SEC Adopts Final Rules to Enhance Cybersecurity Disclosure
Jul 31 2023
On July 26, 2023, the SEC adopted new rules [1] to enhance and standardize disclosures pertaining to cybersecurity risk management, strategy, governance, and material cybersecurity incidents.
The SEC's decision to introduce these amendments follows prior interpretive guidance issued in 2011 [2] and 2018 [3] on the application of existing disclosure requirements to cybersecurity risks and incidents. Despite improvements in cybersecurity-related disclosures, the SEC observed inconsistency in reporting practices. The objective of the new rules is to achieve uniform, comparable, and decision-useful disclosures that allow investors to make well-informed evaluations of a company's cybersecurity posture.
Under new Item 1.05 of Form 8-K, public companies must disclose any cybersecurity incident they determine to be material. The disclosure must describe the material aspects of the nature, scope, and timing of the incident, as well as its material impact or reasonably likely material impact on the company, including its financial condition and results of operations. The Form 8-K must be filed within four business days after the company determines that the incident is material, and that materiality determination must be made without unreasonable delay after discovery of the incident. Notable changes from the proposed rule include the following:
Under new Item 106 of Regulation S-K, companies must describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats. In providing this disclosure, companies should address, as applicable:
Companies must also disclose whether any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company, and if so, how. The new rule also requires companies to disclose the board of directors' oversight of risks from cybersecurity threats and management's role and expertise in assessing and managing a company’s material risks from cybersecurity threats. Notable changes from the proposed rule include the following:
The final rules will take effect thirty (30) days after publication in the Federal Register. Compliance deadlines for different disclosure requirements noted above are as follows:
Form 8-K Item 1.05: Companies other than smaller reporting companies must comply on the later of 90 days after publication in the Federal Register or December 18, 2023. Smaller reporting companies must comply beginning on the later of 270 days from the effective date of the rules or June 15, 2024.
Regulation S-K Item 106: All companies must provide the required disclosures in their annual reports for fiscal years ending on or after December 15, 2023.
Companies must tag disclosures required under the final rules in Inline XBRL starting one year after initial compliance with the related disclosure requirement.
In advance of the new disclosure requirements, public companies should review and update their disclosure controls and procedures so that cybersecurity incidents are escalated promptly to the personnel responsible for materiality determinations, and should prepare draft disclosures of their cybersecurity risk management, strategy, and governance for review and alignment with internal departments and external advisors.
If you have any questions, please contact members of our Data Security Team and Public Company Advisors Team who authored this alert or the Womble Bond Dickinson attorney with whom you usually work.
[1] See Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Final Rule, Release No. 33-11216 (July 26, 2023), https://www.sec.gov/rules/final/2023/33-11216.pdf
[2] See CF Disclosure Guidance: Topic No. 2, Cybersecurity (October 13, 2011), https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
[3] See Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release No. 33-10459 (February 26, 2018), https://www.sec.gov/rules/interp/2018/33-10459.pdf