SEC Finalizes Cybersecurity Incident and Governance Disclosure Obligations for Public Companies
Highlights
- The long-awaited U.S. Securities and Exchange Commission (SEC) cybersecurity rules for public companies have finally arrived, with some improvements from the proposed rules released in March 2022.
- Still, the final rules will likely create significant compliance challenges as well as litigation and enforcement risks for public companies. Bottom line, companies will need to thoroughly analyze their internal disclosure controls with respect to cybersecurity threats and incidents, reassess their cybersecurity risk management processes and governance practices, and expend substantial effort in drafting their cybersecurity disclosures to minimize such risks.
- This Holland & Knight alert provides a closer look at the SEC's final rules and offers a number of key takeaways and considerations for public companies.
The long-awaited U.S. Securities and Exchange Commission (SEC) cybersecurity rules for public companies have finally arrived. On July 26, 2023, a divided SEC adopted new rules requiring each public company to, among other things, 1) report a material cybersecurity incident within four business days after determining that such incident is material, 2) describe its processes for assessing, identifying and managing material risks from cybersecurity threats and whether those risks are reasonably likely to materially affect its business strategy, operations or financial condition, and 3) disclose its cybersecurity governance practices, including the board's oversight of cybersecurity risk and management's process to manage, monitor, detect, mitigate and remediate cybersecurity incidents.
Public companies must comply with the cybersecurity incident reporting obligations 90 days after publication in the Federal Register or by Dec. 18, 2023, whichever is later. Smaller reporting companies are given an additional 180 days to comply. Public companies must provide the other disclosures beginning with annual reports for fiscal years ending on or after Dec. 15, 2023; the rules are applicable to foreign private issuers (FPIs).1
Since his arrival at the SEC, Chair Gary Gensler has indicated that the agency will use its rulemaking powers to regulate the cybersecurity posture and resiliency of reporting companies and other SEC regulated entities. As part of those efforts, in March 2022, the SEC proposed cybersecurity risk and incident disclosure rules for public companies, which received more than 150 comments.2 The final rules somewhat reduce and narrow the overly granular aspects of those proposed rules (e.g., status of remediation and data compromise in cybersecurity incident Form 8-K disclosures, risk management activities taken to prevent and detect cybersecurity incidents, cybersecurity expertise on the board, etc.).
Despite these improvements, the final rules were not adopted without controversy and generated vigorous dissents from Commissioners Hester Peirce and Mark Uyeda, who viewed the final rules as an overreach of SEC authority, of dubious benefit to investors and as potential aids to cybercriminals. They also raised concerns with respect to the time pressure that public companies will be under to report cybersecurity incidents, likely based on incomplete information, which might induce speculative trading. In addition, these rules will likely create significant litigation and enforcement risks for public companies. Bottom line, public companies will need to thoroughly analyze their internal disclosure controls with respect to cybersecurity threats and incidents, reassess their cybersecurity risk management processes and governance practices, and expend substantial effort in drafting their cybersecurity disclosures to minimize these risks.
This Holland & Knight alert provides a summary of the final rules and offers some key takeaways. For a redline of the new and amended text of Forms 8-K and 10-K, as well as the text of new Item 106 of Regulation S-K, see Appendix A.
Cybersecurity Requirements for Public Companies
Reporting Material Cybersecurity Incidents
The SEC has amended Form 8-K by adding new Item 1.05 to require public companies to disclose, within four business days after the company determines that it has experienced a material "cybersecurity incident," certain information about the incident.3 Expanding on the proposed rules' definition, a "cybersecurity incident" is now defined as "an unauthorized occurrence, or series of related unauthorized occurrences, on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein." The SEC emphasized that what constitutes a "cybersecurity incident" should be "construed broadly …" and may include an accidental exposure of data.
The final rules substantially departed from the proposed rules with respect to the required information to be disclosed related to a material cybersecurity incident. Instead of the litany of items concerning the cybersecurity incident (such as whether data was compromised and whether the incident has been remediated), disclosure will be primarily focused on "the impacts of a material cybersecurity incident, rather than on requiring details regarding the incident itself." To that end, for each material cybersecurity incident, Item 1.05(a) will require registrants to describe:
- the material aspects of the nature, scope and timing of the incident, and
- the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.4
The SEC, however, included an Instruction to Item 1.05 that a "registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant's response or remediation of the incident."
