Takeaways

  • The SEC’s Final Rules require public companies to report a material cybersecurity incident within four business days of determining such incident to be material, subject only to exceptions on national security and public safety grounds.
  • While the rules allow for delays in notification when there is a national security issue, it is unclear whether companies will be able to readily rely on that exception.
  • Public companies and foreign private issuers are also required to make periodic disclosures about their cybersecurity risk management, strategy and governance.

On July 26, the U.S. Securities and Exchange Commission (SEC) adopted Final Rules that require public companies (registrants) and foreign private issuers to disclose material cybersecurity incidents promptly and to make periodic disclosures of their cybersecurity risk management, strategy and governance in annual reports. As we previously noted, the Final Rules add powerful arrows in the quivers of SEC Chair Gary Gensler and the SEC’s Enforcement Division to regulate cybersecurity as part of its mission of maintaining orderly markets. With their adoption, the Final Rules further bolster the SEC’s attempts to serve as the “cyber cop” on the Wall Street beat.

The Final Rules will take effect 30 days after the SEC’s adopting release is published in the Federal Register. All registrants must comply with the new requirement to provide annual disclosures beginning with annual reports for the fiscal years ending on or after December 15, 2023. Additionally, all registrants (other than smaller reporting companies) will be required to disclose material cybersecurity incidents in Form 8-K or in Form 6-K by December 18, 2023. Smaller reporting companies have until June 15, 2024, to comply with this requirement. 

The Final Rules in a Nutshell
The Final Rules (accessible here and summarized in the SEC’s accompanying fact sheet) largely track the proposed rules that the SEC had put forward in March 2022, but contain important changes in response to comments that the SEC has received. Many commentators will view these changes as surprising, as market participants generally believed that Chair Gensler would be reluctant to alter the SEC’s original substantive proposal. In general terms, the Final Rules require registrants to:

  • Disclose in Item 1.05 on Form 8-K “any cybersecurity incident they determine to be material” and to “describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations.”
  • Determine the “materiality of an incident without unreasonable delay following discovery and, if the incident is determined [to be] material, file an Item 1.05 Form 8-K generally within four business days of such determination.” (Emphasis added.)
  • Describe, under Regulation S-K Item 106, the processes by which registrants assess, identify and manage material risks from cybersecurity threats, as well as “whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant.”
  • Describe, under Regulation S-K Item 106, the “board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.”

If the U.S. Attorney General determines that “immediate disclosure” of a cybersecurity incident would “pose a substantial risk to national security or public safety,” however, disclosure may be delayed. The Final Rules contemplate successive delay periods lasting 30 or 60 days, depending on whether circumstances pose a continued substantial risk to national security or public safety. Additional delays beyond those periods may be granted only by exemptive order of the SEC if, for example, malicious actors would benefit by learning that their activities had been discovered. It is unclear at this time, however, what criteria the U.S. Attorney General will use when determining whether a “substantial risk to national security or public safety” exists, much less whether such risk is sufficient to request any delay. Accordingly, it is premature to assume that the national security/public safety exception will be readily available. 

The Final Rules also impact foreign private issuers, who will be required to provide information on “material cybersecurity incidents” that they “make or are required to make public or otherwise disclose in a foreign jurisdiction to any stock exchange or to security holders” in amended Form 6-K. Furthermore, under amended Form 20-F, foreign private issuers will be required to make “periodic disclosure comparable to that required” in new Item 106.

Notably, the Final Rules do not include—as the SEC had originally proposed—a requirement that registrants disclose “the incident’s remediation status, whether it is ongoing, and whether data were compromised.”

Preparing for Compliance with the Final Rules
In the coming weeks and months, companies must prepare for the new disclosure requirements mandated by the Final Rules. Preparations should include assessing the adequacy of existing security protocols as well as disclosure controls and procedures designed to ensure that material cyber matters are elevated within the company. Companies must be prepared to make prompt disclosures to investors if they experience a material cybersecurity incident.

Management should, for example, bring its understanding of cyber risks up to date, so that determinations about the materiality of a cybersecurity incident can be made in a timely manner. Management’s familiarity with cyber risks will not only aid in the determination of whether a specific incident has a material impact, but also help to ensure that proper disclosure is made within the required timeframe of four business days after the materiality determination. The SEC considers the four-day disclosure timing to be “workable” because it expects companies to “have the information required to be disclosed” under the Final Rules “as part of conducting [their] materiality determination[s].” Companies should, therefore, include consideration of the financial impact of a cybersecurity incident as part of their materiality analyses, so that information about an incident’s impact on financial conditions and results of operations is ready when the disclosure requirement is triggered.

Further practical steps to prepare for compliance with the Final Rules will be prudent, as we discussed here. Among other things, companies should streamline their internal reporting processes when a cybersecurity incident is identified, so that information gathered about an incident—especially as it is being investigated—is channeled accurately and efficiently to management. Although the Final Rules do not separately create or otherwise affect a registrant’s duty to update its prior disclosures of a cybersecurity incident, the SEC expects registrants to satisfy their duties to correct prior disclosure that the registrant determines was untrue or omitted a material fact necessary to make the disclosure not misleading at the time it was made, and to update disclosures that become materially inaccurate after they are made. Companies should, therefore, revisit their cybersecurity incident reporting policies to strengthen their ability to refresh previous disclosure in the light of new information that is collected during an ongoing investigation.

It is also vital that a company’s board, and any board committee responsible for cybersecurity and SEC reporting oversight, be involved in the process of preparing for compliance with the new rules. The Final Rules require periodic disclosure of “board of directors’ oversight of risks from cybersecurity threats,” so it is critical that directors have, as we have previously noted, an appropriate understanding of cyber risks. Additionally, designating a chief information security officer within the board’s governance structure will further strengthen the board’s ability to take appropriate action in the light of the Final Rules’ disclosure requirements. For these reasons, we recommend that directors be alerted to the SEC’s new disclosure requirements, so that timely disclosure of material incidents can be made on Form 8-K, and cybersecurity governance and oversight disclosures can be made in the company’s periodic SEC reporting.

Moreover, as discussed above, companies should not count on their ability to obtain government permission to delay disclosure of a cybersecurity incident on national security or public safety grounds. The SEC’s explanation of its Final Rules emphasizes that an appropriate balance must be struck between security concerns and investors’ needs for prompt disclosure. If disclosure causes significant risks of harm, delay is likely warranted. Conversely, absent substantial risk to national security or public safety, companies will be required to make prompt disclosures.

The SEC’s long-awaited cyber-regulatory overhaul is here. Now, more than ever, public companies should bring their cybersecurity policies, procedures and controls into line with the SEC’s expectations so that registrants satisfy their disclosure obligations (among other obligations) under the Final Rules.

Pillsbury’s Cybersecurity Capabilities
Pillsbury’s multidisciplinary team of cybersecurity and securities lawyers provides clients with strategic counseling to boards, financial institutions, management teams and various regulated entities on a broad range of cybersecurity and securities-related issues and strategies in light of SEC rulemaking. To reach a member of the team with questions or concerns, please contact any author of this alert.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.