On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) announced that it adopted final rules requiring disclosure by public companies of material cybersecurity incidents in a Current Report on Form 8-K, and of material information regarding their cybersecurity risk management, strategy, and governance in an Annual Report on Form 10-K. Foreign private issuers will be required to make comparable disclosures on Forms 6-K and 20-F. Set forth below is a brief summary of the final rules; a more detailed client alert will follow.
Form 8-K: Incident Reporting. Consistent with the proposed rules, the final rules add new Item 1.05 to Form 8-K, which will require reporting of material cybersecurity incidents within four business days of the company determining the incident is material. In addition to narrowing the scope of disclosure in Item 1.05, the final rules include several differences from the proposed rules, such as:
- Limited Delay in Reporting. The final rules allow for a delay in reporting if the U.S. Attorney General determines that disclosure would pose a substantial risk to national security or public safety and notifies the SEC of this determination in writing. The delay in reporting is limited to the time periods specified by the U.S. Attorney General, and generally could not go beyond 120 days absent the SEC granting relief through an exemptive order.
- Updated Incident Disclosures in Form 8-K. If information required to be disclosed in the Item 1.05 Form 8-K is not yet determined or is unavailable at the time of filing, the company will be required to include a statement to that effect in the Form 8-K and file an amendment to its Form 8-K within four business days after such information is determined or becomes available (material updates will not be required in subsequent periodic filings as originally proposed).
- Aggregation of Incidents. While the final rules omit the requirement to disclose in periodic reports individually immaterial cybersecurity incidents that become material when considered in the aggregate, the definition of “cybersecurity incident” in the final rules for purposes of Item 1.05 disclosure includes “a series of related unauthorized occurrences.”
Form 10-K: Cybersecurity Risk Management, Strategy, and Governance; Board Expertise. Consistent with the proposed rules, the final rules add new Item 106 of Regulation S-K, which will require annual reporting of certain company cybersecurity matters, including cybersecurity risk management and strategy, and cybersecurity governance including the board’s oversight of risks from cybersecurity threats and management’s role in assessing and managing material risks from cybersecurity threats. In addition to narrowing the scope of disclosure in Item 106, a notable departure from the proposed rules is that the final rules will not require disclosure of the cybersecurity expertise of board members.
Structured Data. The final rules require that the disclosures be reported in Inline XBRL format.
Effective Date and Compliance Timing. The final rules will become effective 30 days following publication in the Federal Register. With respect to Item 1.05 of Form 8-K, companies (other than smaller reporting companies) will be required to comply 90 days following the publication of the adopting release in the Federal Register or December 18, 2023, whichever is later; smaller reporting companies will be required to comply 270 days following the publication of the adopting release in the Federal Register or June 15, 2024, whichever is later. With respect to Item 106 of Regulation S-K, all companies will be required to comply beginning with annual reports for fiscal years ending on or after December 15, 2023. With respect to the structured data requirements, all companies will be required to comply beginning one year after the initial compliance date for any issuer for the related disclosure requirement.
For more information on the final rules, please see the SEC Fact Sheet, available here.