On July 26, 2023, the U.S. Securities and Exchange Commission (SEC or Commission) finalized its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule for public companies (the "Final Rule") by a 3-2 vote along party lines. The Final Rule will require public companies to disclose "material" cybersecurity incidents within four business days from when a determination is made that the incident is material. The SEC's vote to approve the Final Rule yesterday came as a surprise to many because the Commission recently indicated that it was planning to issue the Final Rule, along with a host of other cybersecurity rules, in October 2023. We summarize the Final Rule below.
Disclosure of "Material" Cybersecurity Incidents Within Four Business Days
The SEC first proposed cybersecurity requirements for public companies in March 2022 (the "Proposed Rule"). Since that time, the Proposed Rule's requirement that companies disclose material cybersecurity incidents has garnered the most attention from commenters, other federal agencies and the public (we discussed the Proposed Rule, including the incident disclosure requirement in detail in a prior blog post). Like the Proposed Rule, the Final Rule requires public companies to disclose a material cybersecurity incident via Form 8-K (or Form 6-K for foreign private issuers) within four business days of determining that the cybersecurity incident is "material." Four business days is the standard deadline for disclosing information required on a Form 8-K. However, the Final Rule makes two important revisions to the disclosure obligation as compared to the Proposed Rule. The SEC says those changes are intended to address concerns raised in public comments about the deadline and scope for required disclosures.
First, the Final Rule limits the information required to be disclosed on Form 8-K about a material cybersecurity incident. Companies no longer are required to disclose certain detailed information about the incident and their response and containment activities, such as whether data was stolen and whether the company has remediated or is remediating the incident. Instead, the Final Rule focuses on the incident's impact to an affected company, requiring disclosure of the "material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations." According to the SEC, by requiring a more limited set of information to be disclosed, the Final Rule "better balance[s] investors' needs and registrants' cybersecurity posture."
Second, the Final Rule arguably provides companies with more time to determine whether a cybersecurity incident is material—and therefore whether a disclosure obligation is triggered. The Proposed Rule would have required companies to make a materiality determination "as soon as reasonably practicable." The Final Rule requires that the determination be made "without unreasonable delay." The SEC states that this revision is intended to provide companies sufficient notice that, "though the [materiality] determination need not be rushed prematurely, it also cannot be unreasonably delayed in an effort to avoid timely disclosure." In response to comments to the Proposed Rule that it may take companies a very long time to fully understand the nature and scope of a cybersecurity incident, the SEC emphasizes in the Final Rule that it may be clear that an incident is material well before the company's investigation is complete, such as when a company determines that its "crown jewels" data has been compromised.
Some commentors on the Proposed Rule asked the SEC to define "materiality" and to provide further guidance on determining the materiality of a cybersecurity incident. The SEC declined to do either and instead reiterated that a cybersecurity incident (like other risks or events a corporation might experience) is material if "there is a substantial likelihood that a reasonable shareholder would consider it important" in making an investment decision, or if it would have "significantly altered the 'total mix' of information made available." This is the SEC's standard articulation of materiality based on case law and Commission guidance, including its 2018 "Statement and Guidance on Public Company Cybersecurity Disclosures" and 2011 guidance from the SEC's Division of Corporate Finance on disclosure of cybersecurity risks and incidents. The Final Rule states that the SEC "expect[s] that registrants will apply materiality considerations as would be applied regarding any other risk or event that a registrant faces."
The SEC does advise in the Final Rule that public companies "should consider both the immediate fallout and any longer term effects on its operations, finances, brand perception, customer relationships, and so on, as part of its materiality analysis." Moreover, because a materiality determination is fact-specific, what is material for one company may not be material for another. The SEC noted that when "the same incident [ ] affects multiple companies," it may not become reportable for each company at the same time, "and it may be reportable for some [companies] but not others." The Final Rule further states that materiality must be determined based on both quantitative and qualitative factors(i.e., reputation, customer relationships, etc.), which is consistent with the approach the SEC has taken in enforcement actions related to cyber disclosures (see, e.g. our blog post on the Pearson and First American enforcement actions) and the Commission's prior guidance.
Definition of a "Cybersecurity Incident"
The Final Rule defines a "Cybersecurity Incident" broadly as "an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein." While some commenters on the Proposed Rule expressed concern that the word "jeopardizes" is overly broad and would include incidents that do not actually cause harm, the SEC states in the Final Rule that the definition is appropriate because companies only are required to disclose incidents that they determine are material. Notably, the SEC's definition of a Cybersecurity Incident seemingly is broader than that under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which covers only incidents that "actually jeopardize" systems and data (see our discussion of CIRCIA here).
Limited Law Enforcement Delay
Numerous public comments on the Proposed Rules argued that companies could be forced to put themselves and others at risk by disclosing cybersecurity incidents before they had been contained. In an effort to address at least some of this concern, the SEC included in the Final Rule a provision allowing companies to delay disclosure of a material cybersecurity incident where the U.S. Attorney General determines that disclosure "poses a substantial risk to national security or public safety" and notifies the SEC of that determination. The Attorney General also "may take into consideration other Federal or other law enforcement agencies' findings" when deciding whether a disclosure poses the requisite "substantial risk" to security or safety.
Under the Final Rule, disclosure may be delayed for a time period specified by the Attorney General, but only up to 30 days. Disclosure may be extended for an additional 30 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security or public safety. A further 60-day delay in disclosure may be granted, but only "in extraordinary circumstances." Any disclosure beyond that final 60-day period must be approved by an exemptive order from the SEC.
