On July 26, 2023, the SEC adopted final new rules requiring disclosures for both domestic and foreign companies related to cybersecurity incidents, risk management, strategy and governance. The proposed rules were published in March 2022 (see HERE). In response to numerous comments, the final rules made several changes to the proposal, including narrowing the disclosures in both the Form 8-K/6-K and annual reports on Form 10-K and 20-F.
The final rules add new Item 1.05 to Form 8-K requiring disclosure of a material cybersecurity incident, including the incident’s nature, scope, timing, and material impact or reasonably likely impact on the company. An Item 1.05 Form 8-K will be due within four business days following determination that a cybersecurity incident is material. Given the sensitive nature of cybersecurity crimes, the SEC has added a provision allowing an 8-K to be delayed if the SEC is informed by the United States Attorney General, in writing, that immediate disclosure would pose a substantial risk to national security or public safety.
The new rules add Item 106 to Regulation S-K, requiring companies to make an annual disclosure in their Form 10-K describing their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition. Item 106 will also require companies to describe their board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.
The rules require comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.
The final rules are effective September 5, 2023. The Form 10-K and 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures will be due beginning December 15, 2023, for all companies other than smaller reporting companies. Smaller reporting companies must comply with the Form 8-K requirements beginning June 15, 2024.
Annual disclosures on Form 10-K and Form 20-F must be tagged with inline XBRL beginning with reports for the fiscal years ending on or after December 15, 2024, and Form 8-K/6-K must be tagged beginning on December 18, 2024.
Background
Cybersecurity has been an important topic for years and will only continue to become more so as a significant and increasing amount of the world’s economic activity occurs through digital technology and electronic communications. Cyber-crimes on all levels from data breaches, ransomware, phishing, and data theft have become commonplace. Public companies of all sizes and operating in all industries are susceptible to cybersecurity incidents that can stem from intentional or unintentional acts.
Cyber-incidents can take many forms, both intentional and unintentional, and commonly include unauthorized access to information (including personal information related to customers’ accounts or credit information), data corruption, misappropriation of assets or sensitive information, and operational disruption. Attacks use increasingly complex methods, including malware, ransomware, phishing, structured query language (SQL) injections and distributed denial-of-service attacks. A cyberattack can take the form of unauthorized access or of blocking authorized access.
The purpose of a cyberattack can vary as much as the methodology used, ranging from financial gain, such as the theft of financial assets, intellectual property or sensitive personal information, on the one hand, to a vengeful or terrorist motive pursued through business disruption on the other. Perpetrators may be insiders and affiliates, or third parties including cybercriminals, competitors, nation-states and “hacktivists.”
When a company falls victim to a cyberattack or incident, it will suffer direct financial and indirect negative consequences, including but not limited to:
- Remediation costs, including liability for stolen assets, costs of repairing system damage, and incentives or other costs associated with repairing customer and business relationships;
- Costs due to business interruption, decreases in production, and delays in product launches;
- Payments to meet ransom and other extortion demands;
- Increased cybersecurity protection costs to prevent future attacks and the potential damage they can cause. These costs could include organizational changes, employee training and engaging third-party experts and consultants;
- Lost revenues from unauthorized use of proprietary information and lost customers;
- Litigation and legal risks, including regulatory and private civil actions;
- Increased insurance premiums;
- Damage to the company’s competitiveness, stock price and long-term shareholder value; and
- Reputational damage.
There are currently no specific disclosure requirements in Regulation S-K or S-X that explicitly refer to cybersecurity risks or incidents; however, the SEC did issue guidance on disclosure in 2011 and again in 2018. For a detailed summary of the 2018 Interpretive Release, see HERE.
Clearly disclosure is important and, although I am not usually a proponent of increased regulation, the SEC’s new rules on cybersecurity disclosures, including through additions to Form 8-K/6-K, make sense.
Form 8-K
New Item 1.05 to Form 8-K requires companies to disclose any cybersecurity incident they experience that is determined to be material. The disclosure must include: (i) the timing of the incident; (ii) the nature and scope of the incident; and (iii) whether the incident had a material impact or is likely to have a material impact on the company’s financial condition and results of operations. Disclosure is required for any material incident that impacts a company, including where the actual incident occurred on a third-party system.
Materiality is determined as with any other SEC disclosure, to wit: information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.” “Doubts as to the critical nature” of the relevant information should be “resolved in favor of those the statute is designed to protect,” namely investors (TSC Industries, Inc. v. Northway, Inc.).
Moreover, in the final release the SEC notes that “financial condition and results of operations” is not limited to quantitative factors. A company should also consider qualitative factors such as reputational harm, vendor relationships, competitiveness, and risks of lawsuits or regulatory actions.
In response to comments, instructions to Item 1.05 will specify that a “registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.”
An Item 1.05 Form 8-K will be due within four business days following determination that a cybersecurity incident is material. To ensure that a company uses its best efforts to make a materiality determination (thus triggering the 8-K filing requirement), the instructions provide that materiality determinations must be made “without unreasonable delay.” The company must amend a prior Item 1.05 8-K to disclose any additional information that was not available at the time of the original filing but that is otherwise required in the Item 1.05 disclosure. The amendment must be filed within four business days after such new information is determined or otherwise becomes available.
Although an Item 1.05 Form 8-K will be filed (not furnished), the SEC will amend Form S-3 to clarify that an untimely Item 1.05 Form 8-K will not impact S-3 eligibility. Likewise, the SEC is amending Rules 13a-11(c) and 15d-11(c) under the Exchange Act to include new Item 1.05 in the list of Form 8-K items eligible for a limited safe harbor from liability under Section 10(b) or Rule 10b-5 under the Exchange Act.
