SEC Adopts Final Cybersecurity Disclosure Rules for Public Companies

Article

The Securities and Exchange Commission (SEC) adopted new rules in late July 2023 that will require publicly traded companies to disclose information to assist investors in understanding the processes companies use to manage their cybersecurity risks and to report cybersecurity incidents that they determine to be material.

In particular, public companies will be required to disclose material cybersecurity incidents within four days of determining that the incident is material on a current report on Form 8-K. Public companies will also need to disclose information regarding their cybersecurity risk management, strategy, and governance in each annual report on Form 10-K. This article does not address the application of the new rules to foreign private issuers.

The new rules will apply to Form 8-K reports filed on or after December 18, 2023. Smaller reporting companies will have until June 15, 2024—an additional 180 days—before the new Form 8-K disclosure requirements apply.

Disclosures regarding cybersecurity risk management, strategy, and governance will be required in annual reports beginning with fiscal years ending on or after December 15, 2023. For calendar year issuers, this means the disclosure must be included in the Form 10-K for the year ending on December 31, 2023.

All registrants must tag the new disclosures in Inline eXtensible Business Reporting Language (Inline XBRL) beginning one year after initial compliance with the related disclosure requirements.

Disclosure of Material Cybersecurity Incidents

The new rules will require disclosure of material cybersecurity incidents pursuant to Item 1.05 of Form 8-K.

  • The report must be filed within four business days after the company determines that it has experienced a material cybersecurity incident. Filing may be delayed by a company if the United States Attorney General determines that immediate disclosure of the incident would pose a substantial risk to national security or public safety, or if the company faces conflicting disclosure timelines imposed by the Federal Communications Commission. Late filing of an Item 1.05 Form 8-K will not result in the loss of eligibility to use a Form S-3 registration statement.
  • Disclosure will be required regarding any cybersecurity incident the company determines to be material, including the material aspects of the nature, scope, and timing of the incident and the material impact or reasonably likely material impact of the incident on the company, including its business strategy, financial condition, or results of operations. Materiality should be determined “without unreasonable delay.” A series of related incidents may result in a finding of materiality, which should be assessed in the same manner as other determinations of materiality of information to investors.
  • Disclosure of specific or technical information about the company’s planned response to the incident or its cybersecurity systems, related networks and devices, or potential vulnerabilities in such detail as would impede its response or remediation of the incident is not required.

Annual Reporting of Cybersecurity Risk Management, Strategy and Governance

Disclosure of information regarding a public company’s risk management, business strategy, and governance processes regarding cybersecurity threats will be required in the company’s annual report on Form 10-K. The requirements, which are set forth in Item 106 of Regulation S-K, include information regarding:

  • The company’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as associated risks to the company from cybersecurity threats in sufficient detail for a reasonable investor to understand.
  • Whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition and, if so, how.
  • The board of directors’ oversight of risks from cybersecurity threats.
  • Management’s role in assessing and managing material risks from cybersecurity threats, including, as applicable, the following non-exclusive list of items:
    • Whether and which management positions or committees are responsible for assessing and managing such risks, including the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
    • The processes by which such persons or committees are informed of and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
    • Whether such persons or committees report information about such risks to the board of directors or a board committee or subcommittee.

Next Steps

Companies should:

  • Review and update their cybersecurity policies and procedures in light of the new disclosure requirements.
  • Review existing disclosure control procedures in preparation for the new Form 8-K requirements, and establish a process by which cybersecurity incident materiality analyses can be performed without delay so that disclosure can be made in a timely manner.

Editor's Note: Lisa Lee, a 2023 Miller Nash summer associate, contributed to this blog post.

This article is provided for informational purposes only—it does not constitute legal advice and does not create an attorney-client relationship between the firm and the reader. Readers should consult legal counsel before taking action relating to the subject matter of this article.