Form 8-K Disclosure
The cybersecurity rules added a new Item 1.05 to Form 8-K, which triggers disclosures if a company experiences a cybersecurity incident that the company determines to be material. The Form 8-K disclosures must describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact on the company, including its financial condition and results of operations. An affected company must make a materiality determination “without unreasonable delay after discovery.” The Form 8-K itself is then due within four business days after the company determines that a cybersecurity incident is material.
To the extent that any required information is not determined or is unavailable at the time of the Form 8-K filing, companies will be required to amend the Form 8-K to disclose the additional information without unreasonable delay after the company determines such information or such information becomes available. The rules permit delayed disclosure in cases in which the U.S. attorney general determines that immediate disclosure would pose a substantial risk to national security or public safety. It is expected that this exception will apply in only very limited circumstances.
All companies other than smaller reporting companies must begin complying with these requirements on December 18, 2023. Smaller reporting companies must begin complying on June 15, 2024.
Form 10-K Disclosure
The cybersecurity rules also added a new Item 106 to Regulation S-K, which will generally require annual disclosure on a company’s Form 10-K, under a new “Item 1C. Cybersecurity” of Part I, on the following topics:
- Risk Management and Strategy. Companies must describe their processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats; and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition.
- Governance. Companies must also describe their board of directors’ oversight of risks from cybersecurity threats, as well as management’s role in assessing and managing material risks from cybersecurity threats.
Key Takeaways and Next Steps
- The materiality standard that companies should apply is the same one that governs other significant events: information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or, put another way, that its disclosure would have significantly altered the total mix of information made available.
- Companies should begin considering the disclosures that will be required in their next Form 10-K. Because the four-business-day Form 8-K clock runs from the materiality determination rather than from discovery, companies should also consider whether their disclosure controls and procedures need refinement so that potential cyber incidents are escalated promptly and assessed for materiality without unreasonable delay.
- Companies should review their cybersecurity incident-response plans and consider building the materiality assessment, and the potential Form 8-K filing, into those plans, so that legal, finance, and disclosure personnel are engaged alongside the technical response. Companies should also evaluate the board of directors’ and management’s existing oversight of risk from cybersecurity threats, which will now be described publicly, and continue to consider the board’s cybersecurity expertise.