Given the sensitive nature of cybersecurity crimes, the SEC has added a provision allowing an 8-K to be delayed if the SEC is informed by the United States Attorney General, in writing, that immediate disclosure would pose a substantial risk to national security or public safety. The delay can last up to the time specified by the Attorney General or 30 days, and can be extended for an additional 30 days at the written request of the Attorney General. In extraordinary circumstances, disclosure may be delayed for a final additional period of up to 60 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security and notifies the SEC of such determination in writing. Further, a company may delay filing the Form 8-K up to seven business days following notification of the Secret Service and FBI pursuant to an FCC notification rule for breaches of customer proprietary network information, with written notification to the SEC.
Form 6-K
Foreign private issuers must furnish on Form 6-K information on material cybersecurity incidents that they disclose or otherwise publicize in a foreign jurisdiction, to any stock exchange, or to security holders.
Form 10-K
The new rules add Item 106 to Regulation S-K, requiring companies to make an annual disclosure in their Form 10-K describing their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. The final rule is toned down significantly in response to commenters’ concerns that the originally proposed level of disclosure would provide an advantage to threat actors and increase a company’s vulnerability to attack.
Although the final rule will not contain a list of the types of cybersecurity risks a company could face (and thus should consider implementing processes to address), the rule release notes that a company should consider intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy laws and other litigation and legal risk; and reputational risk.
Final Item 106(b) requires disclosure of: (i) whether and how the cybersecurity processes described in Item 106(b) have been integrated into the registrant’s overall risk management system or processes; (ii) whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and (iii) whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider. The rule specifically states that this is a non-exclusive list and that companies should additionally disclose whatever information is necessary, based on their facts and circumstances, for a reasonable investor to understand their cybersecurity processes.
Item 106(b) also requires disclosure of “[w]hether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how.”
Item 106 will also require companies to describe their board of directors’ oversight of risks from cybersecurity threats and, if applicable, any board committee or subcommittee responsible “for such oversight,” and to describe the processes by which the board or such committee is informed about such risks. The final rule is toned down considerably from the proposed rule, which would have required disclosure as to how the board integrates cybersecurity into its business strategy, risk management, and financial oversight, as well as the board’s expertise in such matters.
Item 106 also requires disclosure of management’s role and expertise in assessing and managing material risks from cybersecurity threats. The final rules contain a non-exclusive list of examples of the types of information a company should disclose, including: (i) whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise; (ii) the processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and (iii) whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.
Form 20-F
Foreign private issuers must: (i) describe the board’s oversight of risks from cybersecurity threats; and (ii) describe management’s role in assessing and managing material risks from cybersecurity threats.
Definitions
The final rule contains the following definitions:
“Cybersecurity incident” means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.
“Cybersecurity threat” means any potential unauthorized occurrence on or conducted through a registrant’s information systems that may result in adverse effects on the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein.
“Information systems” means electronic information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant’s information to maintain or support the registrant’s operations.
The Author
Laura Anthony, Esq.
Founding Partner
Anthony L.G., PLLC
A Corporate Law Firm
Securities attorney Laura Anthony and her experienced legal team provide ongoing corporate counsel to small and mid-size private companies, public companies as well as private companies going public on the Nasdaq, NYSE American or over-the-counter market, such as the OTCQB and OTCQX. For more than two decades Anthony L.G., PLLC has served clients providing fast, personalized, cutting-edge legal service. The firm’s reputation and relationships provide invaluable resources to clients including introductions to investment bankers, broker-dealers, institutional investors and other strategic alliances. The firm’s focus includes, but is not limited to, compliance with the Securities Act of 1933 offer sale and registration requirements, including private placement transactions under Regulation D and Regulation S and PIPE Transactions, securities token offerings and initial coin offerings, Regulation A/A+ offerings, as well as registration statements on Forms S-1, S-3, S-8 and merger registrations on Form S-4; compliance with the Securities Exchange Act of 1934, including registration on Form 10, reporting on Forms 10-Q, 10-K and 8-K, and 14C Information and 14A Proxy Statements; all forms of going public transactions; mergers and acquisitions including both reverse mergers and forward mergers; applications to and compliance with the corporate governance requirements of securities exchanges including Nasdaq and NYSE American; general corporate; and general contract and business transactions. Ms. Anthony and her firm represent both target and acquiring companies in merger and acquisition transactions, including the preparation of transaction documents such as merger agreements, share exchange agreements, stock purchase agreements, asset purchase agreements and reorganization agreements. 
The ALG legal team assists Pubcos in complying with the requirements of federal and state securities laws and SROs such as FINRA for 15c2-11 applications, corporate name changes, reverse and forward splits and changes of domicile. Ms. Anthony is also the author of SecuritiesLawBlog.com, the small-cap and middle market’s top source for industry news, and the producer and host of LawCast.com, Corporate Finance in Focus. In addition to many other major metropolitan areas, the firm currently represents clients in New York, Los Angeles, Miami, Boca Raton, West Palm Beach, Atlanta, Phoenix, Scottsdale, Charlotte, Cincinnati, Cleveland, Washington, D.C., Denver, Tampa, Detroit and Dallas.
Ms. Anthony is a member of various professional organizations including the Crowdfunding Professional Association (CfPA), Palm Beach County Bar Association, the Florida Bar Association, the American Bar Association and the ABA committees on Federal Securities Regulations and Private Equity and Venture Capital. She is a supporter of several community charities including the American Red Cross for Palm Beach and Martin Counties, Susan Komen Foundation, Opportunity, Inc., New Hope Charities, the Society of the Four Arts, the Norton Museum of Art, Palm Beach County Zoo Society, the Kravis Center for the Performing Arts and several others.
Ms. Anthony is an honors graduate from Florida State University College of Law and has been practicing law since 1993.