Key Takeaways:

  • On July 26, 2023, the Securities and Exchange Commission (SEC) adopted rules requiring disclosure of material cybersecurity incidents as well as periodic disclosure of cybersecurity risk management, strategy, and governance.
  • Public companies will be required to disclose "any cybersecurity incident they determine to be material" under new Item 1.05 of Form 8-K.
  • Public companies will need to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats and disclose whether any previous cybersecurity incidents have materially affected (or are likely to materially affect) the company under new Item 106 of Regulation S-K.
  • Foreign Private Issuers (FPIs) will need to provide information on material cybersecurity incidents that have been disclosed or publicized in a foreign jurisdiction to any stock exchange or security holder on Form 6-K.

On July 26, 2023, the Securities and Exchange Commission (SEC) adopted rules requiring disclosure of material cybersecurity incidents as well as periodic disclosure of cybersecurity risk management, strategy, and governance in annual reports for public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.

Requirements under the final rules include the following:

  • Public Companies
    • Form 8-K. New Item 1.05 has been added to Form 8-K that will require public companies to disclose any material cybersecurity incident. Importantly, once a cybersecurity event has been discovered, public companies must determine as soon as reasonably practical whether such incident is material, and, if the incident is material, must file an Item 1.05 Form 8-K disclosure within four business days after the materiality determination.

      The SEC has noted that, in assessing whether a cybersecurity incident is material, public companies should apply the materiality standard set out in securities law cases addressing materiality (including TSC Industries, Inc. v. Northway, Inc., Basic, Inc. v. Levinson, and Matrixx Initiatives, Inc. v. Siracusano) and prior SEC guidance on materiality (including the definitions set forth in "Securities Act Rule 405" and "Exchange Act Rule 12b-2") – notably, that information is material "if there is a substantial likelihood that a reasonable shareholder would consider it important" in making an investment decision, or if it would have "significantly altered the 'total mix' of information made available." If a public company determines that an incident is material, it must describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact (or reasonably likely impact) of the incident on the company.
    • Regulation S-K. New Item 106 under Regulation S-K will require public companies to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats and to disclose whether any previous cybersecurity incidents have materially affected (or are likely to materially affect) the company. Further, public companies will need to describe the board of directors' oversight of risks from cybersecurity threats as well as management's role and expertise in assessing and managing such risks.
  • Foreign Private Issuers
    • Form 6-K. Foreign Private Issuers (FPIs) will need to furnish on Form 6-K information on material cybersecurity incidents that have been disclosed or publicized in a foreign jurisdiction to any stock exchange or security holders. Relatedly, Form 20-F will be amended to include periodic disclosure requirements similar to those included in the updates to Regulation S-K.

The SEC's July 26, 2023 announcement provides the following timelines:

  • Effective Date. The new rules will go into effect thirty (30) days following the date of publication in the Federal Register.
  • Periodic Disclosure Requirements. Disclosures under Regulation S-K Item 106 and Form 20-F will be required in annual reports for fiscal years ending on or after December 15, 2023.
  • Cybersecurity Incident Disclosure. Public companies (other than smaller reporting companies) will need to begin complying with the new incident disclosure requirements under Item 1.05 of Form 8-K on the later of (1) ninety (90) days following the date of publication in the Federal Register or (2) December 18, 2023. For smaller reporting companies, these deadlines are extended to the later of (1) two hundred and seventy (270) days following the date of publication in the Federal Register or (2) June 15, 2024.

Law clerk Ben Kalman co-authored this alert.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.