Notably, the triggering event for disclosure is not the date of the cybersecurity incident. Instead, disclosure would be required within four business days after the company determines that a cybersecurity incident it has experienced is material. The SEC dedicated a substantial portion of the final rule release to address comments concerning this timing requirement and clarified that public companies need to gather sufficient information after the discovery of the incident in order to conduct the materiality determination. The SEC noted that "[i]n the majority of cases, the registrant will likely be unable to determine materiality the same day the incident is discovered," and "in the majority of cases registrants will have had additional time leading up to the materiality determination, such that disclosure becoming due less than a week after discovery should be uncommon." Notwithstanding the permitted exercise of discretion (which is consistent with the longstanding concept of "ripeness" in determining materiality), the SEC expects public companies to make their materiality determinations "without unreasonable delay."5 In addition, the SEC expects public companies to report cybersecurity incidents within four business days even if companies do not have complete information about the incident but know enough to determine that an incident is material.
Materiality is to be determined under long-standing precedent: whether there is a substantial likelihood that a reasonable shareholder would consider the information as important or as having significantly altered the total mix of information made available.6 The SEC acknowledged that this materiality analysis "is not a mechanical exercise" but rather would require the company to consider "all relevant facts and circumstances surrounding the cybersecurity incident."7
One of the more significant changes from the proposed rule is the inclusion of a highly limited delay provision mirroring the one offered up by the agency concerning the proposed Safeguards Rule for regulated entities. A public company may delay notification for up to 30 days only if the U.S. Attorney General determines that disclosure poses a substantial risk to national security or public safety and so notifies the SEC of this determination. If the Attorney General determines that disclosure continues to pose a substantial risk to national security or public safety, the delay can be extended a second time for up to an additional 30 days and, in extraordinary circumstances, it can be extended a third time for an additional 60 days. Thereafter, if the Attorney General indicates that further delay is necessary, the SEC will consider the request and may grant relief only through an exemptive order.8
In response to public comments, the SEC somewhat streamlined the proposed requirements to update cybersecurity incident disclosure by removing express requirements to report further material developments regarding an incident in Forms 10-Q and 10-K, which would have required companies to provide periodic updates about previously disclosed cybersecurity incidents when a material change, addition or update occurred.9 Presumably, however, registrants may need to include information in their periodic reports regarding the status of cybersecurity incidents disclosed in Forms 8-K, particularly if an incident creates potentially material uncertainties, costs or other adverse implications.
The SEC will make the cybersecurity incident reporting on Form 8-K subject to a limited safe harbor from liability under Section 10(b) or Rule 10b-5 under the Exchange Act for a failure to timely file.10 Importantly, this limited safe harbor does not exempt companies from antifraud liability – or other liability under other provisions of the federal securities laws – for representations made in Form 8-K or elsewhere concerning a cybersecurity incident or its cybersecurity risk. Notably, a failure to timely file an Item 1.05 Form 8-K would not affect a public company's ability to register securities on Form S-3.
Disclosures of Cybersecurity Risk Management and Strategy
The final rules add Item 106(b) to Regulation S-K, which requires detailed disclosure about a public company's cybersecurity risk management processes.11 The SEC again scaled back the proposed rule, removing certain granular disclosure requirements, such as the activities it undertakes to prevent, detect and minimize effects of cybersecurity incidents. However, as adopted, the new rules require public companies to describe their "processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats12 in sufficient detail for a reasonable investor to understand those processes." Such disclosures "should address" the following nonexclusive list of items:
- whether and how any such processes have been integrated into the registrant's overall risk management system or processes
- whether the registrant engages assessors, consultants, auditors or other third parties in connection with any such processes, and
- whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider
In addition, public companies must describe "whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how." The new disclosure requirements will apply primarily to Form 10-K.
Cybersecurity Governance Disclosures
The SEC also added Item 106(c) of Regulation S-K, which requires public companies to make two governance-related disclosures concerning: 1) board oversight of cybersecurity risks and associated processes, and 2) management's role in assessing and managing material cybersecurity risks.
New Item 106(c)(1) of Regulation S-K requires public companies to describe board oversight of risks from cybersecurity threats. In addition, if applicable, public companies are to "identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats," and describe "the processes by which the board or such committee is informed about such risks."
With respect to management, new Item 106(c)(2) of Regulation S-K requires public companies to describe management's role in assessing and managing material risks from cybersecurity threats. Disclosure under this section should address the following nonexclusive items:
- whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise
- the processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents, and
- whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors
Key Takeaways
The Final Rules Are Less Burdensome Than the Proposed Rules
As noted above, the proposed rules would have required disclosure of granular details concerning cybersecurity incidents and public companies' cybersecurity risk management policies and procedures, and would have placed heavy burdens on public companies to provide periodic reports of cybersecurity incidents and to assess the materiality of aggregated incidents.
