Cybersecurity continues to be a critical concern for businesses, investors, and regulators alike. In response to the growing number of cyber incidents impacting public companies, the U.S. Securities and Exchange Commission (SEC) has intensified its focus on cybersecurity disclosures. The SEC's new rules, adopted in July 2023, emphasize transparency and accountability in managing and reporting cybersecurity incidents. These rules affect both domestic and foreign companies and require timely disclosure of material cybersecurity events, as well as enhanced reporting on cybersecurity risk management, strategy, and governance.

OVERVIEW OF THE NEW CYBERSECURITY DISCLOSURE REQUIREMENTS

The SEC's final rules mandate that companies disclose material cybersecurity incidents in their Form 8-K filings, under Item 1.05. This new section specifies that companies must file a report within four business days after determining that a cybersecurity incident is material. The disclosure should include:

• The nature of the incident (What happened? Was there data theft, operational disruption, etc.?)
• The scope and timing of the incident (How widespread was it, and when did it occur?)
• Material impact or the reasonably likely impact on the company (How has this affected the business, or how might it in the future?)

Companies need to closely monitor their operations and cybersecurity posture, ensuring that they identify and assess the materiality of any cyber incident promptly. This requirement ensures that investors receive timely and accurate information about incidents that could significantly affect the company’s financial standing or reputation.

DELAYING DISCLOSURES FOR NATIONAL SECURITY CONCERNS

Given the sensitive nature of cybersecurity incidents, the SEC has included provisions allowing for a delay in disclosure if certain conditions are met. Companies may delay reporting a material cybersecurity event if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety. In such cases, the Attorney General must provide written notice of this determination to the SEC.

The potential delay in disclosure includes:

• An initial period of up to 30 days, with the possibility of a further 30-day extension upon request by the Attorney General.
• In extraordinary cases, the disclosure can be delayed for an additional 60 days if the Attorney General determines the national security risk still exists.

It’s also worth noting that a company may delay filing Form 8-K for up to seven business days after notifying the Secret Service and FBI about a breach of customer proprietary network information (under FCC rules), with written notification to the SEC. These delay provisions provide flexibility for companies handling highly sensitive information but also set clear guidelines to prevent indefinite withholding of critical information from investors.

UNDERSTANDING THE SEC’S NEW C&DI ON CYBERSECURITY DISCLOSURES

To further clarify the new rules, the SEC has published three Compliance and Disclosure Interpretations (C&DIs), which address specific situations related to Form 8-K filing requirements:

1. Question 104B.01: If a company experiences a material cybersecurity incident and requests a delay from the Attorney General, but the Attorney General declines or fails to respond before the Form 8-K is due, the company must file the Form 8-K within four business days of determining the incident is material. Simply requesting a delay does not alter the company’s filing obligation unless the Attorney General confirms that a delay is necessary.
2. Question 104B.02: If the Attorney General grants a delay but does not extend the delay beyond the initial period, the company must file the Form 8-K within four business days after the expiration of the delay period.
3. Question 104B.03: If the Attorney General withdraws the delay before the granted period expires (by determining that disclosure no longer poses a national security or public safety risk), the company must file the Form 8-K within four business days of receiving this notification.

These interpretations provide companies with much-needed guidance on how to manage their obligations when they are handling cybersecurity incidents that involve potential risks to national security.

IMPACT ON GOVERNANCE AND RISK MANAGEMENT DISCLOSURES

Beyond incident reporting, the SEC’s final rules require companies to provide detailed disclosures about their cybersecurity risk management, strategy, and governance in annual reports. Specifically, companies must describe:

• How they assess, identify, and manage cybersecurity risks.
• How their cybersecurity risk management strategy aligns with the company’s business objectives.
• The board of directors’ oversight of cybersecurity risks, including whether any board member has expertise in cybersecurity.
• Management’s role in implementing cybersecurity risk controls, and the extent to which risk management responsibilities are delegated to specific individuals or committees.

This focus on governance is part of the SEC’s broader push for greater accountability at the leadership level. By requiring transparency in how companies manage and oversee cybersecurity risks, the SEC is urging companies to adopt robust governance frameworks and ensure that cybersecurity is a board-level priority.

CHALLENGES AND BEST PRACTICES FOR COMPANIES

While the new rules increase transparency, they also place additional compliance burdens on companies. Here are some best practices to consider when navigating the SEC's cybersecurity disclosure requirements:

1. Proactively Manage Cybersecurity Risks: Companies should regularly assess and update their cybersecurity programs to mitigate risks effectively. This includes implementing preventive measures, conducting regular audits, and ensuring that both management and the board are informed about the latest cybersecurity threats.
2. Develop Clear Incident Response Protocols: Having an efficient incident response plan is essential. Companies should know how to identify a material incident quickly and ensure that the necessary stakeholders are engaged. Timely decision-making is crucial, particularly when considering the four-business-day window for filing Form 8-K.
3. Coordinate with Legal Counsel on National Security Concerns: Companies facing incidents with potential national security implications should work closely with legal counsel to navigate the complexities of delayed disclosure and ensure compliance with both SEC regulations and national security protocols.
4. Enhance Board Oversight: Companies should consider appointing or engaging board members with expertise in cybersecurity. Given the importance of board oversight in the SEC’s new governance rules, having the right individuals in place can bolster both compliance and the company’s overall cybersecurity posture.
5. Stay Informed About Evolving Cyber Threats: The landscape of cybersecurity risks is constantly evolving. Companies should continuously educate their teams on emerging threats and adjust their strategies accordingly.

CONCLUSION

The SEC’s new cybersecurity disclosure rules signal a significant shift in how companies are expected to manage and report cybersecurity risks. By requiring timely disclosure of material incidents, focusing on governance, and offering provisions for delayed reporting in national security cases, the SEC is raising the bar for corporate cybersecurity transparency. Companies must now be prepared not only to respond swiftly to cyber incidents but also to disclose them accurately and promptly while balancing national security concerns. Compliance with these rules will require ongoing vigilance, robust cybersecurity governance, and close collaboration with legal counsel and regulatory bodies.