The Securities and Exchange Commission’s Rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

January 5, 2024

INTRODUCTION 

We have prepared this memorandum (the “Memo”) to summarize the final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (the “Rule”) adopted by the Securities and Exchange Commission (the “SEC”).

On July 26, 2023, the SEC adopted the Rule, which requires public companies to report and disclose:

  1. Material cybersecurity incidents if and when they occur, on a Current Report on Form 8-K; and 

  2. In their Annual Reports on Form 10-K: (a) their cybersecurity risk management and strategy, and (b) their governance with respect to the oversight role of the board and management on cybersecurity. 

DEFINITIONS

The Rule provides the following definitions for Cybersecurity Incident, Cybersecurity Threat, and Information Systems:

  1. Cybersecurity Incident is defined as “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”

  2. Cybersecurity Threat is defined as “any potential unauthorized occurrence on or conducted through a registrant’s information systems that may result in adverse effects on the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” 

  3. Information Systems is defined as “electronic information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant’s information to maintain or support the registrant’s operations.”

In the sections below, we have provided the salient provisions and requirements of the Rule and the reporting obligations of the Company.

SALIENT PROVISIONS OF THE RULE

1. Disclosure of Cybersecurity Incidents on Current Reports (Form 8-K trigger)

The Rule introduces a new Item 1.05 to Form 8-K, which requires disclosure within four business days after the Company determines that a cybersecurity incident is material.

Materiality

A cybersecurity incident is material if there is a substantial likelihood that a reasonable investor would consider the information, event, or occurrence important in making an investment decision, or if the event would have significantly altered the “total mix” of information made available. Doubts as to the critical nature of the information should be resolved in favor of disclosure. The analysis should also take into account both qualitative and quantitative factors.

Disclosure required in the Form 8-K

In disclosing material cybersecurity incidents, the Company is required to describe:

  1. The material aspects of the nature, scope, and timing of the cybersecurity incident; and

  2. The material impact or reasonably likely impact on the Company, including its financial condition and results of operations. 

The Company need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, or potential system vulnerabilities, in such detail as would impede the Company’s response or remediation of the incident.

When disclosure can be delayed

Only following a determination by the U.S. Attorney General that a disclosure poses a substantial risk to national security or public safety may the Company delay disclosure of a material cybersecurity incident, for up to 30 days. An extension of an additional 30 days is permissible if, upon reevaluation, the Attorney General deems that the risk persists. In extraordinary circumstances, a final extension of up to 60 days may be granted. The Attorney General is required to communicate these determinations to the SEC in writing.

For companies covered by the Federal Communications Commission’s (FCC) notification rule governing breaches of customer proprietary network information (CPNI), the Form 8-K disclosure may be deferred for a period of up to seven business days following notification to both the U.S. Secret Service and the Federal Bureau of Investigation, in accordance with FCC regulations.

When disclosure should be updated

The Company is required to amend a prior Form 8-K to disclose any information required to be disclosed under Item 1.05 of Form 8-K that was not determined or was unavailable at the time of the initial Form 8-K filing.

Safeguard Provisions

The Rule includes provisions that act as a safeguard, limiting the Company’s potential loss or liability. An untimely filing under Item 1.05 does not lead to a forfeiture of Form S-3 eligibility, and the failure to file the Item 1.05 Form 8-K is not considered a violation of Section 10(b) and Exchange Act Rule 10b-5. 

However, the Rule does not grant exemptions or safe harbors for incidents on third-party platforms, because the SEC states that the obligation to disclose cybersecurity incidents extends to those occurring on third-party systems used by the Company.

Date to Comply with this Requirement

Companies, excluding Smaller Reporting Companies (SRCs), must begin complying with the current reporting of material cybersecurity incidents (on Form 8-K or Form 6-K, as applicable) on December 18, 2023.

SRCs have been granted an additional 180 days and must commence compliance with Form 8-K reporting of material cybersecurity incidents on June 15, 2024.

