New SEC Rules For Cybersecurity Incident and Risk Management Disclosures

The Securities and Exchange Commission (SEC) issued a final rule on July 26, 2023, requiring public companies to disclose material cybersecurity incidents on Form 8-K within four business days of discovery. Additionally, companies must provide annual disclosures in Form 10-K regarding their processes for identifying, assessing, and managing cybersecurity risks and governance.

This regulatory update, as outlined by Kilpatrick Townsend & Stockton LLP, mandates a standardized approach to cyber-risk transparency. Public companies must now balance the need for rapid incident reporting with the complexity of determining materiality. Beyond incident reporting, the rules emphasize the importance of board-level oversight and management’s role in cybersecurity governance, ensuring that investors receive consistent information about how companies mitigate threats to their information systems.

Key Takeaways

  • Four-Day Reporting: Material cybersecurity incidents must be disclosed on Form 8-K within four business days of the materiality determination.
  • Annual Risk Disclosure: Companies must disclose their cybersecurity risk management and governance processes annually in Form 10-K.
  • Materiality Standard: Materiality is based on whether a reasonable shareholder would consider the information important to their investment decision.
  • Oversight Requirements: Disclosures must detail how the board and management oversee and mitigate cybersecurity risks.
  • Phased Implementation: Requirements for incident reporting and annual disclosures have staggered effective dates beginning in late 2023.

What are the key compliance deadlines for the new SEC rules?

The implementation of these rules is phased, with different timelines for incident reporting and annual risk management disclosures.

  • Incident Reporting (Form 8-K): Requirements become effective for most companies on December 18, 2023. Smaller reporting companies have until June 15, 2024.
  • Annual Risk Management Disclosure (Form 10-K): All reporting companies are subject to these rules for fiscal years ending on or after December 15, 2023.

How do the SEC disclosure requirements compare?

The new SEC rules distinguish between immediate incident reporting and ongoing risk management disclosures.

Requirement          Form   Timing            Focus
Material Incident    8-K    4 business days   Nature, scope, impact, and timing
Risk Management      10-K   Annual            Processes, governance, and board oversight

What constitutes a material cybersecurity incident?

A “cybersecurity incident” is defined as an unauthorized occurrence on a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of information. Materiality is determined by the standard securities law formulation: whether there is a substantial likelihood that a shareholder would consider the information important in making an investment, or if the information would significantly alter the “total mix” of information available. Companies must determine materiality “without unreasonable delay” following the discovery of an incident.

Are there exceptions for delaying disclosure?

Yes, the SEC identifies two specific circumstances where a delay in filing is permissible:

  • National Security or Public Safety: A delay is allowed if the U.S. Attorney General notifies the SEC that disclosure poses a substantial risk to national security or public safety. This allows for a 30-day delay, with potential for further extensions.
  • FCC Breach Rules: Companies subject to Federal Communications Commission (FCC) breach disclosure rules for customer proprietary network information may delay filing if they notify the SEC by the day disclosure would otherwise be required.

How should companies manage cybersecurity risks for SAP?

Organizations must secure mission-critical systems to minimize the likelihood of incidents that require public disclosure. The Cybersecurity Extension for SAP (CES) helps organizations implement vulnerability management, patch management, and threat detection. By strengthening the security of SAP environments, companies can better prevent unauthorized occurrences and ensure they have the necessary investigation capabilities to meet SEC reporting standards.
