The topic of cybersecurity disclosure has been on the Securities and Exchange Commission (SEC)’s radar since at least 2018, when it released preliminary cybersecurity disclosure guidance. The SEC took another step forward when it first proposed new cybersecurity rules for public companies on March 9, 2022. On July 26, 2023, the SEC finally adopted its new, highly anticipated cybersecurity disclosure rules for public companies. The rules alter the disclosure requirements related to Form 8-Ks, periodic reports and similar filings for foreign private issuers.
Changes to Form 8-K
The final rules add a new item, Item 1.05, to Form 8-K that will require public companies (aka “registrants”) to “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” The inclusion of “financial condition and results of operations” is not exclusive, meaning companies should consider qualitative factors alongside quantitative factors in assessing the material impact of an incident. For example, a company should consider whether factors such as reputational harm, loss of public confidence, damage to customer or vendor relationships, loss of competitive opportunities, costs associated with locating a vulnerability in the company’s system and rectifying such vulnerability, or increased risk of litigation and/or regulatory investigations, may have a material impact on the company.
The SEC’s definition of “cybersecurity incident” is also broad and extends to “a series of related unauthorized occurrences… that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein,” meaning companies must be mindful of not only whether a single cyberattack is material, but whether any related cyberattacks taken collectively over time may be considered material.
The SEC is also adding an Instruction 4 to Item 1.05 to provide that a “registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.” This instruction was added to mitigate commenter concerns that disclosing too much information about a company’s cybersecurity procedures may leave it vulnerable to malicious actors.
The SEC is not exempting registrants from providing disclosures regarding cybersecurity incidents on third-party systems they use, nor is the SEC providing a safe harbor for information disclosed about third-party systems. Depending on the circumstances of an incident that occurs on a third-party system, disclosure may be required by both the service provider and the customer, or by one but not the other, or by neither. The SEC says it appreciates that companies may have reduced visibility into third-party systems, and clarifies that registrants should disclose based on the information available to them. The final rules generally do not require that registrants conduct additional inquiries outside of their regular channels of communication with third-party service providers pursuant to their respective contracts and in accordance with registrants’ disclosure controls and procedures.
The deadline to report a material cybersecurity incident on Form 8-K is 4 business days from the time the registrant determines that the incident has had, or is reasonably likely to have, a material impact on the registrant. It’s important to note that the SEC expects a company’s management to make its determination as to the materiality of the incident before requiring disclosure, and the SEC says it recognizes that this means it may be common for over a week to pass from the time the incident occurs to the time an Item 1.05 Form 8-K is required to be filed.
A company may delay filing an Item 1.05 on Form 8-K if the Attorney General determines that a delay is in the interest of national security or public safety and notifies the SEC of such determination in writing. Initially, disclosure may be delayed for a time period specified by the Attorney General, up to 30 days following the date when the disclosure was otherwise required to be provided. The delay may be extended if the Attorney General determines that disclosure continues to pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing. The Department of Justice will notify the affected company that communication to the SEC has been made, so that the company may delay filing its Form 8-K.
The SEC is adding Item 1.05 to the list of Form 8-K items in General Instruction I.A.3.(b) of Form S-3, so that the untimely filing of an Item 1.05 Form 8-K will not result in the loss of Form S-3 eligibility. Furthermore, the SEC adopted amendments to Rules 13a-11(c) and 15d-11(c) under the Exchange Act to include new Item 1.05 in the list of Form 8-K items eligible for a limited safe harbor from liability under Section 10(b) or Rule 10b-5 under the Exchange Act (regarding insider trading). For more information about Section 10(b) or Rule 10b-5 of the Exchange Act, and the SEC’s recent amendments to Rule 10b5-1, see our blog entry on the topic HERE.
Registrants will also need to amend their Item 1.05 Form 8-K to identify any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the original filing, within 4 business days of such information being determined or becoming available. Details not required by Item 1.05(a), such as remediation status, are not required in any amendment.