The final rules eliminate many of these requirements and substantially reduce the disclosure burden. As a result, the final rules are more streamlined and manageable in comparison, and strike a better balance between informing investors and increasing the disclosure obligations and risks for public companies. The final rules also reduce, but do not eliminate, the increased cybersecurity risks the proposed rules would have created.
The Final Rules Could Create Additional Cybersecurity Risk
Although the final rules are less burdensome than proposed, the content of the final disclosures still could have the unintended result of making public companies more vulnerable to cyberattacks. If the disclosure of a company's cybersecurity risk management processes is expected to assist a non-cybersecurity expert in making informed investment decisions related to such company's cybersecurity posture and resiliency, then such disclosures will equally (if not more so) assist savvy cybercriminals in making their assessments concerning the cybersecurity posture and resiliency of such company. Cybercriminals potentially could hoist a public company with its own petard13 by utilizing its disclosure of cybersecurity risk management processes to identify vulnerabilities and design strategic cyberattacks against it.
Additionally, the public disclosure of a material cybersecurity incident prior to full containment and remediation could provide opportunities for cybercriminals to further target victim companies or their affected customers, employees or other constituents. Similarly, the disclosure of a material ransomware attack during the pendency of negotiations also could adversely affect a company's ransomware negotiation position and strategy.
The Final Rules Create Significant Litigation Risks
The incident reporting rules require public companies to disclose material aspects of the nature, scope and timing of a material cybersecurity incident. Because this disclosure is required within four business days after determining materiality, the Form 8-K filing will likely precede data breach notices to individuals and state Attorney General notices, as well as notices to all potentially affected business partners, customers and clients. Furthermore, providing such details prior to the completion of a forensic investigation and data mining efforts is likely to expose a company to premature litigation before it has a complete picture of the impact of the cybersecurity incident. Also, as many incident response investigations are conducted under attorney-client and work product privileges, disclosure of material aspects of the incident could potentially undermine the confidentiality associated with investigating the incident.
In addition to these risks, both the cybersecurity incident reporting obligations and cybersecurity risk management disclosures create significant risks that the SEC's Division of Enforcement and private litigants will use the company's representations as potential bases for liability under antifraud provisions and other grounds. The SEC's Division of Enforcement has already shown a willingness to charge violations of the disclosure controls and procedures provisions under the federal securities laws to hold companies liable in connection with cybersecurity incidents. The additional disclosure requirements of Item 106 of Regulation S-K present risks that the Division of Enforcement will utilize such provisions to penalize companies after they have been the victims of cybersecurity incidents.
To reduce some of these risks, public companies will need to assess their internal disclosure controls and procedures with respect to cybersecurity threats, develop policies and procedures to determine materiality of a reported cybersecurity threat or incident, ensure that these incidents are reported to senior management who are charged with authorizing public disclosures and carefully draft these required disclosures.
Third-Party Risks Create Heavy Burdens on Public Companies
The SEC highlighted companies' "increasing reliance on third-party service providers for information technology services …" as one of the reasons cybersecurity risks have increased.14 In addition, the final rules define information systems to include "information resources owned or used by the registrant,"15 and the SEC has recognized that this definition is intended to include third-party service providers.16 In the event of a cybersecurity incident at a third-party vendor, public companies may have difficulty obtaining timely information or obtaining sufficient details to make a materiality determination or disclose all the information required by Item 1.05 of Form 8-K.
Although the SEC recognized that public companies "may have reduced visibility into third-party systems" that they neither control nor own, the only guidance it provided was that public companies "should disclose based on the information available to them," and that the "final rules generally do not require that registrants conduct additional inquiries outside of their regular channels of communication with third-party service providers pursuant to those contracts and in accordance with registrants' disclosure controls and procedures."17 Nevertheless, there will be ample opportunity to second-guess a public company regarding what it knew or should have known about a cybersecurity incident at a third party and its potential impact on the company.
To reduce some of this risk, public companies (and companies considering becoming public companies) may want to reassess their cybersecurity and data privacy risks associated with their vendor management programs. This may include conducting due diligence reviews and cybersecurity audits, including contractual provisions to ensure timely and detailed cyber incident reporting, or even reconsidering the mix of internal and outsourced information technology systems.
The Delay Notification Provision Is Highly Limited and Impractical
Unlike state data breach laws that permit notifications to be delayed when law enforcement determines such notifications will impede an investigation, the SEC permits delayed notifications only for national security and public safety risks. In doing so, the SEC appears to strike an uncertain balance between the needs of investors and those of law enforcement, notwithstanding that the investing public may benefit far more from unimpeded criminal investigations against cybercriminals.
