On July 26, 2023, the U.S. Securities and Exchange Commission (SEC), by a vote of 3-2, adopted rules (the Final Rules) intended to enhance and standardize certain cybersecurity disclosures. The new rules impose significant new disclosure requirements on U.S. public companies and foreign private issuers (FPIs).
The key requirements of the Final Rules adopted by the SEC include the following for U.S. public companies:
- Disclosure of material cybersecurity incidents within four days of identifying that the incident was material on Item 1.05 of Form 8-K;
- Disclosure of material cybersecurity risk management processes, strategy, and governance on an annual basis on Form 10-K; and
- Disclosure of management’s role in assessing and managing material risks from cybersecurity threats as well as the board’s oversight of risks from cybersecurity threats.
For FPIs, required disclosures include material cybersecurity incidents on Form 6-K and cybersecurity risk management processes, strategy, and governance on Form 20-F.
Between March 10, 2022 and June 29, 2023, the SEC received over 150 comment letters in response to the proposed rules. Many commenters were concerned that detailed incident disclosure could invite further targeted attacks and provide a roadmap for future attacks, and that a quick disclosure timeframe may make it more difficult to neutralize threats. Although key components of the proposed rules remain in the Final Rules, the SEC made some modifications to address certain comments, including:
- The Final Rules require the disclosure of incidents within four days upon the issuer’s determination of the cyber incident’s materiality rather than upon its identification.
- To address a key concern from commenters, the SEC added a provision that allows a firm up to a 30-day delay in disclosing a cybersecurity incident if the U.S. Attorney General (AG) notifies the SEC in writing of a determination that the disclosure would pose substantial risk to national security or public safety. The delay may be extended to an additional period of up to 30 days upon further determination by the AG. In extraordinary circumstances, the disclosure may be delayed a final time for up to 60 days upon determination from the AG.
- Notably, the Final Rules removed a contemplated requirement of the proposed rules to detail and disclose the cybersecurity expertise of board members.
The Final Rules will become effective September 5, 2023. The Form 10-K and Form 20-F disclosures will be required beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures are due beginning December 18, 2023. Smaller reporting firms must comply with the Final Rules beginning on June 15, 2024.
Patomak Insight – Impact of the Rules
Compliance with the Final Rules will pose risks for all U.S. public companies and FPIs. These risks are exacerbated by the impracticality of the delay provision and the complexity of the national and state cybersecurity disclosure requirement environment.
Item 1.05 of Form 8-K requires public companies to “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant.” The public disclosure of this information exposes firms to various heightened risks, such as operational, reputational, enforcement, and litigation risk. Further, firms should be prepared for potential scrutiny by the SEC and private litigants of the reasonableness of the materiality judgments that trigger the four-day incident reporting requirement.
Firms can effectively manage these heightened risks by maintaining and implementing a strong, credible governance framework as well as processes and controls to properly document the cybersecurity incident reporting process. Elements that should be documented include: 1) how incidents are reported, including consideration of pertinent third parties; 2) how materiality determinations are made; 3) justification for the time taken to determine that an incident was material; and 4) if applicable, justification for why an incident was reported after the four-day window. Firms should expect that their disclosures may be questioned and, therefore, documentation to support decisions and steps taken is necessary.
Practicality of Attorney General Incident Disclosure Delays
As noted above, the Final Rules include a provision that allows a firm to delay the filing of a cybersecurity incident if the AG determines immediate disclosure would pose a substantial risk to national security or public safety. Disclosures may be delayed for a time period determined by the AG, up to 30 days following the date when the disclosure was otherwise required, with opportunity for additional extensions from the AG and exemptive orders from the SEC.
Patomak notes that the details regarding the usage of this delay provision are vague. Specifically, the rules do not describe or state whether there are currently established AG protocols for making such determinations that have been agreed to between the SEC and other regulators. Moreover, it is unclear if firms should involve the AG early in the review process prior to determining if an incident is material, or if firms should wait until after the materiality determination is made. As a result, firms may err on the side of caution and prematurely involve the AG for cybersecurity incidents that result in an immaterial determination. How this delay provision will work in practice and whether further information about the AG determination process is disclosed remains to be seen.
Varying Federal and State Cybersecurity Disclosure Requirements
As highlighted by comments regarding the proposed rules, disclosure requirements related to Item 1.05 appear to conflict with other federal and state cybersecurity reporting requirements or other regulatory regimes. For example, in accordance with the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), Congress directed the Cybersecurity & Infrastructure Security Agency (CISA) to develop incident notification regulations for the industry. Once these rules are adopted by CISA, firms in defined critical infrastructure sectors will be required to report covered cyber incidents to CISA within 72 hours of discovery and report ransom payments within 24 hours. Reports made to CISA pursuant to CIRCIA will remain confidential, whereas incident disclosures to the SEC are public.
U.S. public companies and FPIs currently are, and may continue to be, subject to other cybersecurity incident disclosure requirements developed by various industry regulators. These may include requirements from the Federal Communications Commission, the Federal Trade Commission, and rules of foreign regulators. Additionally, some states have implemented cybersecurity reporting requirements with varying requirements and timeframes for disclosure. As a result of this complex environment, firms must fully understand their universe of disclosure requirements and how these requirements work together, overlap, and in some cases potentially conflict. Complying with any one of these rules therefore requires an understanding of the entire cybersecurity rule landscape across agencies and jurisdictions.
Put Patomak’s Expertise to Work
In light of these heightened risks, rule practicality uncertainties, and the myriad of other cybersecurity incident disclosure regulatory requirements, it is necessary for firms impacted by the Final Rules to review and assess their current cybersecurity programs to ensure such programs stay up to date and compliant. Our team has deep experience in helping public firms, broker-dealers, investment advisers, investment firms, swap dealers, banks, and other financial institutions identify, manage, and mitigate risks related to cybersecurity, including reviewing and assessing cybersecurity programs, associated disclosures, and governance frameworks and updating policies and procedures. If you would like to learn more about how Patomak can partner with you, please reach out to Laura Magyar, Managing Director, at firstname.lastname@example.org, or Hemal Patwa, Manager, at email@example.com.