TheCorporateCounsel.net

August 14, 2023

Cybersecurity: How to Prepare for New Disclosures

As Liz blogged last week, the SEC’s cybersecurity disclosure rules were published in the Federal Register, confirming that all registrants other than smaller reporting companies must comply with the incident disclosure requirements in Item 1.05 of Form 8-K beginning on December 18, 2023. Companies have been grappling with current reporting of material cybersecurity incidents at least since the SEC’s 2018 interpretive guidance — as Dave noted in his blog drilling down on the 8-K requirements — and have devoted significant time and resources to shoring up disclosure controls and procedures in light of that guidance and related enforcement activity. The SEC has also been quick to remind us that the rule is not intended to dictate how companies manage their cyber defenses.

Nonetheless, companies still need to consider how their processes and procedures for responding to an incident dovetail with the new cybersecurity disclosure rules. In this article, Debevoise addresses key takeaways and action items in anticipation of the effectiveness of the new requirements. With respect to the four business-day obligation to disclose material incidents on Form 8-K, here are suggestions from the alert, which goes into more detail on each item.

– Review the incident response plan and procedures to ensure that the materiality analysis is appropriately sequenced alongside other incident response activities and that materiality determination protocols are well-informed, deliberative and documented.

– Develop a disclosure analysis framework that incorporates both qualitative and quantitative factors, accounts for the broadened definition of “cybersecurity incident,” and does not disclose information that would impede incident response and remediation.

– Review policies and procedures regarding the triage and escalation of third-party cybersecurity incidents to enable prompt materiality analysis, where appropriate.

– Track any missing required information in the initial Form 8-K filing and establish a cadence to review ongoing material incidents.

The alert also makes preparedness recommendations for the disclosure requirements relating to risk management, strategy and governance.

Meredith Ervine