It is important to note that the final rules require an Item 1.05 Form 8-K to be filed rather than furnished. For more information about the distinction between filed vs. furnished and its importance, see our blog entry on the topic HERE.
Changes to Periodic Reports (Forms 10-Q and 10-K)
The final rules made amendments to Regulation S-K, adding a new section, 17 CFR 229.106 (Regulation S-K “Item 106”). Item 106(b) requires a description of “the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.” The description must be provided in the registrant’s periodic reports.
The enumerated elements that a company should address in its Item 106(b) disclosure, as applicable, are:
- Whether and how the described cybersecurity processes in Item 106(b) have been integrated into the company’s overall risk management system or processes;
- Whether the company engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
- Whether the company has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.
The above elements compose a non-exclusive list of disclosures, and companies should additionally disclose whatever information is necessary, based on their facts and circumstances, for a reasonable investor to understand their cybersecurity processes. While not codified in the final rules, the SEC encourages companies to consider risks such as intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy laws and other litigation and legal risk, and reputational risk, in determining what cybersecurity threats to report in their periodic reports.
The SEC also added Item 106(c) to require companies to describe the board of directors’ oversight of risks from cybersecurity threats and, if applicable, identify any board committee or subcommittee responsible for such oversight, and describe the processes by which the board or such committee is informed about such risks. Companies must further describe management’s role in assessing and managing the registrant’s material risks from cybersecurity threats. The final rules direct companies to consider disclosing the following as part of the description of management’s role in assessing and managing the companies’ material risks from cybersecurity threats:
- Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
- The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
- Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.
Foreign Private Issuers
For foreign private issuers, the final rules made amendments to Form 20-F and Form 6-K consistent with the amendments to Item 106 of Regulation S-K and Item 1.05 of Form 8-K, respectively.
Inline XBRL Requirements
The final rules mandate that registrants tag the new disclosures in Inline XBRL, including by block text tagging narrative disclosures and detail tagging quantitative amounts. Inline XBRL tagging will enable automated extraction and analysis of the information required by the final rules, allowing investors and other market participants to more efficiently identify responsive disclosure, as well as perform large-scale analysis and comparison of this information across registrants. However, the SEC is delaying compliance with the structured data requirements for 1 year beyond initial compliance with the disclosure requirements.
Compliance Dates
The final rules are effective as of September 5, 2023. With respect to Item 106 of Regulation S-K and Item 16K of Form 20-F, all registrants must provide such disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023. With respect to compliance with the incident disclosure requirements in Item 1.05 of Form 8-K and in Form 6-K, all registrants other than smaller reporting companies must begin complying on December 18, 2023. Smaller reporting companies are being given an additional 180 days from the non-smaller reporting company compliance date before they must begin complying with Item 1.05 of Form 8-K, on June 15, 2024.
With respect to compliance with the structured data requirements, as noted above, all registrants must tag disclosures required under the final rules in Inline XBRL beginning 1 year after the initial compliance date for any issuer for the related disclosure requirement. Specifically:
- For Item 106 of Regulation S-K and Item 16K of Form 20-F, all registrants must begin tagging responsive disclosure in Inline XBRL beginning with annual reports for fiscal years ending on or after December 15, 2024; and
- For Item 1.05 of Form 8-K and Form 6-K, all registrants must begin tagging responsive disclosure in Inline XBRL beginning on December 18, 2024.
Disclaimer
Austin Legal Group, APC (ALG) does not make any representations or warranties, expressed or implied, as to the accuracy, completeness or fitness for a particular purpose of this or any article. This article is meant for general informational purposes only and should not be construed as, and does not constitute, legal advice. No one should take any action regarding the information in this article without first seeking the advice of an attorney. This article does not create an attorney-client relationship. No attorney-client relationship will exist with ALG or any attorney affiliated with it unless a written contract is signed by all parties and any conditions in such contract are satisfied. Please reach out to Gina M. Austin, Esq. at (619) 924-9600 for more information.