Moreover, the U.S. Attorney General must make the national security and public safety determination. Obtaining the Attorney General's approval within four days of a materiality determination will likely be difficult in practice. The process may even be burdensome for the Attorney General when factoring in the volume of cybersecurity incidents and the number of public companies that may be implicated by a particular incident. As noted earlier, details regarding the process to seek such a determination are yet to come.
The Final Rules Will Require Public Companies to Take Prompt Action
While not an express purpose of the final rules, there is little doubt that they reflect a desire of the SEC to influence corporate governance at public companies. As identified in the dissenting statement on the proposed rules issued by Commissioner Peirce, the final rules may affect the composition of boards of directors and management teams, and will likely cause substantive changes to management policies and procedures related to cybersecurity matters. In light of these final rules, each public company should carefully review its cybersecurity staffing and management teams. Integrating cybersecurity risk management into overall enterprise risk management will be more important than ever given the public spotlight that will now be focused upon these issues.
Each public company should also review how it allocates cybersecurity risk oversight at the board level and ensure that the board committees have sufficient authority and direction regarding these responsibilities. While likely directly implicating the audit committee, which often has charge of enterprise risk management, cybersecurity risk management may also require the attention of the compensation committee and the corporate governance committee insofar as managing these risks may have compensation and governance structure implications.
In addition, public companies should review their disclosure controls and procedures surrounding cybersecurity to ensure that senior management is kept fully apprised of these events and is placed in the position to make well-informed decisions regarding disclosure of cybersecurity incidents. Even prior to these final rules, we have already seen at least two SEC enforcement actions based on inadequate disclosure controls and procedures with respect to cybersecurity matters.18
Although this is not the first time that Congress or the SEC has used disclosure to achieve substantive changes in corporate management,19 as noted above, the final rules are likely to have pervasive and unintended effects. Although the final rules eliminated a proposed requirement to identify board members with cybersecurity expertise, public companies will nevertheless have additional incentives to pursue directors with cybersecurity on their CVs, as well as to add to the ranks of their information technology management and staffs. Undoubtedly, the final rules will require public companies to devote increased time and financial resources to cyber risk management, governance and oversight, not only to protect themselves from substantive cybersecurity risk but also to protect themselves from securities litigation and enforcement risk.
Notes
1 For calendar year companies, the annual report for the year ended Dec. 31, 2023, will be the first report in which cybersecurity risk management disclosures will be required.
2 In addition to the proposed cybersecurity rule for public companies, the SEC proposed separate cybersecurity regulations for investment advisers and companies and amendments to Regulation S-P (Safeguards Rule).
3 For FPIs, the SEC is amending Form 6-K.
4 Public companies will need to assess cybersecurity incidents not only with respect to the systems that they own but also on information resources "used by" the company, including cloud-based storage devices and virtual infrastructure. The SEC clarifies, however, that the "final rules generally do not require that registrants conduct additional inquiries outside of their regular channels of communication with third-party service providers pursuant to applicable contracts and in accordance with registrants' disclosure controls and procedures."
5 Instruction 1 to Item 1.05 of Form 8-K.
6 See, e.g., Basic, Inc. v. Levinson, 485 U.S. 224, 232 (1988); TSC Industries v. Northway, Inc., 426 U.S. 438, 449 (1976); Final Rule, at 80.
7 Final Rule, at 29 n.121.
8 The SEC stated that it has consulted with the U.S. Department of Justice (DOJ) to establish an interagency communication process to allow for the Attorney General's determination to be communicated to the SEC in a timely manner. The DOJ will notify the affected registrant that communication to the SEC has been made, so that the registrant may delay filing its Form 8-K. Presumably, further information regarding this process will be provided by SEC staff.
9 Instead, public companies will need to identify any Item 1.05(a) information that was not determined or available at the time the Form 8-K is initially filed and then file an amendment to the Form 8-K containing such information within four business days after learning the information.
10 See amendments to Rules 13a-11(c) and 15d-11(c).
11 For FPIs, the SEC is amending Form 20-F.
12 Cybersecurity threat is defined as "any potential unauthorized occurrence on or conducted through a registrant's information systems that may result in adverse effects on the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein."
13 To borrow a line from Hamlet, Act 3, Scene 4, Line 207, Wm. Shakespeare.
14 Final Rule, at 7.
15 Item 106(a)(3).
16 Final Rule, at 78-79.
17 Id., at 31.
18 In the Matter of Blackbaud, Inc. (2023); In the Matter of First American Financial Corporation (2021).
19 Other examples include relatively low reporting thresholds for environmental proceedings to encourage environmental law compliance, Compensation Discussion and Analysis disclosure to influence compensation decisions, changes to audit committees and the auditor relationship caused by the Sarbanes-Oxley Act, and required disclosures and changes to compensation committee activities caused by the Dodd-Frank Act.