The digitization of our economy has streamlined company operations but has brought with it persistent, ongoing cyberattacks. Successful attacks disrupt business operations, are costly to remediate, and can compromise confidential and personal information—including client and employee information. These compromises can significantly impact revenue and trust in the company and often result in stock prices dropping. While publicly traded companies typically report incidents to investors, reporting is not always consistent or is buried in quarterly reports made well after the fact.[1]
Effective as of September 5, 2023, the Securities and Exchange Commission (SEC) has finalized its proposed rule requiring publicly traded companies to promptly report “material” cybersecurity incidents and report annually on cybersecurity risk management and governance. This Rule addresses the need for disclosure of data incidents and preparedness to better inform investors with timely and reliable information.
I. Form 8-K Item 1.05: Cybersecurity Incident Reporting
The Final Rule is for the benefit of investors and focuses on streamlining and standardizing disclosures regarding data incidents and cybersecurity risk management, strategy, and governance.[2] New Form 8-K Item 1.05 requires companies to determine whether a cybersecurity incident is material without unreasonable delay after discovery of the incident. So long as a company does not intentionally delay a materiality determination to avoid timely disclosure, it is unlikely to be found in violation of the Rule. Once a company determines that the incident is material, it has 4 days within which it must disclose the incident, including a description of the nature, scope, and timing of the incident and the material impact or reasonably likely material impact of the incident.[3] Registrants are not required to disclose the remediation status of the incident, technical information about planned responses, or whether data was compromised. To evaluate materiality, registrants should consider qualitative factors such as harm to the company’s reputation, customer or vendor relationships, and competitiveness, and the potential for litigation or regulatory investigations. A cybersecurity incident is defined as an “unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”
II. Regulation S-K Item 106: Annual Reporting on Cybersecurity Risk Management, Strategy, and Governance
Registrants must also now disclose in their annual reporting their risk management practices, strategy, and governance. New S-K Item 106 requires companies to describe their processes, if any, for dealing with material risks from cybersecurity threats in enough detail that a reasonable investor would be able to understand them. Ideally, these disclosures will provide investors with material information to better inform their investment decisions, while avoiding the potential issue of a company’s being forced to disclose sensitive information that might further compromise the company’s security.[4] Item 106 reports must also include a description of the company’s governance structure and policies pertaining to cybersecurity and data protection, including which management positions are responsible for assessing and managing the risks, the expertise of the people in those positions, how those persons monitor security and compliance, and whether the risks are reported to the board of directors. The SEC also amended Form 20-F and Form 6-K to require similar disclosures in foreign private issuers’ annual reports.
A. Risk Management Disclosures
Proper compliance with the risk management practices disclosures entails disclosing information that would be material to the investment decisions of potential investors. These disclosures do not need to be so detailed that they would compromise the security of the company providing them. Indeed, in direct response to commenters’ concerns about the security risk presented by these disclosures, the SEC amended the Final Rule to account for the potential security vulnerability created by a detailed description of risk management practices or strategy by requiring disclosure only of “processes” instead of “policies and procedures.” Other deletions from the Rule as proposed include removal of the list of risk types (e.g., intellectual property theft, fraud, etc.) and removal of certain disclosure items, including the entity’s activities undertaken to prevent, detect, and minimize the effects of cybersecurity incidents and its business continuity and recovery plans in the event of a data incident.
B. Governance Disclosures
In compliance with S-K Item 106, registrants must also disclose governance of their cybersecurity policies, ideally identifying the management positions or committee responsible for managing cybersecurity risks and detailing the extent and nature of their expertise. Expertise can include prior work experience in cybersecurity, any relevant degrees or certifications, or any knowledge, skills, or other background in cybersecurity. The disclosure should further detail how the manager or committee is informed about cybersecurity threats or incidents and how they prevent, detect, mitigate, and remediate these incidents. Lastly, the company should disclose whether reports by either management or a committee are submitted to the board of directors or a subcommittee of the board. Having dedicated employees in management positions or having a committee whose primary responsibility is cybersecurity will become increasingly important to investors, who will likely exercise increasing scrutiny of such measures.
C. Compliance Considerations
Regulation S-K Item 106 and Form 20-F disclosures begin with annual reports for fiscal years ending on or after December 15, 2023. Form 8-K Item 1.05 cybersecurity incident disclosures must be compliant by the later of ninety (90) days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies have an additional 180 days and must begin complying with Form 8-K 1.05 by the later of 270 days from the effective date of the rules or June 15, 2024. While each company will have its own individual considerations, here are some general recommendations to prepare for compliance and additional reporting:
- Review and update the cyber incident response plan. Every company should have a cyber incident response plan that lays out how the company will respond to a suspected or confirmed data incident, the persons responsible for the incident response, and associated documentation procedures. Companies should update their plans to incorporate the new Form 8-K reporting requirements, including establishing a framework for evaluating materiality to ensure prompt reporting. Considering that very limited circumstances allow for notification delay, companies should presume they will not be granted an extension unless they regularly interact with agencies of the U.S. government responsible for national security. Once the policies and procedures are updated, companies should promptly train the appropriate employees on the new process.
- Review and, if needed, update third party contract terms to include incident disclosure requirements. Cyber incidents often originate from a company’s vendor that has access to the company networks or the company’s data. The Rule requires disclosure of cyber incidents, regardless of where they originate. Companies should ensure that vendors with access to their data or networks are bound by clear, prompt incident notification requirements.
- Assess possible updates to board assignments and committee responsibility. The SEC rules make clear that management of cybersecurity considerations must be a specifically designated job, and not an afterthought. Public companies should clearly assign cybersecurity oversight responsibilities, which may require updating committee assignments and charters.
- Prepare the new disclosures for the company’s annual report. In addition to preparing to report on the company’s cybersecurity risk management, governance, and strategy, now is an excellent time to evaluate the effectiveness of the company’s overall cybersecurity posture and whether any gaps exist. The Rule clearly identifies that the person responsible for the cybersecurity oversight should be qualified with appropriate training or experience. If the company presently does not have someone with the appropriate qualifications, the company should consider hiring additional support or supporting a current employee’s training or certification.
While this Final Rule from the SEC will create new challenges for companies, it is worth emphasizing that the disclosure of this information to investors is not only imperative in the present moment but will become increasingly significant in the future. Cybercrime is proliferating, with professional groups organizing attacks on high-level businesses at an ever-increasing rate. How well a company is equipped to deal with cybersecurity threats, and how well it addresses incidents that occur, is something investors will consider more and more as our reliance on technology grows. The Final Rule ensures that investors will become more effective in their ability to understand how prepared a company is for these events in the present and future.
[1] Special thanks to Christopher Malon, South Texas College of Law Class of 2025, for his assistance in researching and drafting this article.
[2] Securities and Exchange Commission, “Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” (available at https://www.sec.gov/files/rules/final/2023/33-11216.pdf).
[3] Securities and Exchange Commission, “FACT SHEET: Public Company Cybersecurity Disclosures; Final Rules”, (available at https://www.sec.gov/files/33-11216-fact-sheet.pdf). In situations where disclosure would pose a substantial risk to national security or public safety, the SEC allows delaying disclosure if the Attorney General determines that the disclosure would indeed pose such a risk. This delay may be extended by the Attorney General so long as the risk to national security or public safety remains.
[4] See id. at 61 (noting that the revised formulation from the proposed amendment helps avoid levels of detail that would go beyond what is relevant to investors and addresses commenters’ concerns about details that would make companies vulnerable to cyberattacks).