SEC Adopts New Rules on Cybersecurity Risks for Public Companies
By Alan S. Wernick, Esq., Aronberg Goldgehn
On July 26, 2023, the Securities and Exchange Commission (“SEC”) adopted final rules requiring registrants (i.e., businesses required to report to the SEC) to, among other things, promptly disclose material cybersecurity events and, annually, disclose material information concerning the registrant’s cybersecurity risk management, strategy, and governance. This article presents a brief, not exhaustive, overview of the SEC’s final rules on cybersecurity risks for public companies.
SEC Chair Gary Gensler, in a July 26, 2023, statement on public company cybersecurity disclosures, noted, “Increasingly, cybersecurity risks and incidents are a fact of modern life. When material incidents occur, they can have a range of consequences—including financial, operational, legal, or reputational.” He further noted, “Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors. … Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.” (See SEC; Statement on Public Company Cybersecurity Disclosures.)
Under the new Form 8-K Item 1.05 (“Material Cybersecurity Incidents”), registrants must disclose any cybersecurity incident they experience that is determined to be material within four (4) business days of determining that the incident was material, and describe the material aspects of its (i) nature, scope, and timing; and (ii) impact or reasonably likely impact. A registrant may delay filing, as described in the Rules, if the United States Attorney General (“Attorney General”) determines that immediate disclosure would pose a substantial risk to national security or public safety. Registrants also must amend a prior Item 1.05 Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing. (See SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure; Final Rules.)
In addition:
- “New Regulation S-K Item 106 will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant. Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.”
- “Form 6-K will be amended to require foreign private issuers to furnish information on material cybersecurity incidents that they make or are required to make public or otherwise disclose in a foreign jurisdiction to any stock exchange or to security holders. Form 20-F will be amended to require that foreign private issuers make periodic disclosure comparable to that required in new Regulation S-K Item 106.” (See SEC Fact Sheet; Public Company Cybersecurity Disclosures; Final Rules.)
The cybersecurity disclosures now included in the annual Form 10-K and Form 20-F will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication of the Final Rules in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure.
The bottom line for companies subject to the new SEC rules on cybersecurity risks for public companies is that they need to be aware of the requirements of the new rules, and their boards of directors need to consider increasing their education about and awareness of cybersecurity risks to the business, and to have substantive and meaningful discussions with all requisite parties concerning appropriate oversight of these cybersecurity risks. The cost of ignoring these new rules could be substantial.
© 2023 Alan S. Wernick and Aronberg Goldgehn.