New SEC Rule Expanding Cyber Security Related Disclosures
On July 26, 2023, the U.S. Securities and Exchange Commission (the “SEC”), to create uniformity across registrant disclosures and incident reporting, released final rules (the “Final Rule”) requiring registrants (subject to the reporting requirements of the Securities Exchange Act of 1934, as amended), including business development companies and foreign private issuers (“FPIs”), to report (a) cybersecurity incidents in a Form 8-K (or in a Form 6-K for foreign issuers), (b) their policies and procedures for assessing, identifying and managing cybersecurity threats in their annual Form 10-K (or in an annual Form 20-F for foreign issuers), and (c) present the cybersecurity disclosures in Inline eXtensible Business Reporting Language.
Form 8-K and New Item 1.05
Consistent with the SEC’s objective, the Final Rule amends Form 8-K to add a new Item 1.05 (“Item 1.05”), which will require registrants to promptly disclose material cybersecurity incidents.
The new Item 1.05 will require a registrant to describe the material aspects of a cybersecurity incident, including (a) the nature, scope, and timing of the incident; and (b) the impact, or reasonably likely impact, of the incident on the registrant, including on its financial condition and results of operations.
The trigger event date will be the date on which the registrant determines that an incident is material, a determination the registrant must make without unreasonable delay. The registrant will then have four days from the trigger event date to file the Current Report on Form 8-K.
Governance and Oversight
Currently, issuers are not subject to specific disclosure requirements relating to cybersecurity. The Final Rule will add a new Item 106 to Regulation S-K (Item 106(b) and Item 106(c)), which will require specific disclosures in a registrant’s Annual Report on Form 10-K (which may be incorporated by reference).
Item 106(b) will require a description of the registrant’s process for evaluating material cybersecurity risks, including a description of the registrant’s policies and procedures for assessing, identifying and managing cybersecurity threats. The Final Rule provides the following non-exhaustive list of issues to consider:
- whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider;
- whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
- whether and how any such processes have been integrated into the registrant’s overall risk management system or processes.
A registrant must also disclose whether any risks from cybersecurity threats (including those resulting from previous cybersecurity incidents) have materially affected, or are reasonably likely to affect, its financial condition, results of operations or business strategy.
Item 106(c) will require a description of the roles the board of directors and management play in the registrant’s cybersecurity risk management. This includes describing how the board of directors oversees cybersecurity risks and whether and how that oversight is delegated to a committee of the board.
The Final Rule emphasizes that management should focus on risks that are material to the registrant. Although Item 106(c) does not specify which risks are material, the Final Rule provides certain examples, which include intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy laws and other litigation and legal risk; and reputational risk.
Foreign Private Issuers
The Final Rule similarly amends the disclosure obligations of FPIs. Form 6-K is amended to largely mirror the Form 8-K incident-reporting requirements, and Form 20-F is amended to add Part II Item 16K to an FPI’s annual report, which is substantially similar to the reporting obligations of Item 106 described above.
Given the short compliance timeline, registrants should begin evaluating now whether their current cybersecurity policies and procedures are sufficient.
The Final Rule will become effective 30 days after the date of publication in the Federal Register. Public companies must comply with the disclosure requirements in Item 106 beginning with the annual report on Form 10-K or 20-F, as applicable, for fiscal years ending on or after December 15, 2023. Public companies must report cybersecurity incidents on Form 8-K or 6-K under Item 1.05 beginning on the later of 90 days after the date of publication in the Federal Register or December 18, 2023.
Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K or Form 6-K incident disclosure. With respect to the Inline XBRL requirements, registrants must tag the disclosures required under the Final Rule in Inline XBRL beginning one year after that issuer’s initial compliance date for the related disclosure requirement.
Please do not hesitate to contact me at firstname.lastname@example.org or (202) 869-0888 (ext. 115) if you need help evaluating your current cybersecurity risk management practices, developing a compliance timeline or evaluating whether your current cybersecurity policies and procedures are sufficient.