On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) finalized new rules that mandate public companies to disclose material cybersecurity incidents and provide annual updates on their cybersecurity risk management, strategy, and governance. The rules, which also contain similar requirements for foreign private issuers, represent an additional operational burden with a short fuse for businesses juggling potentially overlapping state and federal law notifications in response to a cybersecurity incident.
- The SEC finalized rules that mandate public companies to disclose material cybersecurity incidents and provide annual updates on their cybersecurity risk management, strategy, and governance.
- The final rules significantly expand prior guidance regarding specificity of required disclosures.
- The rules take effect thirty days after publication in the Federal Register.
Public companies were already required to disclose events deemed “material,” and as reinforced by the Commission’s 2011 and 2018 interpretive guidance, cybersecurity incidents are no exception to the disclosure requirements surrounding material events. The final rules represent a significant expansion of the prior guidance regarding the specificity of required disclosures and may require operational and governance overhauls for many businesses.
What Constitutes a ‘Material’ Cybersecurity Incident?
As a starting point, the Commission declined to adopt a specific definition of “materiality” with regard to cybersecurity incidents and instead commented that it would continue to be determined consistent with the general standard in securities common law, whereby information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in deciding on investments, or if the information would have “significantly altered the ‘total mix’ of information made available.” The analysis should consider both qualitative and quantitative factors, including the “immediate fallout and any longer term effects on [the company’s] operations, finances, brand perception, [and] customer relationships,” among other factors.
Notably, the March 2023 proposed rules outlined considerations as to the materiality determination, including the likelihood and extent to which a cybersecurity incident could:
- “disrupt or degrade the [business’s] ability to maintain critical operations”;
- “adversely affect the confidentiality, integrity, or availability of information residing on the [business’s] information systems, including whether the information is personal, confidential, or proprietary information”; and/or
- “harm the [business] or its customers, counterparties, members, registrants, users, or other persons.”
Given the fact-specific nature of this inquiry, the Commission noted that the same incident affecting multiple public companies may not require reporting at the same time, and in some cases, may be reportable for one company but not for another.
Key Aspects of the New Rules
For any cybersecurity incident deemed material, the new rules will require companies to describe “the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the [company], including its financial condition and results of operations.” Significantly, the Commission narrowed the final language so that the disclosure focuses on the impact to the company rather than on specific details of the incident itself. For example, the Commission scrapped the proposed rules’ requirement to disclose the remediation status, whether the incident is ongoing, and whether data was compromised, except as necessary to discuss material impacts to the company (such as intellectual property loss or reputational damage). The disclosure is generally due four business days after the company determines the incident’s materiality, and the materiality determination must be made “without unreasonable delay after discovery of the incident.” However, the disclosure may be delayed if the U.S. attorney general determines that “immediate disclosure would pose a substantial risk to national security or public safety.”
Additionally, the rules require public companies to describe their processes “for assessing, identifying, and managing material risks from cybersecurity threats.” This description must include the material effects or “reasonably likely” material effects of risks from cybersecurity threats and previous cybersecurity incidents, oversight of cybersecurity threat risks by the board of directors, and management’s role and expertise in assessing and managing these risks. The Commission stated in its comments that these disclosures would typically require (among other things) identifying whether a company has a chief information security officer or similar individual.
The final rules will become effective thirty days following publication of the rules in the Federal Register.
Companies may want to review their existing cybersecurity policies, procedures, and controls to ensure that they align with the SEC’s expectations and begin planning for these additional required disclosures. Boards of directors and management may want to become more involved with the design and implementation of these processes to prepare for these associated public disclosures. In addition, companies may want to closely consider triage and escalation procedures for potential material cybersecurity incidents given the extremely short disclosure deadline.
Ogletree Deakins’ Cybersecurity and Privacy Practice Group will continue to monitor developments and will publish updates on the Cybersecurity and Privacy blog as additional information becomes available.