Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

Cybersecurity Law & StrategyFeaturesCybersecurityRegulationTechnology Media and Telecom

10 Steps Legal Departments Should Be Taking to Prepare for the SEC's Newly Adopted Cybersecurity Risk Governance Rule for Public Companies

By Megan Silverman
September 01, 2023

On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) adopted final rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incident reporting by public companies subject to the Securities Exchange Act of 1934. The final rules passed by a narrow 3-2 vote, which is representative of the compromise required to enact these much commented on rules that will be burdensome, especially for public companies with underdeveloped cybersecurity programs. The adoption of these SEC cybersecurity rules demonstrates that cybersecurity is a top corporate risk today and that the SEC is arming investors with information to better evaluate it. In Commissioner Caroline Crenshaw's statement on the SEC rules' adoption, she noted that, "cybersecurity breaches reported by public companies increased by nearly 600% in the last decade and the costs, borne by issuers and their investors, are estimated to be in the trillions of dollars per year in the U.S. alone." Since cybersecurity risks and the cost of resolving cyber incidents have increased alongside the digitalization of operations, the growth of remote work and the increasing reliance on third-party service providers for information technology services, the SEC has determined investors require more consistent, comparable, decision-useful and transparent disclosures to evaluate a company's exposure to cybersecurity risks and incidents as well as a company's ability to manage and mitigate those risks.

After much deliberation and compromise, below are the key requirements of the SEC's new cybersecurity rules:

  • New Form 8-K Item 1.05 requires the disclosure of any cybersecurity incident determined to be material within four business days of the materiality determination with a description of the pertinent aspects of the nature, scope and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the company, including its financial condition, operations and reputational harm.
    • Consistent with traditional securities law, an incident is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision or if it would significantly alter the "total mix" of information available.
    • The four-business day disclosure requirement is triggered on the date on which the company determines that a cybersecurity incident is material, not the date the incident is discovered. An instruction to Form 8-K provides that a materiality determination must be made "without unreasonable delay" after discovery of a cybersecurity incident.
    • The disclosure may be delayed if the attorney general notifies the SEC after determining that immediate disclosure would pose a substantial risk to national security or public safety.
  • New Regulation S-K Item 106 requires companies to describe their processes for assessing, identifying and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company. Item 106 also requires companies to describe the board of directors' oversight of risks from cybersecurity threats and management's role and expertise in assessing and managing material risks from cybersecurity threats.
    • Form 6-K and Form 20-F have also been amended to include similar requirements for foreign private issuers (nongovernmental companies incorporated outside of the U.S. doing business in the U.S.).

The incident disclosure requirements in Form 8-K Item 1.05 go into effect the later of 90 days after the date of publication in the Federal Register or Dec. 18, 2023. Smaller reporting companies (companies with a public float of less than $250 million or less than $100 million in annual revenues) enjoy an additional 180 days until the incident disclosure requirements go into effect. With respect to Regulation S-K Item 106, companies must provide disclosures beginning with annual reports for fiscal years ending on or after Dec. 15, 2023.

This premium content is locked for Cybersecurity Law & Strategy subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
The DOJ's Corporate Enforcement Policy: One Year Later Image

The DOJ's Criminal Division issued three declinations since the issuance of the revised CEP a year ago. Review of these cases gives insight into DOJ's implementation of the new policy in practice.

The DOJ's New Parameters for Evaluating Corporate Compliance Programs Image

The parameters set forth in the DOJ's memorandum have implications not only for the government's evaluation of compliance programs in the context of criminal charging decisions, but also for how defense counsel structure their conference-room advocacy seeking declinations or lesser sanctions in both criminal and civil investigations.

Use of Deferred Prosecution Agreements In White Collar Investigations Image

This article discusses the practical and policy reasons for the use of DPAs and NPAs in white-collar criminal investigations, and considers the NDAA's new reporting provision and its relationship with other efforts to enhance transparency in DOJ decision-making.

Bankruptcy Sales: Finding a Diamond In the Rough Image

There is no efficient market for the sale of bankruptcy assets. Inefficient markets yield a transactional drag, potentially dampening the ability of debtors and trustees to maximize value for creditors. This article identifies ways in which investors may more easily discover bankruptcy asset sales.

Compliance Officers: Recent Regulatory Guidance and Enforcement Actions and Mitigating the Risk of Personal Liability Image

This article explores legal developments over the past year that may impact compliance officer personal liability.