New SEC Cybersecurity Rules: What Public Companies Need to Know

The Securities and Exchange Commission (SEC) has implemented new rules requiring all public companies, including emerging growth companies (EGCs) and smaller reporting companies (SRCs), to disclose material cybersecurity incidents as well as information regarding their cybersecurity risk management, strategies, and governance policies.[1]

Why?

Gary Gensler, SEC Chairman, stresses that consistent cybersecurity disclosure is decision-critical for investors. Therefore, these new rules underscore the necessity for public companies to reinforce their cybersecurity strategies and provide comparable disclosures to maintain investors’ confidence despite increasing cybersecurity threats.[2]

What is New?

The new rules approved by the SEC created additional, specific reporting requirements:

  1. Item 1.05 of Form 8-K, Timely Disclosure of Cybersecurity Incidents: When a registrant experiences a material cybersecurity incident, it must promptly disclose in a Form 8-K the incident’s nature, scope, and timing, and its material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.[3]
    • The determination of materiality must be carried out without “unreasonable delay.” Please see the next section, “Key Details to Remember,” below for the applicable definition of materiality.
    • Form 8-K must be filed within four business days after the registrant has determined that a material cybersecurity incident occurred. Should any of the required information be undetermined or unavailable at the time of the required filing, the registrant must include a statement to that effect in the Form 8-K. Once the missing information is determined after the filing, the registrant must amend the prior Form 8-K to disclose it within four business days after the determination.[4]
    • A national security delay is the only exception under which a company may delay filing: the filing may be delayed if the US Attorney General determines that disclosure poses a substantial risk to national security or public safety and notifies the SEC of that determination in writing.[5]
  2. Item 106(b) of Regulation S-K, Disclosure of Cybersecurity Processes: Requires annual disclosure in Form 10-K of the registrant’s risk management, strategy, and governance, if any, regarding cybersecurity risks. The registrant must describe (1) its process or processes for assessing, identifying, and managing material risks from cybersecurity threats; (2) whether it engages assessors, consultants, or other third parties in connection with any such processes; and (3) whether any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition, and if so, how.[6]
  3. Item 106(c)(1) and (2) of Regulation S-K, Board Oversight and Management’s Expertise: Requires disclosure in Form 10-K of (1) the board of directors’ oversight of risks from cybersecurity threats; (2) where applicable, which board committee or subcommittee is responsible for oversight of cybersecurity risks and the processes by which the board or committee is informed of such risks;[7] and (3) management’s role and expertise in assessing and managing material risks from cybersecurity threats.

Key Details to Remember

  1. The definition of materiality is unchanged. Information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the ‘total mix’ of information made available.”[8]
  2. The definition of cybersecurity incident expressly includes “a series of related unauthorized occurrences.” A cybersecurity incident is therefore an “unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”[9] In practice, this means several smaller intrusions by the same actor, or exploiting the same weakness, may need to be assessed for materiality together rather than one at a time.
  3. Failure to file an Item 1.05 Form 8-K on time will not result in a registrant losing Form S-3 eligibility.[10]

When Do the New Regulations Take Effect?

These new rules are effective thirty (30) days after they are published in the Federal Register. However, the SEC created several transition periods for compliance:

  1. Item 1.05 of Form 8-K: All companies, except SRCs, must comply with the incident disclosure requirements beginning ninety (90) days after the date of publication in the Federal Register or December 18, 2023, whichever date is later.[11]
    • SRCs have an additional 180 days before they must begin providing Item 1.05 disclosures. SRCs will need to comply with the Item 1.05 disclosure requirements beginning 270 days after the date of publication in the Federal Register, or June 15, 2024, whichever date is later.[12]
  2. Item 106 of Regulation S-K: All companies must comply with the disclosure requirements beginning with their first annual report for the fiscal year ending on or after December 15, 2023.[13]
  3. Inline XBRL: With respect to the structured data requirements, all registrants must tag the disclosures required under these rules in Inline XBRL beginning one (1) year after initial compliance with the related disclosure requirement.[14] In other words, registrants have a one-year grace period after they first comply with the new disclosure rules before they must “tag” the disclosed data in the Inline XBRL machine-readable format.

What Should Public Companies Do Now?

National governance of cybersecurity has taken a “stick” approach, as these new rules significantly increase the accountability of public companies. Going forward, registrants should assess their existing cybersecurity and disclosure controls and procedures, or work with cybersecurity and disclosure counsel, to prepare and implement reporting and disclosure processes that will comply with these new rules. At a minimum, that means having a documented process for escalating security incidents to the people who make the materiality determination, so that the four-business-day clock can be met once that determination is made.

The ever-changing regulatory landscape can be challenging to navigate. If you have questions about these new rules and their implications for your company, or need counsel on achieving compliance, please contact a member of our Corporate team.


[1] SEC Press Release 2023-139

[2] Id.

[3] Id.

[4] Demian Ahn et al., “SEC Adopts Cybersecurity Disclosure Rules for Public Companies,” Wilson Sonsini, August 1, 2023, https://www.wsgr.com/en/insights/sec-adopts-cybersecurity-disclosure-rules-for-public-companies.html.

[5] Id.

[6] Charles D. Riley et al., “SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure by Public Companies,” Jenner & Block, August 3, 2023, https://www.jenner.com/en/news-insights/publications/sec-adopts-rules-on-cybersecurity-risk-management-strategy-governance-and-incident-disclosure-by-public-companies.

[7] Id.

[8] Rule 405 under the Securities Act of 1933; Rule 12b-2 under the Securities Exchange Act of 1934.

[9] Ahn, “SEC.”

[10] Id.

[11] Riley, “SEC.”

[12] Id.

[13] Id.

[14] SEC Press Release 2023-139.
