While the SEC’s adoption of cybersecurity disclosure requirements last month was a long time in the making, the actual adoption of the rules and the relatively short compliance deadlines seem to have prompted some level of panic at public companies. Based on how the final rules came out, I hope to offer some reassuring words that your path to compliance with these requirements can build on your pre-existing efforts rather than reinventing the wheel. To that end, I ask and answer some of the questions that have been emerging about the new rules. Please read them and take a few deep breaths.
Do I need to create new disclosure controls for Item 1.05 of Form 8-K?
Under new Item 1.05 of Form 8-K, companies will be required to disclose any cybersecurity incident they experience that is determined to be material, within four business days after making that materiality determination (subject to limited exceptions), describing the material aspects of its: (i) nature, scope, and timing; and (ii) impact or reasonably likely impact on the company, including on the company’s financial condition and results of operations.
The disclosure controls necessary to escalate cybersecurity incidents and evaluate whether they are material and must be disclosed should already be in place at public companies. The SEC’s 2018 interpretive release strongly encouraged the filing of a Form 8-K when a cybersecurity incident is determined to be material, and subsequent SEC enforcement cases focused on the timing of current disclosure about cybersecurity incidents and the disclosure controls that were in place to facilitate that disclosure. As a result of these developments, companies have implemented procedures to identify cybersecurity incidents, escalate them to management, and have management evaluate the materiality of those incidents to determine whether they must be disclosed. Item 1.05 of Form 8-K now formalizes the Form 8-K filing requirements and assigns a four-business-day deadline to the disclosure obligation.
For foreign private issuers, not much has changed in terms of the current disclosure framework. The SEC did amend General Instruction B of Form 6-K to reference material cybersecurity incidents in the list of items that may trigger a current report on Form 6-K. The SEC notes in the adopting release that, “for a cybersecurity incident to trigger a disclosure obligation on Form 6-K, the registrant must determine that the incident is material, in addition to meeting the other criteria for required submission of the Form.”
The new disclosure obligation may require some fine-tuning of pre-existing disclosure controls and procedures to reflect the disclosures that must be provided in response to the new Form 8-K item, as well as the process for tracking whether the Item 1.05 Form 8-K must be amended to reflect information that is not determined or is unavailable at the time of the required initial filing. Further, companies will need to assess whether their controls will facilitate a Form 8-K filing within four business days of determining that the incident is material.
Spoiler alert: In the vast majority of cybersecurity incidents that I deal with in my practice, it is ultimately concluded that the cybersecurity incident is not material under established standards for evaluating materiality. As a result, I do not expect to see a flood of Item 1.05 Form 8-Ks streaming into the SEC after the December 18, 2023 compliance date.
Should my approach to determining whether a cybersecurity incident is material change?
The approach to materiality is the same as it has always been. The SEC did not adopt any bright lines to be applied in determining whether an incident is material and therefore must be disclosed under new Item 1.05 of Form 8-K, leaving it to us to apply established standards of materiality. Consistent with past pronouncements, the Commission has indicated that the materiality standard companies should apply in evaluating whether a Form 8-K would be triggered under Item 1.05 is consistent with the case law standards that we are familiar with applying in this context.
For the purpose of evaluating whether a Form 8-K is required to be filed pursuant to Item 1.05 of Form 8-K, information about a cybersecurity incident is considered “material” if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision or if the information would have been viewed by the reasonable investor as having significantly altered the “total mix” of information made available to the investor. As part of a materiality analysis, the company should consider the indicated probability that an event will occur and the anticipated magnitude of the event in light of the totality of company activity. No single fact or occurrence is determinative as to materiality, which requires an inherently fact-specific inquiry.
I advise that it is best to create your framework for evaluating the materiality of cybersecurity incidents ahead of time, and test that framework when you conduct tabletop exercises or otherwise evaluate your incident response plan. Once you have the framework sorted out and documented, then I don’t think it is necessary to document your specific evaluation of individual incidents, unless that is something that you would normally do in your Form 8-K process.
Do I need to change my board and management practices regarding cybersecurity?
While it is certainly always a good idea to evaluate your board and management practices around the oversight and management of cybersecurity risks to always put your best foot forward on this topic, nothing about the new disclosure requirements should necessarily drive a revamp of the company’s approach. In the adopting release, the SEC notes “that the purpose of the rules is, and was at proposal, to inform investors, not to influence whether and how companies manage their cybersecurity risk.” As originally proposed, the disclosure requirements could be read as normative standards for board oversight and management involvement, but in the final rules the SEC has taken a much more principles-based approach. Based on this pivot, one might expect to see a few paragraphs about cybersecurity risk management, strategy, and governance in upcoming Form 10-Ks rather than pages of disclosure. And those paragraphs are going to be pretty high level in terms of their description of the process, as even the SEC does not want companies to hand threat actors the “keys to the kingdom” through their Form 10-K disclosure. At this point, the best approach is to begin drafting the required disclosure so you can evaluate whether there are any areas that you want to shore up before going live in your Form 10-K.
Do the new rules supersede the SEC’s past guidance?
While some aspects of the 2018 interpretive guidance have now been incorporated into the SEC’s rules (in particular the construct for current reporting on Form 8-K), companies still must consider that guidance in determining what to disclose under items that were not amended with this latest rulemaking effort, including: (i) risk factors; (ii) legal proceedings; (iii) MD&A; (iv) financial statements; (v) effectiveness of disclosure controls and procedures; and (vi) corporate governance (including disclosure in the proxy statement).
Don’t forget that we will be giving practical action items for these new rules at our “Proxy Disclosure & 20th Annual Executive Compensation Conferences” – coming up virtually September 20-22. Register online today through our membership center or by emailing email@example.com. Or, you can call us at 800-737-1271. You can also find the latest guidance on the new cybersecurity disclosure requirements in our “Cybersecurity/Privacy Rights/Security Breaches/Data Governance” Practice Area on TheCorporateCounsel.net. If you are not a member of TheCorporateCounsel.net, sign up today!
– Dave Lynn