On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) adopted new rules specifying enhanced disclosure regarding cybersecurity risk management, strategy, governance, and incident disclosure. The SEC first proposed new cybersecurity rules back in March 2022. The agency’s comments to the final rule suggest that greater disclosure and improved consistency of disclosures will benefit investors. Several of the key aspects of the final rules are outlined below; they will probably be navigable for organizations with meaningful incident response and evaluation experience as well as robust risk management programs that already include and evaluate cybersecurity.

Material Cybersecurity Incidents

Registrants must file a Form 8-K disclosing any cybersecurity incident that is determined to be material within four business days of this determination. “Material” has the same meaning under existing securities laws and the threshold for disclosure does not change under the final rule. Specifically, to describe the material aspects of the incident, Item 1.05 on the Form 8-K will require registrants to describe the nature, scope, and timing of the cybersecurity incident, as well as the reasonably likely material impact on the registrant, including on its financial condition and results of operations.

The new rules require registrants to amend a prior Item 1.05 disclosure if new information is discovered after the initial Form 8-K filing. The draft rules contained a more prescriptive approach which critics suggested could be confusing and unworkable in practice, especially in light of the need to make disclosure-related decisions frequently on limited and potentially inaccurate information. The final rule gives some breathing room by streamlining Item 1.05 to focus the disclosure primarily on the impacts of a material cybersecurity incident, rather than on requiring details regarding the incident itself.

While the four-day period is a notable change from the current status quo, there are several provisions that may protect registrants from liability if disclosure is delayed beyond the four-day window. First, there is an exception to immediate disclosure if the United States Attorney General determines it would pose a national security or public safety risk. Second, the untimely filing of an Item 1.05 Form 8-K will not result in the loss of Form S-3 eligibility. Likewise, the SEC adopted, as proposed, amendments to Rules 13a-11(c) and 15d-11(c) under the Exchange Act to include new Item 1.05 in the list of Form 8-K items eligible for a limited safe harbor from liability under Section 10(b) or Rule 10b-5 under the Exchange Act. Still, the commentary accompanying the new rule makes clear that registrants must act without undue delay to determine whether a particular incident is material.

The new rules also require foreign private issuers to submit a Form 6-K with information on material cybersecurity incidents that they disclose or publicize in a foreign jurisdiction, to any stock exchange, or to security holders.

Cybersecurity Risk Management & Strategy Disclosures

Under the newly adopted Regulation S-K Item 106 in a registrant’s Form 10-K, registrants must describe their processes for the “assessment, identification, and management of material risks from cybersecurity threats, and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition.” This marks a notable change from the proposed rules’ focus on the disclosure of “policies and procedures.” The change in approach may allow companies to implement policies that are more practical rather than performative.

Governance and Board Oversight Disclosures

Registrants must describe the board’s oversight of risks from cybersecurity threats as well as management’s role in assessing and managing material risks from cybersecurity threats and, if applicable, “identify any board committee or subcommittee responsible” for such oversight “and describe the processes by which the board or such committee is informed about such risks,” under Item 106(c) in a registrant’s Form 10-K. The Final Rule notes that they “have streamlined Item 106(c) to require disclosure that is less granular than proposed.” For that reason, the SEC explains that Item 407(h) and Item 106(c)(1) serve distinct purposes. Item 407(h) requires description of the board’s leadership structure and administration of risk oversight generally, and Item 106(c)(1) requires detail of the board’s oversight of specific cybersecurity risk. Moreover, under Item 106(c)(2) registrants must “[d]escribe management’s role in assessing and managing the registrant’s material risks from cybersecurity threats.”

Importantly, there is no requirement for a disclosure regarding whether an organization has a Chief Information Security Officer or whether any of its board members have cybersecurity expertise. The draft rule had proposed similar requirements, and the final rule appears to recognize that if, whether, and when cybersecurity is a material risk to an individual registrant is something boards and management are likely in the best position to evaluate in the first instance. The final rule also reflects more closely the perspective advanced by the National Association of Corporate Directors and its defense of the business judgment rule.

Effective Date and Timing

The final rules will become effective 30 days following publication of the adopting release in the Federal Register. However, registrants and foreign private issuers will have a bit more time to prepare for the above risk management, strategy, and governance disclosures, which will be due beginning with annual reports for fiscal years ending on or after December 15, 2023, and for the cybersecurity incident disclosures, which will be effective beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023. While smaller reporting companies are still required to comply with the requirements under the new rules, they will also have an additional 180 days before they must provide Form 8-K disclosures.

Guidance and Emerging Practices to Comply with the SEC’s New Rules and Related Risk Management

The new rules provide helpful quantitative and qualitative factors for companies to consider in making their materiality determinations, but they do not address the fact that, in practice, companies often make Form 8-K incident disclosures before they have all the information required to assess materiality.

These too-early disclosures are sometimes made in an effort to minimize the risk of consumer class actions alleging that companies waited “too long” to disclose. While these lawsuits will undoubtedly continue to be filed, some commentators believe the presence of these additional disclosure requirements may lead to improved and enhanced focus on cybersecurity risk management and disclosure. Besides class action-related risks, registrants often feel it necessary, for commercial reasons, to disclose the occurrence of an incident to customers because of the potential compromise of personal information (which may also trigger consumer or other state and federal regulatory notifications).

Ultimately, the appropriate cybersecurity measures may largely depend on the organization itself and the nature of the risks it faces, which ordinarily will vary from company to company and industry to industry. Under the SEC’s new rules, both prompt disclosure and precision will continue to be important in responding to incidents, with the new rules providing some helpful interpretive guidance to the SEC-related disclosure considerations and timelines.