TheCorporateCounsel.net

July 27, 2023

SEC Adopts Cybersecurity Disclosure Rules

Yesterday, the SEC adopted, by a 3-2 vote, amendments to its rules that will require periodic disclosures regarding cybersecurity risk management, strategy and governance, as well as current disclosure on Form 8-K of material cybersecurity incidents.

Specifically, under the amendments, issuers will be required to:

  • Disclose, on a current basis pursuant to new Item 1.05 of Form 8-K, any cybersecurity incident that an issuer experiences that is determined to be material, describing the material aspects of its: (i) nature, scope, and timing; and (ii) impact or reasonably likely impact;
  • Describe, on a periodic basis pursuant to new Item 106 of Regulation S-K, the issuer’s processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats, and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect its business strategy, results of operations, or financial condition;
  • Describe, on a periodic basis pursuant to new Item 106 of Regulation S-K, the board’s oversight of risks from cybersecurity threats; and
  • Describe, on a periodic basis pursuant to new Item 106 of Regulation S-K, management’s role in assessing and managing material risks from cybersecurity threats.

Similar disclosure requirements will apply to foreign private issuers.

The final rules will be effective 30 days following publication of the adopting release in the Federal Register. With respect to the periodic disclosures required by Item 106 of Regulation S-K, all issuers must provide such disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023. With respect to compliance with the current disclosure requirements for material cybersecurity incidents required by Item 1.05 of Form 8-K, all issuers (other than smaller reporting companies) must begin complying 90 days after publication of the adopting release in the Federal Register or December 18, 2023, whichever is later. Smaller reporting companies have an additional 180 days from the non-smaller reporting company compliance date, so those issuers must begin complying with Item 1.05 of Form 8-K 270 days after publication of the adopting release in the Federal Register or June 15, 2024, whichever is later.

The SEC made several significant changes from the proposing release in response to comments. With respect to current reporting of cybersecurity incidents pursuant to Item 1.05 of Form 8-K, the SEC narrowed the scope of the disclosure, added a limited delay for disclosures that would pose a substantial risk to national security or public safety, required certain updated incident disclosure in an amended Form 8-K rather than in Forms 10-Q and 10-K, and omitted the proposed aggregation of immaterial incidents for materiality analyses. The SEC also streamlined the proposed disclosure elements related to risk management, strategy and governance, and it did not adopt the proposed requirement to disclose board cybersecurity expertise.

We have posted the adopting release in our “Cybersecurity/Privacy Rights/Security Breaches/Data Governance” Practice Area and we will be posting memos about the rule changes there as they come in, so be sure to check out this great resource.

– Dave Lynn