A significant and increasing share of economic activity depends on digital technology and electronic communications. Cybersecurity risks and incidents can affect a company's financial performance or position, and they are a major focus for investors, who want information on how companies manage those risks.
To address investor demand for information about registrants' cybersecurity risk management, strategy, and governance practices, the SEC issued final rule Release No. 33-11216, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.
Before these rules, no disclosure requirement in Regulation S-K or Regulation S-X explicitly referred to cybersecurity risks or incidents. The SEC staff observed that cybersecurity risks were most often disclosed in the risk factor section of a domestic registrant's annual report on Form 10-K.
Because those disclosures are often blended with unrelated risk factors, investors may find it difficult to locate, interpret, and analyze the information provided.
The requirements are intended to enhance and standardize annual disclosures regarding cybersecurity risk management, strategy, and governance, and of cybersecurity incidents.
The final rules add a requirement to report material cybersecurity incidents on Form 8-K.
Risk Management, Strategy and Governance
The final rules require annual disclosures on Form 10-K regarding cybersecurity risk management, strategy, and governance.
The rules amend Form 10-K by adding Item 106(b) to Regulation S-K, which requires a registrant to describe its processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, in sufficient detail for a reasonable investor to understand those processes, including whether:
- The described cybersecurity processes are integrated into the registrant's overall risk management system or processes
- The registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes
- The registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider
Item 106(b) also requires a registrant to describe whether and how any cybersecurity threats, including previous cybersecurity incidents, have materially impacted or are reasonably likely to materially impact its business strategy, results of operations, or financial condition.
New Item 106(c) to Regulation S-K further amends Form 10-K by requiring a registrant to describe the board's oversight of risks from cybersecurity threats, including the following information:
- Describe board’s oversight of cybersecurity risk
- Identify any board committee or subcommittee responsible for such oversight
- Describe the processes by which the board or committee is informed about such risks
Item 106(c) also requires a registrant to describe management's role in assessing and managing material risks from cybersecurity threats, including:
- Management positions or committees responsible for assessing and managing such risks, and relevant expertise of such persons or members in enough detail to fully describe the nature of the expertise
- Processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents
- Whether such persons or committees report information about such risks to the board of directors, committee, or subcommittee of the board of directors
Material Cybersecurity Incidents
The final rules add new Form 8-K Item 1.05, which requires disclosure of information about a material cybersecurity incident within four business days of the registrant determining that the incident is material. A registrant must make that materiality determination without unreasonable delay after discovering the incident.
Cybersecurity incident is defined broadly and includes a series of related unauthorized occurrences. Item 1.05 may therefore be triggered by multiple related events that, compounded over time, have a material impact when considered together, even if no individual event would be material on its own.
To the extent possible, the following information is required to be disclosed under Item 1.05(a):
- Description of the basic identifying details, including the material aspects of the nature, scope, and timing of the cybersecurity incident
- Material impact or reasonably likely material impact on the registrant’s financial condition and results of operations
A registrant isn't required to disclose specific or technical information about its planned response to the incident, or about its cybersecurity systems and potential vulnerabilities, in such detail as would impede its response or remediation.
In limited circumstances, the Form 8-K Item 1.05 filing may be delayed if the US Attorney General determines, and notifies the SEC in writing, that immediate disclosure would pose a substantial risk to national security or public safety.
Instruction 2 to Item 1.05 of Form 8-K requires a registrant to identify in its initial Form 8-K any information required under Item 1.05(a) that wasn't determined or was unavailable at the time of filing. The registrant must then file an amendment to its Form 8-K within four business days after it determines that information or the information becomes available.
Compliance Dates: Risk Management, Strategy, and Governance
All registrants must provide the risk management, strategy, and governance disclosures required by Item 106 of Regulation S-K beginning with annual reports for fiscal years ending on or after December 15, 2023.
Compliance Dates: Material Cybersecurity Incident Disclosures
All registrants other than smaller reporting companies must comply with Item 1.05 of Form 8-K beginning December 18, 2023.
Smaller reporting companies have an additional 180 days and must comply with Item 1.05 of Form 8-K beginning June 15, 2024.
We’re Here to Help
For more information on how the final SEC rules regarding cybersecurity may affect your business, contact your Moss Adams professional.