On July 26, 2023, the SEC adopted a Final Rule significantly expanding cybersecurity disclosure requirements. The rule adds Item 1.05 to Form 8-K to disclose material cybersecurity incidents and new Item 106 to Regulation S-K to require annual disclosures about cybersecurity governance, risk management and strategy in Form 10-K. Similar changes have been made to Forms 20-F and 6-K for Foreign Private Issuers.
The transition for the new Item 1.05 Form 8-K and related Form 6-K disclosures is the later of 90 days after the date of publication of the Final Rule in the Federal Register or December 18, 2023. Smaller reporting companies have an additional 180 days for the Form 8-K changes.
The transition for the new annual report disclosures on Form 10-K and Form 20-F is for fiscal years ending on or after December 15, 2023.
The new disclosures must be tagged with iXBRL beginning one year after the initial disclosure requirements.
New Form 8-K Item 1.05
Item 1.05 requires disclosure of a cybersecurity incident within four days of a company determining that a cybersecurity incident has occurred and is material. General Instruction B.1. to Form 8-K now states:
A report pursuant to Item 1.05 is to be filed within four business days after the registrant determines that it has experienced a material cybersecurity incident.
Disclosure on Form 8-K may be delayed if the “United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.” In this case the U.S. Attorney general must notify the SEC in writing.
The instructions to Form S-3 have been amended to add the Item 1.05 Form 8-K to the list of 8-Ks where late filing does not affect Form S-3 eligibility.
The Instructions for the new Item are:
Item 1.05 Material Cybersecurity Incidents.
(a) If the registrant experiences a cybersecurity incident that is determined by the registrant to be material, describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.
The instructions also state:
A registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.
Similar changes are made to Form 6-K.
New Form 10-K Disclosures
Cybersecurity disclosures will be presented in new Item 1.C. in Part I of Form 10-K. The following has been added to the instructions to the Form:
Part I
**** *
Item 1C. Cybersecurity.
(a) Furnish the information required by Item 106 of Regulation S-K (§ 229.106 of this chapter).
New S-K Item 106 defines various terms and requires disclosures in two main areas:
-
-
- Risk management and strategy; and
-
-
-
- Governance
-
Risk management and strategy disclosures include “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats.” These disclosures should address whether cybersecurity risk management is integrated into the company’s overall risk management processes, information about the use of outside resources and how the company addresses cybersecurity risk in the use of third party service providers.
In an MD&A like requirement, risk management and strategy disclosures should also address whether cybersecurity risks “have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how.”
Governance disclosures should describe the board of directors’ oversight of cybersecurity risks The Final rule also states, “If applicable, identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describe the processes by which the board or such committee is informed about such risks.” Companies must also include details about management’s role in assessing and managing material cybersecurity risk. Not included in the Final Rule was a provision in the proposed rule to address board expertise in the cybersecurity area.
You can read the entire text of new Item 106 and the related definitions on page 169 of the Final Rule.
Similar changes are made to Form 20-F in a new Item 16K.
As always, your thoughts and comments are welcome.