SGR would like to bring to your attention the recent development from the U.S. Securities and Exchange Commission (SEC) regarding cybersecurity regulations that impacts public companies subject to the reporting requirements of the Securities Exchange Act of 1934. We are highlighting key aspects of the new rule, including the introduction of new disclosure forms and requirements.
In March 2022, the SEC introduced a proposal encompassing new rules, rule amendments, and form amendments designed to enhance and standardize disclosures related to cybersecurity risk management, strategy, governance, and material cybersecurity incidents. On July 26, 2023, the SEC announced its adoption and implementation of new cybersecurity rules, which include disclosure requirements aimed at enhancing transparency and standardization among public companies.
Rationale
The SEC’s motivation stems from several factors that collectively underscore the importance of bolstering cybersecurity disclosures. Notably, the increase in the frequency and severity of cybersecurity incidents, coupled with the rising costs associated with these incidents, serves as a reminder of the urgency for improved disclosure practices. The interconnectedness of digital operations, the rise of remote work, and the utilization of third-party service providers further amplify the potential risks.
Form 8-K Item 1.05: Disclosure of Material Cybersecurity Incidents
Under the new rules, a new Form 8-K Item 1.05 will mandate that registrants promptly disclose any cybersecurity incident they determine to be material. The disclosure should encompass the material aspects of the incident, such as its nature, scope, timing, and the material impact or reasonably likely material impact on the registrant, including its financial condition and operational results. Registrants are required to assess the materiality of the incident without undue delay following its discovery. If deemed material, the registrant must file an Item 1.05 Form 8-K within four business days of such determination. However, if immediate disclosure poses a substantial risk to national security or public safety, the United States Attorney General can delay the disclosure, subject to Commission notification and potential exemptive orders.
New Regulation S-K Item 106: Management of Cybersecurity Risks
The new rules introduce Regulation S-K Item 106, which requires registrants to describe their processes for evaluating, identifying, and mitigating material risks stemming from cybersecurity threats. Furthermore, registrants are required to discuss whether any risks from cybersecurity threats, including those arising from previous incidents, have materially affected or are reasonably likely to materially affect the company. This regulation also requires registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing such risks.
Form 6-K and Form 20-F Amendments: Enhanced Disclosure for Foreign Private Issuers
Foreign private issuers are not exempt from the scope of these new rules. Form 6-K will be revised to oblige foreign private issuers to furnish information regarding material cybersecurity incidents that they disclose or are required to disclose in a foreign jurisdiction to stock exchanges or security holders. Form 20-F will also be amended, mandating foreign private issuers to provide periodic disclosure comparable to the requirements specified in Regulation S-K Item 106.
Effective Dates and Compliance Deadlines
The final rules are slated to take effect 30 days after the publication of the adopting release in the Federal Register. Compliance deadlines for the different categories of registrants are as follows:
For Regulation S-K Item 106 and comparable Form 20-F requirements, all registrants must begin providing disclosures starting with annual reports for fiscal years concluding on or after December 15, 2023.
For the disclosure requirements in Form 8-K Item 1.05 and Form 6-K, all registrants except smaller reporting companies must begin complying either 90 days after publication in the Federal Register or by December 18, 2023. Smaller reporting companies are granted an additional 180 days and must comply with Form 8-K Item 1.05 by the later of 270 days from the rule’s effective date or June 15, 2024.
Regarding structured data requirements, all registrants must tag disclosures as mandated by the final rules in Inline XBRL, starting one year after their initial compliance with the relevant disclosure requirement.
Next Steps
We recommend that affected companies consult SGR legal counsel with expertise in securities law and cybersecurity to gain a comprehensive understanding of the evolving regulatory landscape and to ensure timely compliance with new rules and requirements set forth in the SEC’s cybersecurity rule. As always, you should immediately engage legal counsel in the event of any potential data security incident.
For more information and inquiries, feel free to contact Joel Bruckman, a Partner in our Data Privacy and Cybersecurity practice group, by email at jbruckman@sgrlaw.com or by telephone at (312) 360-6461.