SEC finalizes cybersecurity rules

Under new Item 1.05 of Form 8-K registrants must disclose information about a material cybersecurity incident within four business days after the registrant determines that the incident was material.

This information includes:

• A description of the material aspects of the nature, scope, and timing of the incident.
• The material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.

A registrant may delay providing the disclosures for an initial period of 30 days at the determination of the US Attorney General, if it is determined that the disclosures pose a substantial risk to national security or public safety. Additional requests for delay may be acceptable in certain circumstances. 

Updated incident disclosures on an amended Form 8-K are required for any new information about a previously disclosed material incident that was unavailable or undetermined at the time of the initial Form 8-K filing.

In the May 2024 statement, SEC Corp Fin Director Erik Gerding emphasized that a registrant should not disclose under Item 1.05 of Form 8-K a cybersecurity incident that is not yet determined to be material or is determined to be immaterial. Instead, a registrant may voluntarily disclose those incidents under a different item of Form 8-K, such as Item 8.01. If a registrant initially discloses an immaterial incident or one for which materiality has not been determined under Item 8.01 of Form 8-K, but subsequently determines it to be material, the registrant should file an Item 1.05 Form 8-K within four business days of the subsequent materiality determination.

When a cybersecurity incident is so significant that a registrant determines the incident to be material, even though the registrant has not yet determined its impact (or reasonably likely impact), it should disclose the incident in an Item 1.05 Form 8-K. In that case, the registrant includes a statement that it has not yet determined the impact (or reasonably likely impact) of the incident and amends the Form 8-K to disclose the impact once that information is available. The initial Form 8-K filing should provide investors with necessary information about the nature, scope and timing of the incident, even if the impact (or reasonably likely impact) is not yet determined.

The statement also emphasizes the importance of considering qualitative factors when assessing the impact of a cybersecurity incident. Registrants should not limit their materiality assessment to the impact on financial condition and results of operations but should also consider factors such as harm to reputation, customer or vendor relationships, competitiveness, and the possibility of litigation or regulatory investigations.

Overall, this statement aims to provide clarity and guidance to registrants on the disclosure requirements for cybersecurity incidents. It is not intended to discourage registrants from voluntarily disclosing cybersecurity incidents for which they have not yet determined materiality or incidents they consider immaterial. Such voluntary disclosures are recognized as valuable to investors, the marketplace and registrants. However, registrants are encouraged to make these voluntary disclosures in a manner that does not confuse investors or dilute the value of disclosures regarding material cybersecurity incidents.

In June 2024, Mr. Gerding issued an additional statement clarifying that Item 1.05 of Form 8-K does not prohibit registrants from privately discussing material cybersecurity incidents with other parties (e.g., commercial counterparties, vendors, customers, other parties affected by the same threat actor) or sharing additional information with such parties beyond what was disclosed in the initial Form 8-K filing. 

The statement acknowledged that privately sharing information about a material cybersecurity incident can aid in remediation, mitigation, and risk avoidance efforts, as well as assist other parties in complying with their own incident disclosure obligations.

In his statement, Mr. Gerding also addressed concerns that privately disclosing additional information could implicate the Commission’s rules on selective disclosures outlined in Regulation FD. He stated that Item 1.05 does not alter or change the application of Regulation FD to communications about cybersecurity incidents and registrants can privately share information without implicating Regulation FD in several ways. For example, the shared information may be immaterial, or the parties involved may not fall under the types of persons covered by Regulation FD. Additionally, certain exclusions from Regulation FD may apply, such as sharing information with individuals who owe a duty of trust or confidence to the company or entering into a confidentiality agreement.

Mr. Gerding concluded by stating that while some registrants may be hesitant to privately share information about material cybersecurity incidents, the Commission's rules generally do not prohibit such sharing. He encouraged registrants and their attorneys to navigate the selective disclosure rules in Regulation FD to facilitate the mutually beneficial sharing of information regarding these incidents.

Risk management and strategy

Registrants must provide in their Form 10-K a description of their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, including whether:

• The described cybersecurity processes have been integrated into the registrant’s overall risk management system or processes, and how. 
• The registrant engages assessors, consultants, auditors or other third parties in connection with such processes. 
• The registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider. 

Registrants must also describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant – including its business strategy, results of operations, or financial condition and if so, how. 

Governance

The final rules require disclosures about the board of directors’ oversight of risks from cybersecurity threats and management’s role in assessing and managing material risks from cybersecurity threats. 

The final rules require registrants to report and disclose cybersecurity information in Inline XBRL format.  

Compliance with the structured data requirements is delayed for one year beyond initial compliance with the related disclosure requirement.  

In June 2024, the SEC staff issued five new C&DIs (Questions 104B.05 to 104B.09) to provide guidance on materiality determination and disclosure requirements for ransomware incidents involving ransomware payments.

The SEC staff clarified that:

• Registrants must still make a materiality determination for ransomware incidents, even if the disruption of operations or data exfiltration has been resolved through a ransomware payment.
• The ransomware payment and cessation or apparent cessation of an incident determined to be material does not relieve the registrant of the requirement to report the incident under Item 1.05 of Form 8-K within four business days after determining it has experienced a material cyber incident.
• Reimbursement for a ransomware payment under an insurance policy does not automatically make the incident immaterial.
• The size of a ransomware payment alone does not determine the materiality of a cybersecurity incident; all relevant facts and circumstances should be considered.
  
• Disclosure of a series of related cybersecurity incidents may be required if collectively they are material, even if each incident individually may be considered immaterial.
  

In December 2023, the SEC staff issued four new C&DIs (Questions 104B.01 to 104B.04) to provide implementation guidance about the deadlines for allowable delays for a registrant to file its Form 8-K when the registrant has submitted a request for the Attorney General to authorize the deferral of the filing because disclosure of the incident would pose a substantial risk to national security or public safety.

At that time, the SEC staff also clarified that:

• consulting with the Attorney General about the possibility of a delay does not necessarily result in a determination that the incident was material; and
• registrants are not precluded from consulting with the Attorney General, or other law enforcement or national security agencies, at any point regarding an incident.