The SEC adopted final rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.
Form 8-K Item 1.05 – Material Cybersecurity Incidents
Required Disclosure
Form 8-K, Item 1.05 provides that if a registrant experiences a cybersecurity incident that is determined by the registrant to be material, the registrant must describe in Form 8-K the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.
A “cybersecurity incident” is defined to mean an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein. “Information systems” is defined to mean electronic information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant’s information to maintain or support the registrant’s operations.
The required information must be provided in an Interactive Data File in accordance with Rule 405 of Regulation S-T and the EDGAR Filer Manual.
A report pursuant to Item 1.05 must be filed within four business days after the registrant determines that it has experienced a material cybersecurity incident. A registrant’s materiality determination regarding a cybersecurity incident must be made without unreasonable delay after discovery of the incident.
To the extent that the information called for in Item 1.05 is not determined or is unavailable at the time of the required filing, the registrant must include a statement to that effect in the filing and then must file an amendment to its Form 8-K filing under this Item 1.05 containing such information within four business days after the registrant, without unreasonable delay, determines such information or within four business days after such information becomes available.
A registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.
Materiality Assessment
The SEC declined to provide additional guidance regarding the application of a materiality determination to cybersecurity and declined to replace materiality with a significance standard. The SEC expects that registrants will apply materiality considerations as would be applied regarding any other risk or event that a registrant faces. According to the SEC, carving out a cybersecurity-specific materiality definition would mark a significant departure from current practice, and would not be consistent with the intent of the final rules. Accordingly, the SEC reiterated, consistent with the standard set out in the cases addressing materiality in the securities laws, that information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.” Because materiality’s focus on the total mix of information is from the perspective of a reasonable investor, companies assessing the materiality of cybersecurity incidents, risks, and related issues should do so through the lens of the reasonable investor. The evaluation should take into consideration all relevant facts and circumstances, which may involve consideration of both quantitative and qualitative factors. Thus, for example, when a registrant experiences a data breach, it should consider both the immediate fallout and any longer term effects on its operations, finances, brand perception, customer relationships, and so on, as part of its materiality analysis. The SEC also noted that, given the fact-specific nature of the materiality determination, the same incident that affects multiple registrants may not become reportable at the same time, and it may be reportable for some registrants but not others.
Form 10-K, Item 1C
Registrants will be required to disclose the information required by Item 106 in Form 10-K. The information required by this Item must be disclosed in an Interactive Data File in accordance with Rule 405 of Regulation S-T and the EDGAR Filer Manual. The information includes:
Risk management and strategy
A description of the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. In providing such disclosure, a registrant should address, as applicable, the following non-exclusive list of disclosure items:
- Whether and how any such processes have been integrated into the registrant’s overall risk management system or processes;
- Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
- Whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.
Registrants must also describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how.
A “cybersecurity threat” is defined to mean any potential unauthorized occurrence on or conducted through a registrant’s information systems that may result in adverse effects on the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.
Governance
Registrant’s are also required to describe the board of directors’ oversight of risks from cybersecurity threats. If applicable, the registrant must identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describe the processes by which the board or such committee is informed about such risks.
Management’s role in assessing and managing the registrant’s material risks from cybersecurity threats must also be disclosed. In providing such disclosure, a registrant should address, as applicable, the following non-exclusive list of disclosure items:
- Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
- The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
- Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.
Board of Directors’ Cybersecurity Expertise
The SEC declined to adopt disclosures regarding cybersecurity expertise of directors in the final rules.
S-3 Eligibility
General Instruction I.A.3.(b) of Form S-3 was amended so that the untimely filing of an Item 1.05 Form 8-K will not result in the loss of Form S-3 eligibility.
Implementation Deadlines The final rules will become effective 30 days following publication of the adopting release in the Federal Register. With respect to Regulation S-K Item 106, all registrants must provide such disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023. With respect to compliance with the incident disclosure requirements in Form 8-K Item 1.05, all registrants other than smaller reporting companies must begin complying on the later of 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days and must begin complying with Form 8-K Item 1.05 on the later of 270 days from the effective date of the rules or June 15, 2024. With respect to compliance with the structured data requirements, all registrants must tag disclosures required under the final rules in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.