Material cybersecurity incidents to be reported on Form 8-K.
Public companies will be required to report information regarding a material “cybersecurity incident” within four business days after the company determines that the incident was material—not from the time of discovery of the incident. And companies must make materiality determinations “without unreasonable delay” after discovery of the incident. Information to be disclosed includes a description of the material aspects of the nature, scope, and timing of the incident, as well as the material impact (or reasonably likely material impact) on the company, including its financial condition and results of operations. Satisfying the deadline for materiality determinations could challenge management teams—particularly in situations where facts continue to unfold and the company is still responding to the cyber incident. Companies will need to create new or revised internal and disclosure controls and ensure coordination among the cyber team, securities lawyers, lawyers assisting the cyber team, and the management disclosure team to make timely materiality determinations.
Companies had expressed concerns about making disclosures if law enforcement requested a delay or national security were implicated, but the final rules include only a narrow exception. If the US Attorney General determines that immediate disclosure poses a substantial risk to national security or public safety and notifies the SEC in writing, disclosure may be delayed for a maximum of 60 days (absent extraordinary circumstances). As a practical matter, such an expedited determination from the US Attorney General will be difficult to obtain. Under existing SEC Rule 0-6 under the Exchange Act, companies also will not be required to disclose information that a department or agency of the Federal government has classified for the protection of the interest of national defense or foreign policy. Updated incident disclosures on an amended Form 8-K are required for any new information about a previously disclosed material incident that was unavailable or undetermined at the time of the initial Form 8-K filing.
Cybersecurity risk management, strategy, and governance disclosures.
Companies must describe in their Form 10-K their processes for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. While companies will not be required to disclose board-level cybersecurity expertise, they will be required to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.
Effective dates.
Companies will be required to make Form 8-K cyber incident disclosures beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure. All public companies will be required to make Form 10-K annual disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023.
Form S-3 Eligibility; Safe Harbor.
Untimely reporting of material cyber incidents on Form 8-K will not jeopardize a company’s ability to use a short-form registration statement on Form S-3. In recognition of the rapid materiality determination management will have to make, the new rules also provide a limited safe harbor from securities law liability for these Form 8-K incident disclosures.
For more information, download the full report below.
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation. KPMG does not provide legal advice.