On July 26, 2023, the SEC finalized long-awaited disclosure rules (the “Final Rules”) regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.  While the end results are substantially similar to rules proposed by the SEC in March 2022, there are some key distinctions. 

The top five takeaways are:

  1. Disclosure of Cybersecurity Incidents within 4 Days of Materiality Determination. Public companies must now disclose in their Form 8-K Item 1.05 filings “any cybersecurity incident that they experience that is determined to be material” and describe “material aspects” of the reported incident, including a description of its nature, scope, timing, and impact on the company, within four business days of determining a cybersecurity incident is material.

    Recognizing that a materiality determination requires an informed and deliberate process, the Final Rules nevertheless require that such a determination be made “without unreasonable delay.” The materiality analysis should be “consistent with the standard set out in the cases addressing materiality in the securities laws, that information is material if ‘there is a substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision, or if it would have ‘significantly altered the ‘total mix’ of information made available.’” See Final Rules at 80.

    Per the SEC, “adhering to normal internal practices and disclosure controls and procedures will suffice to demonstrate good faith compliance.” See Final Rules at 38. Thus, public company officers and directors should assess existing disclosure controls and procedures to ensure that information about cybersecurity incidents is properly escalated, as appropriate, to management, the board, and any board committees with oversight of cybersecurity, and to ensure they are capturing what the Final Rules require. Companies should ensure they have appropriate internal and outside experts and advisors to assist in making a materiality determination regarding a particular cybersecurity incident.
  2. Board Expertise Requirement Removed. Following substantial comments, the SEC declined to adopt in the Final Rules a proposed requirement for disclosure of cybersecurity expertise, if any, for a company’s board of directors. See Final Rules at 81. Among the comments opposing this proposed requirement were those noting a shortage of cybersecurity expertise in the marketplace, which would make this requirement difficult to fulfill. See Final Rules at 83.

    However, pursuant to Regulation S-K Item 106(b), public companies must now describe annually in their Form 10-K the board’s oversight of risks arising from cybersecurity threats, as well as management’s role in assessing and managing such material risks. See Final Rules at 171. Accordingly, public companies would be well advised to consider retaining outside experts, including cybersecurity counsel, to help train directors in cybersecurity matters, including on incident response, with periodic refresher trainings, to ensure appropriate oversight of cybersecurity risks and developments. And while the SEC did not adopt the board expertise disclosure requirement, the Final Rules now require disclosure of the cybersecurity expertise of those members of management responsible for assessing and managing cybersecurity risks. Id.
  3. Companies Must Disclose “Processes,” But No Requirement to Disclose Cybersecurity Procedures. Pursuant to Item 106(b) of Regulation S-K, public companies must now describe annually in their Form 10-K their processes, if any, for “assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes” and must also describe if the risks “have materially affected or are reasonably likely to materially affect” the company, “including its business strategy, results of operations, or financial condition and if so, how.”  See Final Rules at 170–71.  The SEC declined to adopt a requirement in the Proposed Rules mandating the disclosure of cybersecurity “policies and procedures,” thereby avoiding potential public disclosure of information that threat actors could then leverage to attack companies’ cybersecurity defenses.

    On this point, SEC Commissioner Hester Peirce voiced concern that compliance with the Final Rules could increase the future risk of cyberattacks on companies. Commissioner Peirce pointed out that the “strategy and governance disclosures risk handing [cyber criminals] a roadmap on which companies to target and how to attack them.” She argued that compliance with the Final Rules could do more harm than good because maintaining compliance with the Final Rules, while at the same time describing cyberattacks without revealing incident response procedures, security controls, or being too descriptive about a company’s network architecture, may be a difficult balance to maintain. 
  4. National Security Delay Exception Carries the Day. The Final Rules provide a national security exception to the timing of a Form 8-K disclosure of a material cybersecurity incident. Specifically, if the U.S. Attorney General determines that such a disclosure “poses a substantial risk to national security or public safety,” companies may delay providing the Form 8-K disclosure for a period determined by the Attorney General, up to 30 days, which can be extended for an additional 30 days if the Attorney General determines that disclosure would pose a continuing risk. See Final Rules at 184. This disclosure can be further delayed by the Attorney General in “extraordinary circumstances.” This national security delay exception appears to be in response to comments about how delaying disclosure when there is an ongoing law enforcement investigation may not only facilitate the investigation but may be key to its success. See Final Rules at 22–23.
  5. Private Companies. Although the SEC’s Final Rules apply only to companies with securities registered with the SEC, the concepts captured by the Final Rules may be helpful for all companies, particularly when it comes to board oversight, management’s cybersecurity expertise, a company’s understanding of cybersecurity risks, and incident response.  Moreover, as private companies consider strategic exits, including potential public offerings, the SEC’s Final Rules may be considered as part of IPO readiness. 

