The new SEC cybersecurity rules (Release No. 33-11216) codify and build on earlier SEC guidance on cybersecurity risks and incidents and require specific cybersecurity-related disclosures.
The new requirements include:
- Disclosure on Form 8-K within 4 business days of determining that a cybersecurity incident is material, beginning December 18, 2023
- Standardized annual disclosures of cybersecurity risk management, strategy and governance, including whether prior cybersecurity incidents have materially affected the company
Key Requirements
1. Public Disclosure of Cybersecurity Incidents: Beginning on December 18, 2023 (June 15, 2024 for smaller reporting companies), companies are required to disclose material cybersecurity incidents under new Item 1.05 of Form 8-K within 4 business days. The deadline runs from the company’s determination that the incident is material to investors, not from the incident itself or its discovery. Companies must make that materiality determination without unreasonable delay after discovering the incident.
Once a cybersecurity incident is determined to be material, companies must describe the material aspects of:
- The nature, scope and timing of the incident, including when it was discovered and whether it is ongoing
- The incident’s material impact, or reasonably likely material impact, on the company, including its financial condition and results of operations (for example, whether data was stolen, altered, accessed or used for an unauthorized purpose, and the effect on the company’s operations)
Companies may omit information that has not been determined or is unavailable at the time of filing, and need not disclose specific or technical information about their planned response, their systems or potential vulnerabilities in such detail as would impede response or remediation. Disclosure may not be delayed to protect an internal investigation or to accommodate general cooperation with law enforcement. The only permitted delay is where the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing; that delay is initially up to 30 days, extendable by up to another 30 days and, in extraordinary circumstances, by up to a further 60 days.
If any required information is not determined or is unavailable when the Form 8-K is filed, the company must say so in the filing and then file an amendment to the Form 8-K within 4 business days after it determines that information or the information becomes available. Because the rules define a “cybersecurity incident” to include a series of related unauthorized occurrences, related events must be evaluated together when assessing materiality rather than individually.
2. Public Disclosure of Company Policies and Governance: Beginning with annual reports for fiscal years ending on or after December 15, 2023, companies must disclose on their Form 10-K (new Item 106 of Regulation S-K):
- Processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, including whether those processes are integrated into overall risk management, whether third-party assessors, consultants or auditors are engaged, and whether risks from the use of third-party service providers are overseen
- Whether any risks from cybersecurity threats, including previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company
- Board oversight of cybersecurity risk, including any board committee responsible and the processes by which the board or committee is informed of such risks
- Management’s role in assessing and managing material cybersecurity risks, including which management positions or committees (for example, a chief information security officer) are responsible, their relevant expertise, how they are informed about and monitor cybersecurity incidents, and whether they report to the board
3. Foreign Private Issuers: The substance of the foregoing disclosure requirements also applies to foreign private issuers, which report material incidents on Form 6-K and make the annual disclosures on Form 20-F.
Changes to SEC’s 2018 Guidance
The new rules codify much of the previous 2018 guidance, which most public companies are already following. For example, the 2018 guidance encouraged companies to develop cybersecurity risk management policies and procedures to support disclosure and to disclose board oversight of cybersecurity risk. The new rules take that guidance and strengthen it into required disclosures.
The new rules also increase the burden of cybersecurity incident disclosures. Under the 2018 guidance, the SEC expected companies to discuss cybersecurity incidents or risks if they would materially affect the company, but set no specific deadline. The new rules create a fixed deadline of 4 business days from the materiality determination and require a substantial amount of information to be included in the disclosure of any material cybersecurity incident.
Takeaways
To be compliant with these new rules, companies should be prepared to address the following:
- Controls and procedures for escalating cybersecurity incidents, including a process for making a materiality determination without unreasonable delay after an incident is discovered
- Controls and procedures for producing updates on previously reported cybersecurity incidents
- Identifying a chief information security officer and determining how that officer will fit into the company’s organizational chart
- Updating annual report and current report checklists to include the new Form 10-K and Form 8-K disclosure requirements
- Involvement of the board and disclosure committees in evaluating cybersecurity disclosures
- Cybersecurity vendors’ current practices and their alignment with new disclosure requirements and timelines
If you have any questions about these or related topics, please reach out to your Locke Lord contact or any of the authors.