SEC Finalizes Cybersecurity Rules for Public Companies: What’s New, What’s Not, and What’s Next
On July 26, 2023, the Securities and Exchange Commission (“SEC”) voted to approve final rules governing cybersecurity disclosures of public companies (“Final Rules”). The Final Rules make meaningful changes to the current and periodic reporting process, and add time-sensitive steps to incident response, by requiring companies to disclose the following:
New Item 1.05 of Form 8-K
- any material cybersecurity incidents within four business days after determining an incident is material (subject to a national security or public safety exception as determined by the US Attorney General)
New Item 106 to Regulation S-K
- a description of their processes (if any) for assessing, identifying and managing material cybersecurity risks,
- a discussion of whether previous cybersecurity incidents have materially affected or are reasonably likely to materially affect the registrant, and
- management’s role and expertise in assessing and managing cybersecurity risks.
Companies will be required to make disclosures about their cybersecurity governance, risk management, and strategy pursuant to New Item 106 to Regulation S-K within their annual reports on Form 10-K for fiscal years ending on or after December 15, 2023. Compliance with the Final Rules modifying Form 8-K Item 1.05 will be required beginning on December 18, 2023, or 90 days after the Final Rules are published in the Federal Register (whichever is later). Comparable disclosures by foreign private issuers are required on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity governance, risk management, and strategy.
Differences from the Proposed Rules
The Final Rules differ in significant ways from the Proposed Rules, which were released on March 9, 2022. The Final Rules are shorter, and certain parts of the Proposed Rules were not included in the Final Rules. The three main differences are as follows.
- First, the Proposed Rules would have required companies to disclose whether members of the board of directors had cybersecurity expertise, but the Final Rules omit that requirement, and instead focus on management’s expertise in managing cybersecurity risks.
- Second, the Proposed Rules would have required companies to provide updated disclosure about past incidents in periodic reporting in Forms 10-Q and 10-K. This proposal was not adopted in the Final Rules, which instead clarify that updated incident disclosure should be provided in a Form 8-K amendment.
- Third, in contrast to the Proposed Rules, which had no exceptions to the requirement to report material breaches within four business days of determining materiality, the Final Rules allow companies to delay disclosure if the U.S. Attorney General determines that the disclosure would pose a substantial risk to national security or public safety. If the Attorney General decides that a substantial risk to national security or public safety exists, then the company could delay disclosure for an initial 30-day period, which could be extended further by the Attorney General. Under the Final Rules, it is unclear how a company would contact the Attorney General and obtain such a decision within the four-business-day period. We anticipate that the question of how to properly seek review and approval from the Attorney General will garner interest from many parties, and we anticipate additional guidance might be forthcoming from the SEC on this point prior to the date on which companies must begin complying with the Final Rules.
Steps Public Companies Can Take to Prepare
As the Final Rules will take effect later this year, companies should begin taking steps to prepare for compliance with the Final Rules. Public companies should review their current information security preparedness, paying special attention to their cybersecurity and information technology policies, including information security policies, incident response plans, disaster recovery plans, and business continuity plans. Furthermore, public companies should ensure that they have procedures in place that allow the team investigating potential breaches or cybersecurity incidents to convey the details of any such incidents in a timely manner to the team responsible for making public disclosures related to such incidents, such as the legal or finance department. Ineffective internal communication could result in the SEC taking action for a company’s failure to update its public disclosures to address a data breach or other cybersecurity incident in a timely manner. We also recommend that companies inform their board, or any committee of their board that is tasked with overseeing cybersecurity as well as SEC reporting matters, of this development, so that directors are apprised of the new requirement for time-sensitive disclosures related to these cybersecurity incidents under Form 8-K as well as cybersecurity governance and oversight disclosures generally on Form 10-K, Form 6-K or Form 20-F, as applicable.
Effective cybersecurity risk management depends on employees from different departments collaborating across the business. Information security, accounting, and legal professionals are likely to all be involved in the incident response and disclosure process.
V&E is available to assist clients in identifying, managing, and mitigating data privacy and cybersecurity risks, from early planning and assessment and developing good cybersecurity governance and oversight structures to managing incident response and resulting litigation or regulatory inquiry.
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.