. 27 (2011).
[4] TSC Indus., 426 U.S. at 449.
[5] Id.
[6] Id. at 448.