SEC Adopts Final Rules Requiring Cybersecurity Disclosures to the Market
by: Dave Radmore
Last week, on July 26, the SEC announced that it has finalized new rules, initially proposed in March 2022, that require public companies to disclose material cybersecurity incidents and to provide regular disclosures regarding their cybersecurity risk management practices. The intent of the rules is to formalize existing informal guidance and provide more uniform methods of disclosing cybersecurity risks to the market. The finalized rules will go into effect 30 days after their publication in the Federal Register, meaning that for those companies whose fiscal years end on or after December 15, 2023, disclosures regarding cybersecurity practices will need to be included in their forthcoming annual reports. This post summarizes the key elements of the new rules that companies with SEC disclosure obligations will need to be aware of.
Disclosure of Material Cybersecurity Incident
Companies that experience material cybersecurity incidents will be required to make Form 8-K public disclosures regarding such incidents. The SEC rule requires a company to determine whether a particular cybersecurity incident is “material” after discovery of the incident without unreasonable delay. A cybersecurity incident is considered material where there is a substantial likelihood that a reasonable shareholder would consider the incident important in making an investment decision. A company must err on the side of disclosure, resolving any doubts about whether a cybersecurity incident may be material in favor of investors.
The SEC specifies that the 8-K disclosure must describe the nature, scope and timing of the disclosed cybersecurity incident, along with the material impact or reasonably likely material impact of the incident on the company, including impact on the company’s operations and financial conditions. Companies are required to file their disclosures within 4 business days of the company making its determination that an incident was “material” unless such disclosure poses a substantial risk to national security or public safety, which may only be determined by the US Attorney General. This disclosure time frame likely means that in many cases an incident may not have been resolved, and may even still be in process, by the time disclosure must be made. Acknowledging that possibility, the SEC rule mandates that companies are required to file amendments to their disclosures if and when new material information is discovered after the company’s initial filings.
In its discussion of the final rule, the SEC noted that impact on a company’s financial condition is not the only type of material impact a company should consider in its disclosures, suggesting that reputational harm, damage to customer or vendor relationships, impacts to competitiveness, and the possibility of litigation or regulatory action against the company as other examples of material impact that should be considered in disclosures.
The SEC final rule also requires a company to disclose a cybersecurity incident affecting the company’s data but that occurs on its third-party vendor’s systems. Note that this approach is consistent with the responsibilities a business retains for its customer personal information that is processed by third party service provider under various privacy laws.
Disclosure of Cybersecurity Practices in Annual Reports
In addition to disclosure of material cybersecurity incidents when they occur, the SEC final rule requires companies to provide descriptions of their cybersecurity risk management processes in their annual reports. The rule requires companies provide descriptions of their processes for identifying and managing material risks from cybersecurity threats, whether any third party consultants are engaged in connection with such processes, and any processes implemented by the company to identify and manage cybersecurity risks associated with use of third-party vendors. The SEC specifically noted in its discussion of the final rule that companies are not expected to provide a list of their third party vendors and the services provided by each vendor in these disclosures.
A company’s description of its cybersecurity processes is required to be made with sufficient detail that a reasonable investor can understand those processes. However, a company need not include sensitive details for which public disclosure could increase the company’s risk of a cyber-attack.
In addition to describing its cybersecurity processes, the final rule further requires that companies provide a description of the company management’s and board of directors’ oversight of cybersecurity risks, including identifying if any board committee or subcommittee has been formed to manage such risks, and disclosing what management positions (e.g. Chief Infosec Officer) or management committees are responsible for managing the company’s cybersecurity risks. The company must also describe the relevant expertise of its people in management positions overseeing cybersecurity risk, and whether management reports information about cybersecurity risks to the board of directors.
What does this mean for my company?
On the one hand, the new rule formalizes disclosure obligations that many companies may have already observed in their annual reports. However, the incident disclosure elements of the rule add an additional disclosure obligation that public companies will need to incorporate into their cybersecurity response procedures, and in some cases will require public disclosures while still in the process of responding to and mitigating an ongoing cybersecurity incident. Moreover, the formalized disclosure obligations will increase the need for public companies to ensure that they have robust cybersecurity processes in place, not only to mitigate cybersecurity risks but now also risks of investor lawsuits alleging inadequate cybersecurity risk management.
Originally published by InfoLawGroup LLP. If you would like to receive regular emails from us, in which we share updates and our take on current legal news, please subscribe to InfoLawGroup’s Insights HERE.