On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) adopted cybersecurity rules requiring public companies to disclose:
- material cybersecurity incidents they experience on a current report on Form 8-K generally within four business days after the company determines the incident is material; and
- material information regarding their cybersecurity risk management, strategy, and governance in their annual report on Form 10-K each year.
Effective Date: The new Form 10-K disclosures will be required beginning with annual reports for fiscal years ending on or after December 15, 2023. Accordingly, companies with a calendar-year end will need to include the applicable disclosures in their upcoming Form 10-K for the year ending December 31, 2023. The new Form 8-K disclosures will be required beginning December 18, 2023, with some relief for smaller reporting companies, as discussed below.
Form 8-K Disclosure
The cybersecurity rules added a new Item 1.05 of Form 8-K, which triggers disclosures if a company experiences a cybersecurity incident that the company determines to be material. The Form 8-K disclosure must describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the company, including its financial condition and results of operations. An affected company must make a materiality determination “without unreasonable delay after discovery.” The Form 8-K itself is then due within four business days after the company determines that a cybersecurity incident is material. To the extent any required information is not determined or is unavailable at the time of the Form 8-K filing, companies will be required to amend the Form 8-K to disclose the additional information after, without unreasonable delay, the company determines such information, or such information becomes available. The rules permit delayed disclosure in cases in which the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety. It is expected that this exception will apply in only very limited circumstances.
All companies other than smaller reporting companies must begin complying with these requirements on December 18, 2023. Smaller reporting companies must begin complying on June 15, 2024.
Form 10-K Disclosure
The cybersecurity rules also added a new Item 106 of Regulation S-K, which will generally require annual disclosure in a company’s Form 10-K under a new Item 1C. “Cybersecurity” of Part I, on the following topics:
- Risk management and strategy: Companies must describe their processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats, and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition.
- Governance: Companies must also describe their board of directors’ oversight of risks from cybersecurity threats, as well as management’s role in assessing and managing material risks from cybersecurity threats.
Key Takeaways and Next Steps
The materiality standard companies should apply is consistent with current interpretations applicable to other significant events. That is, information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information made available.
Companies should begin considering the disclosures that will be required in their next Form 10-K. In preparation for compliance with the materiality determination trigger of the new Form 8-K deadline, companies should also consider whether any refinement of disclosure controls and procedures is needed to address potential cyber incidents and assess their materiality. Companies should also consider their cybersecurity incident response plans and whether to incorporate the materiality assessment and potential Form 8-K filing into such plans. Companies should also evaluate and assess their board of directors’ and management’s existing oversight of risk from cybersecurity threats, and continue to consider their board’s cybersecurity expertise.
If you have any questions on the amendments, please contact a member of Godfrey & Kahn’s Corporate practice.