TheCorporateCounsel.net

April 17, 2024

The Other Cybersecurity Disclosure: Where Do We Go from Here?

With Form 10-K season for December 31 year-end filers now wrapped up, we can get a sense of how things went with the cybersecurity disclosure required in Item 106 of Regulation S-K. I don’t know about you, but preparing these disclosures proved to be a hard slog over the past few months, as is often the case when preparing new and unfamiliar disclosures from scratch. A DLA memo from earlier this year identified some early filer trends in the Form 10-K cybersecurity disclosure:

A recent study by DLA Piper Corporate Data Analytics of Item 1C disclosures filed by Russell 3000 companies as of January 31, 2024 found:

– 85 percent of registrants disclosed that the company has a Chief Information Security Officer (CISO) or other role responsible for information security.

– 62 percent of registrants disclosed a CISO or similar role focused solely on information security.

– 23 percent disclosed a Vice President, Chief Technology Officer, or other employee with responsibility over information security and other technology-related matters.

– 69 percent of registrants discussed conducting employee training regarding cybersecurity as well as conducting internal tests or simulations.

– While no registrants discussed a specific cyber incident in Item 1C disclosures, 69 percent discussed past breaches generally and 62 percent discussed past threats generally.

In addition to the registrants who have disclosed new Item 1C, some registrants with fiscal year ends prior to December 15, 2023 have been voluntarily including cybersecurity-related disclosures in their recently filed Form 10-Ks. Generally, such registrants have included information related to individuals who manage the registrant’s security program and who provide periodic reports to the board of directors, CEO, and other senior management.

For example, filers in the technology sector have disclosed that:

– IT teams regularly monitor and generate reports regarding cyber risks and threats, the status of projects to strengthen information security systems, assessments of information security programs, the emerging threat landscape, and related matters

– Such cybersecurity-related reports are provided to the Chief Information Security Officer

– Overall cyber programs are regularly evaluated by internal and external experts

– The company conducts engagement with key vendors, industry participants, and intelligence and law enforcement communities as part of continuing efforts to evaluate and enhance the effectiveness of its information security policies and procedures

– The company maintains internal procedures, such as establishing a confidentiality framework, adhering to document management regulations, and all-employee confidentiality agreement requirements

Generally, my observations have been that the Form 10-K cybersecurity disclosures were shorter than I expected and tended to include less detail than one might have expected about the overall cybersecurity risk management approach. As we digest this year’s disclosure in anticipation of next year’s disclosures, I think companies will be revisiting their disclosure approach to get in line with their peers and general disclosure practices. We may also get the benefit of the Staff’s observations on the new disclosure, either through the comment process or through further interpretive guidance.

We will continue to post law firm memos and other resources on this topic in our “Cybersecurity” Practice Area.

– Dave Lynn