New SEC Rules Require Public Companies to Disclose Cybersecurity Incidents

Technology & Software

by Marian Massey | Aug 7, 2023

On June 26, 2023, the SEC announced new rules requiring public companies to promptly report cybersecurity incidents beginning later this year.[1] The new rules were originally proposed in 2022 and appear to have been shaped or delayed by an increased number of high-profile cybersecurity attacks, by comments and letters from companies and counsel stating their positions on the proposed rule, and by two recently enacted federal laws: (1) the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), which requires companies in “critical infrastructure sectors” to report cybersecurity incidents and ransom payments; and (2) the Quantum Computing Cybersecurity Preparedness Act, which directed the federal government to adopt technology to protect against decryption.

The SEC provided the following table in its Final Rule to briefly summarize the requirements for public companies that experience cybersecurity incidents:[2]

Item: Regulation S-K Item 106(b) (Risk management and strategy)
Description of the Disclosure Requirement: Registered companies must describe the processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats, and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition.

Item: Regulation S-K Item 106(c) (Governance)
Description of the Disclosure Requirement: Registered companies must:

  • Describe the board of directors’ oversight of risks from cybersecurity threats.
  • Describe management’s role in assessing and managing material risks from cybersecurity threats.

Item: Form 8-K Item 1.05 (Material Cybersecurity Incidents)
Description of the Disclosure Requirement: Registered companies must disclose any cybersecurity incident they experience that is determined to be material and describe the material aspects of its: (1) nature, scope, and timing; and (2) impact or reasonably likely impact.

An Item 1.05 Form 8-K must be filed within four business days of determining that an incident was material. A registrant may delay filing as described below if the United States Attorney General (“Attorney General”) determines that immediate disclosure would pose a substantial risk to national security or public safety.

Registrants must amend a prior Item 1.05 Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing.

Item: Form 20-F
Description of the Disclosure Requirement: Foreign Private Issuers (“FPIs”) must:

  • Describe the board of directors’ oversight of risks from cybersecurity threats.
  • Describe management’s role in assessing and managing material risks from cybersecurity threats.

Item: Form 6-K
Description of the Disclosure Requirement: FPIs must provide on Form 6-K information on material cybersecurity incidents that they disclose or otherwise publicize in a foreign jurisdiction, to any stock exchange, or to security holders.

Preparation for the New Rule

Beginning in December of 2023, public companies will be required to make appropriate disclosures in their annual filings and provide disclosures when a material cybersecurity incident occurs. Public companies should begin preparing for the new disclosure requirements immediately, and should consider evaluating and revising the following policies and procedures regarding cybersecurity attacks:

  1. Revise Cybersecurity Internal Policies: companies should review and evaluate their internal cybersecurity policies to ensure that the policies comply with current legal requirements, outline how the company responds to cybersecurity risks, incidents, and material incidents, and ensure the internal reporting processes comply with the new disclosure requirements in Form 8-K.
  2. Evaluate Cybersecurity Systems: companies should also assess their current cybersecurity systems to ensure the systems are adequate to prevent cybersecurity threats, mitigate cybersecurity incidents when they occur, and allow the company to adapt quickly and efficiently to a cybersecurity threat or incident.
  3. Create an Information Management Team: companies should consider creating an information management team that assesses cybersecurity threats, responds to those threats, and provides information to the company’s management and board of directors.
  4. Training and Education: companies should also consider ongoing training and education for employees and management given the constantly evolving cybersecurity threats that may occur within the company. Companies should stay abreast of cybersecurity incidents and provide training to employees and management regarding cybersecurity threats.
  5. Review Agreements with Third-Party Vendors: companies should also review their agreements with third-party vendors to ensure that vendors are also complying with the incident reporting and disclosure requirements under the new rule. Unfortunately, in many instances, cybersecurity incidents originate at a company’s third-party vendors, so companies should begin reviewing and evaluating those third-party agreements to ensure that their vendors promptly report cybersecurity incidents when they occur.

[1] See SEC Press Release, SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, June 26, 2013, available at: https://www.sec.gov/news/press-release/2023-139.

[2] See Securities and Exchange Commission, Final Rule, 17 CFR Parts 229, 232, 239, 240, and 240 [Release Nos. 33-11216; 34-97989], at 12-13, available at: https://www.sec.gov/files/rules/final/2023/33-11216.pdf.

Author

  • Marian Massey

    Marian’s practice includes multi-jurisdictional experience in both the trial and appellate courts including employment matters, breach of contract disputes, trade secret claims, as well as shareholder and partnership disputes.