SEC Adopts Rule Regarding Cybersecurity Incident Reporting

November 17, 2023

The U.S. Securities and Exchange Commission (the “SEC”) adopted new rules aimed at enhancing cybersecurity incident reporting by public companies. Specifically, a public company will be required to disclose:

  • in its annual report on Form 10-K or Form 20-F, its internal processes for assessing, identifying and managing material cybersecurity threats; and
  • in its periodic reports on Form 8-K or Form 6-K, any “material cybersecurity incident.”

Under the adopted rules, a “cybersecurity incident” is defined as an “unauthorized occurrence, or series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein” and a “cybersecurity threat” is defined as “any potential unauthorized occurrence on or conducted through a registrant’s information systems that may result in adverse effects on the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” [1]

I. Disclosure Requirements

Annual Reports on Form 10-K and 20-F

New Item 1C (“Cybersecurity”) requires an issuer completing its annual report on Form 10-K to furnish the information required by Item 106 of Regulation S-K.

New Item 16K (“Cybersecurity”) requires an issuer completing its annual report on Form 20-F to furnish certain information relating to a company’s cybersecurity risk management. The language of Item 16K mirrors that of Item 106 of Regulation S-K.

Companies will be subject to two new annual disclosure requirements.

Risk Management and Strategy

Under Item 106(b) or Item 16K(b) a company must describe:

(i) Its processes (if any) for the assessment, identification and management of material risks from cybersecurity threats. This disclosure should address:

  • how such processes have been integrated into a company’s overall risk management system;
  • whether a company has engaged any consultants, advisors or third parties in connection with its cybersecurity risk management system; and
  • whether a company has processes to oversee and identify any cybersecurity risks that may result from a company’s use of a third-party service provider.

(ii) Whether and how any risks from cybersecurity threats have materially affected (or are reasonably likely to materially affect) a company’s business strategy, results of operations or financial condition.

Governance

Under Item 106(c) or Item 16K(c) a company must describe:

(i) How its board of directors oversees risks from cybersecurity threats, including whether any committee or subcommittee is responsible for the oversight of risks from cybersecurity threats and the processes by which the board of directors or such committee is informed about such risks.

(ii) Management’s role in assessing and handling material risks from cybersecurity threats. This disclosure should address:

  • which management positions (if any) are responsible for assessing and managing material cybersecurity risks and the relevant expertise of such responsible persons;
  • how management is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents; and
  • whether management reports information about such risks to a company’s board of directors or a committee thereof.

Issuers filing annual reports on Form 10-K or Form 20-F must provide disclosure under Item 1C and Item 16K, respectively, beginning with annual reports for fiscal years ending on or after December 15, 2023.

Current Reports on Form 8-K and 6-K

For domestic filers, the rules add new Item 1.05 (“Material Cybersecurity Incidents”) to Form 8-K. The new Item requires the issuer to report any material cybersecurity incident within four business days after determining that the incident is “material.” The disclosure must describe:

  • the material aspects of the nature, scope and timing of the incident; and
  • the impact or reasonably likely impact on the company, including any impact on its financial condition and results of operations.

There are two exceptions to the reporting requirement. A company reporting a cybersecurity incident under Item 1.05 is not required to disclose: (1) specific or technical information about the company’s planned response to the incident or its cybersecurity systems, networks and technology, and (2) any vulnerabilities thereof, in such detail as would impede the company’s ability to remedy or respond to the incident. In addition, a public company may delay disclosure of a material cybersecurity incident for up to 30 days if the U.S. Attorney General informs the SEC that disclosure would pose a substantial risk to national security or public safety, and this period could be extended by another 60 days in extraordinary circumstances. The new rule also aligns with the Federal Communications Commission’s notification requirements regarding breaches of customer proprietary network information by allowing a delay in reporting such an incident in order to comply with FCC requirements.

The SEC did not define what makes a cybersecurity incident “material.” Instead, the SEC instructs public companies to use the same analysis as they would use for other securities law purposes, as described in greater detail below.

Domestic issuers must be compliant with cybersecurity incident reporting on Form 8-K by December 18, 2023.

