The Securities and Exchange Commission (SEC) has finalized new rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the Securities Exchange Act of 1934 reporting requirements.
Specific to disclosures, the SEC amendments require:
- Disclosures of material cybersecurity incidents be made in a timely manner.
- Disclosures about a registrant’s processes to assess, identify, and manage material cybersecurity risks, management’s role in assessing and managing material cybersecurity risks, and the board of directors’ oversight of cybersecurity risks be provided periodically.
- Disclosures to be presented in Inline eXtensible Business Reporting Language (Inline XBRL).
Summary of Disclosure Requirements
Additional information can be found at 88 Fed. Reg. 51896 (August 4, 2023).
Regulation S-K Item 106(b) – Risk management and strategy. Beginning with annual reports for fiscal years ending on or after December 15, 2023, registrants must periodically disclose their processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats, and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition. On an annual basis, registrants must disclose material information in regard to their risk management and strategy on Form 10-K (Form 20-F for foreign private issuers). Inline XBRL tagging of the disclosures is required by December 15, 2024.
Regulation S-K Item 106(c) – Governance. Beginning with annual reports for fiscal years ending on or after December 15, 2023, registrants must describe the board’s oversight of risks from cybersecurity threats and describe management’s role in assessing and managing material risks from cybersecurity threats. On an annual basis, registrants must disclose material information in regard to their governance on Form 10-K (and for foreign private issuers on Form 20-F). Inline XBRL tagging of the disclosures is required by December 15, 2024.
Form 8-K Item 1.05 – Material Cybersecurity Incidents. For all registrants other than smaller reporting entities, mandatory disclosure of cybersecurity incidents goes into effect on December 18, 2023. (Smaller reporting companies are given an additional 180 days from this date to comply, no later than June 15, 2024.) Registrants must disclose any cybersecurity incident they experience that is determined to be material, and describe the material aspects of its nature, scope, and timing and impact or reasonably likely impact. This disclosure must be filed within four (4) business days of determining an incident was material and without unreasonable delay. However, a registrant may delay filing, if the United States Attorney General determines immediate disclosure would pose a substantial risk to national security or public safety. Inline XBRL tagging is required for such disclosures of material cybersecurity incidents and must occur by December 18, 2024 (i.e., beginning one year after initial compliance with the related disclosure requirement). Additionally, registrants must amend a previously filed Item 1.05 Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing.
In summary, after a cybersecurity incident has been deemed to be material, Form 8-K Item 1.05 must be filed within four business days and without unreasonable delay. There is an exception, however, if the United States Attorney General has deemed that the immediate disclosure would pose a substantial risk to national security or public safety. Previously filed Item 1.05 Form 8-K disclosures may be amended, if such information was not determined or otherwise unavailable at the time of the initial Form 8-K filing.
Form 6-K – Material Cybersecurity Incidents (Foreign Private Issuers). Foreign private issuers must furnish on Form 6-K information on material cybersecurity incidents that they disclose or otherwise publicize in a foreign jurisdiction, to any stock exchange, or to security holders.
Form 20-F (Foreign Private Issuers (FPIs)). Foreign private issuers must describe the board’s oversight of risks from cybersecurity threats and describe management’s role in assessing and managing material risks from cybersecurity threats.
Inline XBRL (Inline eXtensible Business Reporting Language) tagging. Disclosures required by these rules must be in Inline XBRL format. This enables automated extraction and analysis of the information. Large-scale analysis and comparison of the information across registrants is also possible. Automatic comparison and redlining of disclosures against prior periods can also be done. Targeted artificial intelligence or machine learning assessments of language used in the cybersecurity disclosures can also be performed, considering factors such as tonality, sentiment, risk words, and others.
The Inline XBRL tagging requirement begins one year after the initial compliance date for the related disclosure requirement for any issuer. Specifically:
- For the disclosure of material cybersecurity incidents (Item 1.05 of Form 8–K and Form 6–K), Inline XBRL tagging must start on December 18, 2024.
- For the disclosure of material information relating to risk management and strategy as well as governance (Item 106 of Regulation S-K and Item 16K of Form 20-F), Inline XBRL tagging must begin with annual reports for fiscal years ending on or after December 15, 2024.
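The automated extraction and prior-period redlining that Inline XBRL makes possible, shown as an added example in Python (not code from the original page and not an SEC tool). The `cyd:` concept names are placeholders for the real taxonomy elements, and both filings are constructed samples; everything else uses only the standard library.

```python
"""Automated extraction and redlining of Inline XBRL cybersecurity disclosures.

Added example, not code from the original page or from the SEC. The concept
names under the ``cyd:`` prefix are placeholders for the real taxonomy
elements, and both filings below are constructed samples.
"""
import difflib
import xml.etree.ElementTree as ET

IX_NS = "http://www.xbrl.org/2013/inlineXBRL"  # Inline XBRL 1.1 namespace
XHTML_NS = "http://www.w3.org/1999/xhtml"

# Placeholder concept names for the three Item 106 disclosure elements.
REQUIRED_CONCEPTS = (
    "cyd:ProcessesPlaceholder",       # Item 106(b) risk management and strategy
    "cyd:BoardOversightPlaceholder",  # Item 106(c)(1) board oversight
    "cyd:ManagementRolePlaceholder",  # Item 106(c)(2) management's role
)

# Constructed prior-year 10-K fragment: two tagged text blocks, one with
# nested XHTML markup and line breaks, as real filings have.
PRIOR_10K = f"""<html xmlns="{XHTML_NS}" xmlns:ix="{IX_NS}" xmlns:cyd="urn:placeholder:cyd">
<body><div id="item1c">
  <p><ix:nonNumeric name="cyd:ProcessesPlaceholder" contextRef="FY2023" id="f1">
    We maintain a <b>risk assessment program</b> integrated into enterprise
    risk management.
  </ix:nonNumeric></p>
  <p><ix:nonNumeric name="cyd:BoardOversightPlaceholder" contextRef="FY2023" id="f2">
    The Audit Committee oversees cybersecurity risk and receives quarterly briefings.
  </ix:nonNumeric></p>
</div></body></html>"""

# Constructed current-year 10-K fragment: one block reworded, one unchanged,
# one newly added.
CURRENT_10K = f"""<html xmlns="{XHTML_NS}" xmlns:ix="{IX_NS}" xmlns:cyd="urn:placeholder:cyd">
<body><div id="item1c">
  <p><ix:nonNumeric name="cyd:ProcessesPlaceholder" contextRef="FY2024" id="f1">
    We maintain a <b>risk assessment program</b> integrated into enterprise
    risk management and engage an external assessor annually.
  </ix:nonNumeric></p>
  <p><ix:nonNumeric name="cyd:BoardOversightPlaceholder" contextRef="FY2024" id="f2">
    The Audit Committee oversees cybersecurity risk and receives quarterly briefings.
  </ix:nonNumeric></p>
  <p><ix:nonNumeric name="cyd:ManagementRolePlaceholder" contextRef="FY2024" id="f3">
    Our Chief Information Security Officer, who has prior incident response
    experience, reports on cybersecurity risk to the Audit Committee quarterly.
  </ix:nonNumeric></p>
</div></body></html>"""


def extract_facts(ixbrl: str) -> dict[str, str]:
    """Return {concept name: whitespace-normalized text} for every ix:nonNumeric
    fact. Nested XHTML inside a fact is flattened to its text. A real filing may
    tag one concept in several contexts; key on (name, contextRef) in that case."""
    root = ET.fromstring(ixbrl)
    facts: dict[str, str] = {}
    for fact in root.iter(f"{{{IX_NS}}}nonNumeric"):
        text = " ".join("".join(fact.itertext()).split())
        facts[fact.get("name")] = text
    return facts


def missing_concepts(facts: dict[str, str], required=REQUIRED_CONCEPTS) -> list[str]:
    """Concepts the filing should tag but does not."""
    return [c for c in required if c not in facts]


def redline(prior: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify each concept as added, removed, changed or unchanged between periods."""
    report: dict[str, list[str]] = {"added": [], "removed": [], "changed": [], "unchanged": []}
    for name in sorted(set(prior) | set(current)):
        if name not in prior:
            report["added"].append(name)
        elif name not in current:
            report["removed"].append(name)
        elif prior[name] == current[name]:
            report["unchanged"].append(name)
        else:
            report["changed"].append(name)
    return report


def word_diff(old: str, new: str) -> list[tuple[str, str, str]]:
    """Word-level edits (opcode, old words, new words) for one changed fact."""
    a, b = old.split(), new.split()
    matcher = difflib.SequenceMatcher(None, a, b)
    return [
        (op, " ".join(a[i1:i2]), " ".join(b[j1:j2]))
        for op, i1, i2, j1, j2 in matcher.get_opcodes()
        if op != "equal"
    ]


if __name__ == "__main__":
    prior, current = extract_facts(PRIOR_10K), extract_facts(CURRENT_10K)
    print("missing in prior year:", missing_concepts(prior))
    report = redline(prior, current)
    print(report)
    for name in report["changed"]:
        print(name, word_diff(prior[name], current[name]))
```

Keying facts by concept name is what lets the same check run across many registrants' filings: the concept, not the wording or page layout, is the stable identifier.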
Summary of Form Changes
The following table is an excerpt from the published final rules, 88 Fed. Reg. 51896 (August 4, 2023).
[Table not reproduced in this extract; only the fragments "Final Amendments and Effects", "Regulation S-K Item 106", and "Form 10-K and" survive.]
[Special note for Form 8-K – General Instructions: “A report pursuant to Item 1.05 is to be filed within four business days after the registrant determines that it has experienced a material cybersecurity incident.”]
Things to Consider
Cybersecurity Management, Strategy, and Governance (Regulation S-K Item 106)
The SEC will now require disclosures regarding cybersecurity risk management, strategy, and governance since it believes that such disclosures are important to investors. The following sections will discuss how these disclosures relate to processes, management’s role and relevant expertise, and cybersecurity risk oversight. These requirements are intended to improve the timeliness and amount of informative detail in cybersecurity disclosures reported to the SEC. In the published final rules, the SEC asserts that such required disclosures may lower companies’ capital costs and increase the value of companies, thereby benefiting investors. These disclosures also should be filed in Inline XBRL format.
Processes (Item 106(b))
Registrants must describe the processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents. As stated in the final rules, investors need to ascertain a registrant’s cybersecurity practices, including whether there is a risk assessment program in place, and to obtain enough information to understand the registrant’s cybersecurity risk profile. But the SEC stated that the final rules only refer to “processes” since the disclosure should not include operational details that could be weaponized by threat actors.
According to the SEC, the registrant should describe the registrant’s process, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail to understand those processes. In providing this disclosure, a registrant should address, as applicable, the following non-exhaustive list of disclosure items (also referred to as “elements”):
- Whether and how any such processes have been integrated into the registrant’s overall risk management system or processes;
- Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
- Whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.
The registrant should also describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how.
Based upon these requirements and considerations, there is a fine line between what is sufficient disclosure to the SEC (and to investors) versus what may not be enough. Readers are encouraged to monitor Electronic Data Gathering, Analysis, and Retrieval System (EDGAR) filings for reports that are filed pursuant to this requirement, review investor relations resources of US publicly traded companies, and to look for any future SEC guidance on this point. EDGAR is a public database that provides access to the SEC filings of registered companies. These filings include financial and operational information.
Governance (Item 106(c))
Registrants must describe the board of directors’ oversight of risks from cybersecurity threats and describe management’s role in assessing and managing the registrant’s material risks from cybersecurity threats.
Governance: Board Oversight (Item 106(c)(1))
Registrants must describe the board of directors’ oversight of risks from cybersecurity threats and, if applicable, identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats. (For foreign private issuers with a two-tier board of directors, the term “board of directors” means the supervisory or non-management board, according to Instruction 1 of Item 106(c).) Registrants also need to describe the processes by which the board or board committee is informed about these cybersecurity risks.
Now is the time for registrants to examine how the board has oversight of risks from cybersecurity threats and, if it applies, whether there is a board committee or subcommittee that is responsible for such oversight. Public companies must now disclose this in their annual reports, namely, in Form 10-K for U.S. public companies and Form 20-F for foreign private issuers, for fiscal years ending on or after December 15, 2023. Because these are public filings with the EDGAR system, an individual (such as an investor or otherwise) can access the system to review the disclosures that are filed in compliance with this disclosure requirement.
Additionally, this disclosure requirement provides that the board itself may have oversight of risks from cybersecurity threats or, in the alternative, that a board committee or subcommittee may be responsible for oversight of risks from cybersecurity threats. While the rules do not go into this level of detail, the board committee or subcommittee, if one is used for such oversight, may be composed of both board members and non-board members. Board committees or subcommittees may be helpful, especially when the board does not have a director with cybersecurity expertise.
Governance: Management’s Role (Item 106(c)(2))
Registrants must also describe management’s role in assessing and managing material risks from cybersecurity threats. The SEC provides a non-exclusive list of elements for such a disclosure; it includes the management positions or committees responsible for assessing and managing such risks and the relevant expertise of such persons or members, in sufficient detail to fully describe the nature of the expertise. The SEC also explains (Instruction 2 to Item 106(c)) that previous cybersecurity work experience, relevant degrees or certifications, and any knowledge, skills, or other background in cybersecurity would provide salient information regarding the relevant expertise of management.
Other elements in this list include the processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents, and whether these persons or committees report information about these risks to the board of directors or a committee or subcommittee of the board of directors.
Based upon these elements, it may be time to look at the organizational chart and make sure it is clear, well-defined, and up to date. Establish a clear chain-of-command and delineation of duties. Make sure that individuals in management roles are adequately informed of what is happening at any given time. Ensure that there is a mechanism to regularly report information about cybersecurity risks to the board of directors or a committee or subcommittee of the board of directors. (This mechanism should account for normal times and abnormal times, such as in the case of a significant cybersecurity incident.) Make sure your organization adheres to the Inline XBRL tagging requirement for responsive disclosures.
Material Cybersecurity Incidents (Form 8-K Item 1.05; Form 6-K for Foreign Private Issuers)
When assessing the materiality of cybersecurity incidents, risks, and related issues, companies should do this through the lens of the reasonable investor and take into account all relevant facts and circumstances. Factors to consider include, but are not limited to, the immediate consequences and any longer-term effects on operations, finances, brand perception, customer relationships, as well as other relevant factors.
Registrants have four (4) business days (and otherwise must act without unreasonable delay) to 1) disclose a material cybersecurity incident to the SEC, 2) describe the material aspects of its nature, scope, and timing, and 3) describe its impact or reasonably likely impact. The materiality determination regarding a cybersecurity incident must be made without unreasonable delay after discovery of the incident. Notwithstanding this, if the U.S. Attorney General notifies the SEC in writing that the disclosure would pose a substantial risk to national security or public safety, the disclosure may be delayed, as more fully described in the published final rules, 88 Fed. Reg. 51896 (August 4, 2023).
Nonetheless, it is important to note that the disclosure deadline does not necessarily run from the time the cybersecurity incident was discovered, but only from the time it has been determined to be a material cybersecurity incident. (Of course, not all cybersecurity incidents are material in nature. The determination is very much fact specific.) Additionally, in terms of the content of the disclosure, the SEC clarified in the published final rules that registrants do not have to disclose specific or technical information about the planned response to the incident or about their cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail that it would impede the registrant’s incident response or remediation. Remember that Inline XBRL tagging also applies to this material cybersecurity incident disclosure requirement.
Learn everything you need to know about the new SEC ruling and gain actionable insights at the SANS Cyber Compliance Countdown event on November 2, 2023.