The SEC states in the Final Rule that the Commission and the Department of Justice have worked "to establish an interagency communication process to allow for the Attorney General's determination to be communicated to the Commission in a timely manner." While that process may reduce some of the burdens on public companies seeking to delay disclosure, it is clear that the Final Rule's delay provision is narrowly drawn. Precisely how narrowly drawn it is will depend on how willing the Attorney General is to determine that an incident poses a substantial risk to national security or public safety. Law enforcement delays under state law, which may be granted simply where law enforcement advises that disclosure could jeopardize an ongoing investigation, are only granted in rare circumstances. It is likely that very few incidents will qualify for a delay under the Final Rule.
Delay Under CPNI Reporting Rule
The Final Rule contains an additional delay provision for telecommunications carriers required to report a breach of customer proprietary network information (CPNI) under the Federal Communications Commission's CPNI breach reporting rule. The CPNI breach reporting rule requires carriers to notify the Federal Bureau of Investigation (FBI) and U.S. Secret Service (USSS) of a CPNI breach within seven business days, and then to wait an additional seven business days before reporting the breach to affected individuals or disclosing it publicly. The Final Rule harmonizes the CPNI breach rule and SEC reporting requirements such that a carrier may wait seven business days after notifying the FBI and USSS of a CPNI breach before disclosing the breach on a Form 8-K (assuming the Final Rule's disclosure requirements have been met). The carrier must notify the SEC of its delay of disclosure on this basis within the standard four-business-day deadline for filing its Form 8-K.
Continued Updates on Cybersecurity Incidents
The Final Rule also changes how public companies are to provide updates on material cybersecurity incidents. The Proposed Rule would have required public companies to provide updates on a cybersecurity incident initially disclosed via Form 8-K on its quarterly 10-Q and annual 10-K. Under the Final Rule, however, companies are required only to amend their 8-K.
Additionally, the Final Rule eliminates a requirement from the Proposed Rule that companies disclose on their 10-Q and 10-K instances "when a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate." In response to concerns that that requirement was too vague and difficult to apply, the Final Rule amends the definition of a "Cybersecurity Incident" to include "a series of related unauthorized occurrences."
Risk Management and Strategy Disclosures
The Final Rule requires public companies to provide on their annual Form 10-K (Form 20-F for foreign private registrants): a description of "the registrant's processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes." In providing that description, the company should address information including (but not necessarily limited to):
- Whether and how any such processes have been integrated into the registrant's overall risk management system or processes;
- Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
- Whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.
Public companies must further provide on their 10-K a description of "whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how."
These requirements make three notable changes from the Proposed Rule. First, while the Final Rule generally trims the required disclosures as compared to the Proposed Rule, it expands them in a key way: it states that the specific required disclosures about the company's cyber risk management and strategy are non-exhaustive, meaning that companies may need to provide more information that may be relevant to a reasonable investor. The Proposed Rule only required companies to make the specific listed disclosures.
Second, the Final Rule makes clear that companies need only describe their processes for addressing material cybersecurity risks (the Proposed Rule required such information regarding cybersecurity risks generally) and whether previous risks or incidents have materially affected the company's cyber risk management and strategy (the Proposed Rule required description of how risks and incidents affected the company generally).
Third, the Final Rule eliminates the requirement to provide certain more detailed information, such as how the company responds to cybersecurity incidents and maintains business continuity. The SEC agreed with some comments that such information could be used by bad actors to target the company.
The Final Rule requires public companies to describe on their Form 10-K the role of both the board of directors and management in cybersecurity risk management. Specifically, companies must describe:
- "[T]he board of directors' oversight of risks from cybersecurity threats," and, "[i]f applicable … any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describe the processes by which the board or such committee is informed about such risks"; and
- "[M]anagement's role in assessing and managing the registrant's material risks from cybersecurity threats," including (but not necessarily limited to):
- "Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
- The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
- Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors."
The Final Rule notably limits what companies must disclose about their boards of directors' involvement in cybersecurity as compared to the Proposed Rule. In particular, the Final Rule eliminates required descriptions of "whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight," the frequency of board discussions on cyber risks, and board's cybersecurity expertise. Various commentors on the Proposed Rule criticized these requirements as overly prescriptive of how a board of directors should oversee cybersecurity risk.
The Final Rule likewise trims requirements to describe management's role in cybersecurity risk management by making clear that companies need describe only management's role with respect to material risks (the Proposed Rule required description of management role in cyber risk management generally). At the same time, as with the required disclosures on a company's cyber risk management and strategy, the Final Rule states that the specifically required disclosures on management's role are non-exhaustive. Companies generally are required to disclose whatever would be needed for a reasonable investor to understand management's role in addressing material cyber risks.
Public companies with the exception of smaller reporting companies will need to begin complying with the SEC's new cybersecurity rules "on the later of 90 days after the date of publication in the Federal Register or December 18, 2023." Smaller reporting companies will need to begin complying "on the later of 270 days from the effective date of the rules or June 15, 2024."
 See, e.g., Basic Inc. v. Levinson, 485 U.S. 224, 236 (1988) ("[a]ny approach that designates a single fact or occurrence as always determinative of an inherently fact-specific finding such as materiality, must necessarily be overinclusive or underinclusive").