Foreign private issuers have more flexibility in publicly reporting material cybersecurity incidents on Form 6-K. Foreign private issuers should be guided by the Form 8-K requirements and, as with all other reporting under Form 6-K, if a cybersecurity incident is required to be reported under a company’s home country rules or on any stock exchange where the company’s securities are traded, or is otherwise provided to security holders, the incident also is required to be furnished on Form 6-K.

With respect to compliance with the structured data requirements, all registrants must tag disclosures required under the final rules in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.

II. Materiality Determination

A public company is only required to report those cybersecurity incidents that it deems to be “material”. The adopted rules do not define when a cybersecurity incident is considered “material” or provide any bright line tests. However, the SEC provided the following guidelines and considerations for companies when analyzing incidents and making materiality determinations.

  • The SEC expects companies to apply the “reasonable investor” standard to any analysis, explaining in the final rule that under such standard “information is material if ‘there is a substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision, or if it would have significantly altered the ‘total mix’ of information made available.” [2] Companies should consider both the immediate and long-term impacts of a given cybersecurity incident or breach, including effects on a company’s operations, financial condition, reputation, competitiveness and customer relationships. Companies should also consider whether the incident could potentially or is likely to result in litigation or regulatory investigation.
  • As described above, the definition of “cybersecurity incident” extends to a “series of related unauthorized occurrences,” which may include repeated smaller but continuous cyberattacks by one actor, or a series of related attacks targeting the same vulnerability in a company’s systems by multiple actors. In such scenarios, the actions collectively may have a material impact on the company.
  • Not all cybersecurity incidents result in quantifiable harm; however, the SEC notes that unquantifiable harms to employees, customers, individuals, third parties or a company’s reputation could result in a determination that the incident was material.
  • The SEC has also stressed that the fact that the incident did not occur on a company’s internal systems does not mean an incident is immaterial for reporting purposes. Therefore, a breach occurring on a third-party system that housed the company’s data could still be considered material to the company.

Foreign private issuers required or choosing to report any cybersecurity incident on Form 6-K should consider the same guidelines in their materiality determinations.

III. Practical Suggestions for Compliance

While reporting under the adopted rules will not impact companies until the end of the year, we recommend issuers begin preparing for the reporting requirements by considering the following:

Establish an Incident Detection and Response Plan

  • A company should establish or update its incident response plan to: (1) identify potential cybersecurity incidents; (2) contain, remedy and respond to incidents; (3) assess the materiality of such incidents (both individually and in the aggregate); and (4) disclose material incidents (if relevant or necessary).
  • If a company engages third-party providers, it should ensure that there is sufficient communication between management and representatives of that third-party provider, as well as an established plan of action for detecting and remedying cybersecurity breaches on the provider’s systems, so as to avoid any cybersecurity threats or incidents being left undetected.
  • A company’s incident response plan should be distributed to company management and board of directors.

Record Keeping

  • In view of the short time period between a registrant’s determination that an incident is material and the requirement to report that incident on a Form 8-K for domestic issuers (and, in certain instances, on Form 6-K for foreign private issuers), company management assigned to cybersecurity oversight procedures should carefully document relevant dates including, but not limited to, the cybersecurity breach, remediation of such breach and determination of materiality (or immateriality). It is important and best practice to establish and maintain a cohesive timeline for any material incidents for internal record keeping purposes, as well as any public reporting purposes. Companies should take necessary steps to keep any such communications confidential.

Establish a Board of Directors Risk Management Program

  • A company should establish or update the board of directors’ risk management program/plan to ensure it encompasses cybersecurity issues, including cybersecurity incident detection and reporting, as relevant to the newly adopted SEC rules. A company should also consider assigning risk management of cybersecurity issues to a relevant committee of the board of directors, such as a corporate governance committee (if already established).

Draft Required Disclosures for Inclusion in Next Annual Report

  • Once a company is near the end of its fiscal year, it should prepare the relevant disclosure to include in its annual report. Seward & Kissel LLP is available to assist in drafting and reviewing such disclosure.

______________________________________________________

[1] These terms are defined in new Item 106(a) of Regulation S-K, as adopted by the SEC.

[2] Quoting TSC Industries, Inc. v. Northway, Inc. (426 U.S. 438, 449 (1976)).