SEC Rules Impose New Four-Day Reporting Requirements for Cybersecurity Incidents
The Securities and Exchange Commission (“SEC”) voted on July 26, 2023 to adopt new cybersecurity rules, which are aimed at helping investors better understand the cybersecurity risks associated with public companies by requiring those companies to make public disclosures about cybersecurity incidents and cybersecurity risks. Importantly, the rules require publicly traded companies to disclose a cybersecurity incident within four business days of determining that the incident is material. The SEC initially proposed the rule in March 2022, with the final comment period closing in April 2023. The final rule was adopted by a divided SEC (3-2) this week.
Disclosure of Cybersecurity Incidents
The rules do not create a cybersecurity-specific definition of “material”; materiality is judged under the existing securities-law standard, i.e., whether there is a substantial likelihood that a reasonable investor would consider the incident important, which in practice turns on the incident’s impact on the company’s business, financial condition, or results of operations. A “cybersecurity incident” is defined broadly as an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through the company’s information systems that jeopardizes the confidentiality, integrity, or availability of those systems or the information on them, so a string of individually minor intrusions may need to be assessed together. Under this standard, material cybersecurity incidents must be disclosed within four business days of the determination that the incident is material. The clock runs from the materiality determination rather than from discovery, but that determination must be made without unreasonable delay after discovery, so the assessment cannot be deferred to buy time. The disclosure deadline can be delayed only where the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing.
Registrants must disclose the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations. The rules do not require disclosure of specific technical information about the registrant’s planned response, its systems and networks, or potential vulnerabilities in such detail that it would impede response or remediation.
With the short, four-business-day disclosure timeline, the goal is for investors to be given a timely opportunity to reevaluate investment decisions based on the risks presented by a cybersecurity incident.
These disclosures will be required on a company’s Form 8-K beginning either 90 days after the rule’s publication in the Federal Register or on December 18, 2023, whichever is later. Note, however, that smaller reporting companies will have an extra 180 days before they are required to make these disclosures. The rules require comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents.
Disclosure of Risk Management, Strategy, and Governance Regarding Cybersecurity Risks
The rules also require registrants to describe the processes for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.
Registrants must also describe the board’s oversight of risks from cybersecurity threats, identify any board committee or subcommittee responsible for such oversight, describe the processes by which the board or such committee is informed about such risks, and describe management’s role and expertise in assessing and managing those risks.
These disclosures will be required annually on Form 10-K covering fiscal years ending on or after December 15, 2023. The rules require comparable disclosures by foreign private issuers on Form 20-F for cybersecurity risk management, strategy, and governance.
While digesting the new rule, companies should consider the following takeaways:
- Even the most technically sophisticated information security team will find it difficult to collect sufficient evidence to provide definitive notice of a cybersecurity incident in only four business days, particularly when the materiality determination itself must be made without unreasonable delay after discovery. Companies should be prepared for continued “Monday-morning-quarterbacking” from regulators regarding good faith incident responses.
- The best way to improve incident response (and meet a four-business-day reporting period) is to develop a comprehensive incident response policy, routinely test it via tabletop exercises, and adapt it to evolving conditions.
- Incident response policies should be updated to include a “materiality” analysis (including aggregation of related incidents), the four-business-day SEC reporting deadline, documentation obligations (for subsequent reporting), and subsequent 8-K and 10-K reporting.
- Disclosure requirements include describing board oversight and management’s role in assessing and managing material risks. Companies that have underinvested in cybersecurity, or that have siloed responsibilities with little management involvement, should be prepared for those gaps to become visible in their disclosures.
- Companies should consider how to appropriately educate board members and investors on ongoing cybersecurity initiatives without compromising confidentiality or company trade secrets.
- Companies that fail to timely notify the SEC of material incidents may face SEC regulatory enforcement scrutiny, such as investigations or potentially fines, to the extent the failure to report may be deemed misleading to investors.
- While the rule targets public companies, private companies may consider similarly evaluating their incident response programs as industry trends (and often contracts) are moving to shorter notice periods.
For guidance and advice on implementing changes to your incident response program in light of this SEC rule or other changing laws, please contact any member of the Quarles & Brady Data Privacy & Security Team, your Quarles attorney or: