The SEC provided the following table in its Final Rule to briefly summarize the requirements for public companies that experience cybersecurity incidents:[2]
Item | Description of the Disclosure Requirement |
---|---|
Regulation S-K Item 106(b) – Risk management and strategy | Registered companies must describe the processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats, and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition. |
Regulation S-K Item 106(c) – Governance | Registered companies must: |
Form 8-K Item 1.05 – Material Cybersecurity Incidents | Registered companies must disclose any cybersecurity incident they experience that is determined to be material and describe the material aspects of its: (1) nature, scope, and timing; and (2) impact or reasonably likely impact. Item 1.05 Form 8-K must be filed within four business days of determining an incident was material. A registrant may delay filing as described below if the United States Attorney General (“Attorney General”) determines immediate disclosure would pose a substantial risk to national security or public safety. Registrants must amend a prior Item 1.05 Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing. |
Form 20-F | Foreign Private Issuers (“FPIs”) must: |
Form 6-K | FPIs must provide on Form 6-K information on material cybersecurity incidents that they disclose or otherwise publicize in a foreign jurisdiction, to any stock exchange, or to security holders. |
Preparation for the New Rule
Beginning in December of 2023, public companies will be required to make appropriate disclosures in their annual filings and provide disclosures when a material cybersecurity incident occurs. Public companies should begin preparing for the new disclosure requirements immediately, and should consider evaluating and revising the following policies and procedures regarding cybersecurity attacks:
- Revise Cybersecurity Internal Policies: companies should review and evaluate their internal cybersecurity policies to ensure that the policies comply with current legal requirements, outline how the company responds to cybersecurity risks, incidents, and material incidents, and ensure the internal reporting processes comply with the new disclosure requirements in Form 8-K.
- Evaluate Cybersecurity Systems: companies should also assess their current cybersecurity systems to ensure the systems are adequate to prevent cybersecurity threats, mitigate cybersecurity incidents when they occur, and allow the company to adapt quickly and efficiently to a cybersecurity threat or incident.
- Create an Information Management Team: companies should consider creating an information management team that assesses cybersecurity threats, responds to those threats, and provides information to the company’s management and board of directors.
- Training and Education: companies should also consider ongoing training and education for employees and management, given the constantly evolving cybersecurity threats the company may face. Companies should stay abreast of cybersecurity incidents and provide training to employees and management regarding cybersecurity threats.
- Review Agreements with Third-Party Vendors: companies should also review their agreements with third-party vendors to ensure that vendors are also complying with the incident reporting and disclosure requirements under the new rule. Unfortunately, in many instances, cybersecurity incidents occur because of issues arising from a company's third-party vendors, so companies should begin reviewing and evaluating those third-party agreements to ensure that their vendors are promptly reporting cybersecurity incidents when they occur.
[1] See SEC Press Release, SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, June 26, 2013, available at: https://www.sec.gov/news/press-release/2023-139.
[2] See Securities and Exchange Commission, Final Rule, 17 CFR Parts 229, 232, 239, 240, and 240 [Release Nos. 33-11216; 34-97989], at 12-13, available at: https://www.sec.gov/files/rules/final/2023/33-11216.pdf.