2. Disclosures of Cybersecurity Incidents in Annual Reports (Risk Management, Strategy and Governance)

In Annual Reports (Form 10-K) filed with the SEC, the Rule requires the Company to describe the processes which it uses to assess, identify, and manage cybersecurity risks; the Board’s oversight of these risks; and management’s role in assessing and managing these risks. 

Risk Management and Strategy

The Rule introduces a new Item 106 of Regulation S-K which requires a description of the Company’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. 

We note that the Rule requires the disclosure of “processes” rather than “policies and procedures,” meaning that even if the Company lacks a formal written policy, it will still have to disclose its actual cybersecurity practices. The SEC notes that using the term “processes” avoids the disclosure of operational details that could be exploited by malicious actors.

In compliance with the newly introduced Item 106, while providing such disclosure, the Company is required to address, as applicable, the following non-exclusive list of disclosure items: 

  1. Whether and how the described processes have been integrated into the Company’s overall risk management system or processes;

  2. Whether the Company engages assessors, consultants, auditors, or other third parties in connection with any such processes;

  3. Whether the Company has processes to oversee and identify material risks from cybersecurity threats associated with its use of third-party service providers; and

  4. Whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition and if so, how.

Governance

Further, the Company is required to disclose information related to the Board and management’s roles relating to cybersecurity.

For the Board, the Company is required to describe: 

  1. The Board’s oversight of risks from cybersecurity threats and, if applicable, any Board committee or subcommittee responsible for such oversight, and 

  2. The processes by which the Board or Board committee is informed about such risks. 

Regarding the role of management, the Company is required to describe management’s role in assessing and managing material risks from cybersecurity threats, with such disclosure addressing, as applicable, the following non-exclusive list of disclosure items: 

  1. Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as is necessary to fully describe the nature of the expertise. The relevant expertise of management may include prior work experience in cybersecurity; any relevant degrees or certifications; and any knowledge, skills, or other background in cybersecurity;

  2. The processes and frequency by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and/or

  3. Whether such persons or committees report information about such risks to the Board or a Board committee or subcommittee.

Date to Comply with this Requirement

All reporting companies must incorporate cybersecurity risk management, strategy, and governance disclosures in their annual reports for fiscal years ending on or after December 15, 2023.

3. Foreign Private Issuers 

Amendments to Form 20-F introduce disclosure obligations for foreign private issuers that parallel those applicable to domestic issuers under Regulation S-K Item 106. Additionally, the Rule adds “material cybersecurity incidents” to the items that may trigger a current report on Form 6-K. Foreign private issuers are also required to submit on Form 6-K details concerning material cybersecurity incidents disclosed or made public in a foreign jurisdiction, to any stock exchange, or to security holders.

4. Inline eXtensible Business Reporting Language (“Inline XBRL”) Tagging Requirement

All new disclosure requirements must be tagged in Inline XBRL (including block text tagging for narrative disclosures and detail tagging for quantitative amounts), with a staggered compliance date of one year (i.e., beginning one year after the initial compliance date for the applicable disclosure requirement). This can be managed by the Company’s EDGAR filing agent.

DISCLOSURE OBLIGATIONS UNDER THE RULE

CONCLUSION

It is imperative to comply with the Rule and to establish systems and processes that support ongoing compliance. This may involve continuous monitoring, assessment, and improvement of cybersecurity measures. A commitment to these practices not only aligns with regulatory expectations but may also position the Company as a responsible and secure entity.

This memo is intended for general information purposes and should not be construed as legal advice. If you have questions or would like more insights on the topic discussed herein, please contact any of the following members of our Corporate & Securities team at (949) 788-8900 or directly at their email addresses as follows:

  • Lynne Bolduc, Partner (lbolduc@fkbrlegal.com) 

  • Josephine Aranda, Senior Associate (jaranda@fkbrlegal.com)

  • Ikechukwu Ubaka, Associate (iubaka@fkbrlegal.com)
