On July 26, 2023, a divided SEC adopted, by a 3-2 vote, final rules for cybersecurity disclosures. The final rules are based on proposed rules the agency first introduced in March 2022. The rules require companies to disclose material cybersecurity incidents they experience, and also to disclose on an annual basis material information regarding their cybersecurity risk management and governance. The rules will have a significant impact on reporting companies’ disclosure practices and could present a challenge for some companies. A copy of the final cybersecurity disclosure rules can be found here. The SEC’s July 26, 2023, press release about the final cybersecurity disclosure rules can be found here. The SEC’s two-page fact sheet about the new rules can be found here.

Background

In March 2022, the SEC proposed new disclosure and reporting rules with respect to cybersecurity issues. The Commission observed that cybersecurity threats and incidents “pose an ongoing and escalating risk to public companies, investors, and market participants.” The Commission also noted that the “cost to companies and their investors of cybersecurity incidents is rising and doing so at an increased rate.” The Commission observed that disclosure practices regarding cybersecurity are inconsistent, and so it proposed the cybersecurity reporting rules to foster “consistent, comparable, and decision-useful disclosures that would allow investors to evaluate registrants’ exposure to material cybersecurity risks … as well as registrants’ ability to manage and mitigate those risks.” The proposed rules were then put out for a public comment period. The rules as adopted on July 26 largely track the proposed rules, with some important exceptions.

The Final Incident Reporting Requirements

One of the key elements of the final rules, and the one that undoubtedly will receive the most attention, is the new Item 1.05 of Form 8-K, which requires reporting companies to disclose any cybersecurity incident they determine to be material within four business days of the materiality determination, and to describe the material aspects of the nature, scope, and timing of the incident, as well as its material impact or reasonably likely material impact on the company, including its financial condition and results of operations. The reporting company must determine the materiality of the incident without unreasonable delay following discovery and, if the incident is determined to be material, file the Form 8-K within four business days of that determination. The disclosure may be delayed if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of that determination in writing. The Commission also amended Form 6-K to require foreign private issuers to furnish information on material cybersecurity incidents that they are required to disclose in a foreign jurisdiction, to a securities exchange, or to security holders.

The Final Cybersecurity Risk Management Disclosure Requirements

Under the final rules (new Item 106 of Regulation S-K), reporting companies will be required to disclose in their annual reports their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, including whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company. The final rules also require the company to describe the board of directors’ oversight of risks from cybersecurity threats and the role and expertise of company management in assessing and managing material risks from cybersecurity threats. The rules also provide that foreign private issuers will be required to make comparable disclosures in their annual reports.

The Rules’ Effectiveness Dates

The final rules become effective 30 days after publication in the Federal Register. Compliance with the cyber incident reporting rule (Form 8-K Item 1.05 and the corresponding Form 6-K amendments) will be required beginning on the later of 90 days after the rules’ publication in the Federal Register or December 18, 2023 (though smaller reporting companies will have an additional 180 days before they must begin providing the incident disclosures). The annual cyber risk management and governance disclosures will be required in annual reports for fiscal years ending on or after December 15, 2023.

Discussion

The possibility that some form of these rules might be put in place has been hanging out there for about 16 months. Nevertheless, I think many reporting companies are unprepared for these requirements. For example, I do not think every company is, at least at this point, in a position to describe its processes for identifying and managing cybersecurity threats, or its board’s processes for overseeing these risks.

As companies scramble to put themselves in a position to comply with these rules, they will divert time, attention, and money away from other tasks. Commissioner Hester Peirce, in her dissent from the rules’ adoption, said the rules will push companies into spending resources complying with the rules and conforming their other disclosure practices “instead of on combating cyber threats as they see fit.” Commissioner Peirce also criticized the rules’ compliance timelines, which she called “aggressive,” suggesting that many companies will struggle to comply with the new requirements within the timeline adopted.

I have a different concern, which has to do with what the securities plaintiffs’ lawyers will do with the required disclosures. I can envision that after a company suffers a cybersecurity incident, plaintiffs’ lawyers, armed with the knowledge of what kind of incident the company suffered, will go back and scrutinize the company’s prior disclosures and say that the company did not properly disclose to investors the risk of the specific incident that later took place, or that the procedures the company described were represented as sufficient to prevent the kind of incident that occurred.

Similarly, I worry about the mandated disclosures concerning board cybersecurity governance practices, particularly with respect to board oversight processes concerning cybersecurity. Again, plaintiffs’ lawyers armed with the benefit of hindsight after an incident has occurred will go back and scrutinize the prior board governance disclosures to try to argue that actual practices differed from those disclosed, or that the disclosures omitted oversight inadequacies that permitted the incident that occurred.

It will be interesting to see how companies fare grappling with the four-business-day reporting requirement. To be sure, the four business days run only from the date that the company determines that the cyber incident is material. My concern is that the company may be quite sure that an incident is material but not yet be in a position to report all of the specific items the rules require companies to disclose (that is, to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the reporting company). I can easily imagine a securities suit being filed based on the allegation that the initial, rushed four-day disclosure was misleading because the incident turns out to have been far different than was initially thought – that is, that it turned out to be much greater in scope, or to involve a much longer time period, than initially thought. My fear is that the disclosures the rules require companies to make in a big rush may force companies to “go public” before they fully understand the situation, and that plaintiffs’ lawyers will later claim these rushed disclosures were misleading and that the companies deliberately tried to “soft pedal” the description of the incident.

My crystal ball is no better than anyone else’s, so I am not making any predictions. However, I do suspect that later this fall there will be a rash of news articles reporting that companies are struggling to get themselves in a position to comply with these new rules, and that companies are finding it very costly and time-consuming to do so. I also suspect it won’t be too long after the rules go into effect that claims arise, after a company suffers a cyber incident, alleging that the company’s cybersecurity disclosures were misleading because they failed to warn of the risk of the incident that occurred, or alleging that the company’s four-day cybersecurity incident report was misleading because various aspects of the incident turned out on full investigation to be different than was initially disclosed.