Effective Dates

With certain exceptions, the Final Rules will become effective 30 days after the date of publication in the Federal Register. For companies that file their Form 10-K or Form 20-F annual reports on or after December 15, 2023, those filings must comply with the Final Rules. For registrants other than smaller reporting companies, Form 8-K disclosures (in which material cybersecurity incident-based reporting must be made) and Form 6-K disclosures (for foreign private issuers who disclose material cybersecurity incidents in a foreign jurisdiction, to any stock exchange, or to security holders) will be required beginning December 18, 2023, or 90 days after the date of publication of the Final Rules in the Federal Register, whichever is later. Smaller reporting companies will have an extra 180 days to comply.

Conclusion

The SEC’s publication of these cybersecurity rules is yet another data point demonstrating that the U.S. government’s focus on cybersecurity regulation and enforcement is trending toward increased accountability, with an increasingly “stick”-like approach. 

Public companies, officers, directors, and chief information security officers will need to assess existing cybersecurity and disclosure controls and procedures, and work with cybersecurity and disclosure counsel to prepare for this new reporting and disclosure regime. Crowell & Moring LLP will continue to monitor these developments and provide updates as appropriate. Please reach out to your Crowell & Moring contact, or any of the authors below, for additional information on these matters.

Jennie Wang VonCannon

Jennie VonCannon is a trial lawyer with a proven track record of success in both the courtroom and the boardroom — with extensive experience in white collar defense and cybersecurity matters. Jennie helps clients in crisis with internal investigations, law enforcement and regulatory inquiries and subpoenas, and cybersecurity and privacy incidents. Her impeccable judgment has been honed over 11 years as a federal prosecutor, culminating in her selection to serve with distinction as the deputy chief of the Cyber and Intellectual Property Crimes Section of the National Security Division of the U.S. Attorney’s Office for the Central District of California.

William J. Bruno

William Bruno is a partner in the Washington, D.C. office of Crowell & Moring, where he is a member of the firm’s Corporate Group. William’s practice focuses on general corporate and securities matters for public and private companies, including mergers and acquisitions, initial and follow-on securities offerings, complex commercial transactions, and corporate governance. William advises clients seeking to grow, collaborate, and secure new capital.

Evan D. Wolff

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators. Evan also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework.

Matthew B. Welling

Matthew B. Welling is a partner in Crowell & Moring’s Washington, D.C. office, where he practices in the firm’s Privacy & Cybersecurity and Energy groups. Matthew has a deep technical background that he leverages to represent clients in a wide range of counseling and regulatory matters. His experience includes cybersecurity and privacy incident response, compliance reviews, risk assessments, and the development of corporate policies and procedures, such as incident response plans. Matthew has a diverse background in M&A and other corporate transactional issues, with specific recent experience with technology transactions, cybersecurity issues, and critical infrastructure project development.

Daniel Zelenko

Daniel L. Zelenko is a partner in the New York office of Crowell & Moring and serves as co-chair of the firm’s nationally recognized White Collar & Regulatory Enforcement Group. Dan is a former federal prosecutor and senior enforcement lawyer at the U.S. Securities and Exchange Commission (SEC). He has been recognized as a leader in the white collar and regulatory enforcement bar by Chambers USA since 2016 and is held in high regard for his U.S. Department of Justice (DOJ) and SEC experience and his antitrust and securities enforcement experience. Chambers USA described Dan as a “tremendous talent” who “tries cases really impressively before the government,” noting that he “is a very effective advocate who sees the whole picture,” is “thoroughly knowledgeable about the legal and regulatory landscape,” and that “he knows his way around the street, and knows how to work with people in difficult situations.” Dan has been quoted as a leading authority on white collar defense and government investigations in numerous media outlets including The Wall Street Journal, The New York Times, Bloomberg and Reuters and has appeared on CNN.

Anand Sithian

Anand Sithian is a counsel in Crowell & Moring’s New York office. He is a member of the International Trade and the White Collar & Regulatory Enforcement groups. Anand advises clients on a variety of regulatory issues and investigations relating to anti-money laundering (AML), the Bank Secrecy Act (BSA), U.S. economic sanctions, including those administered by the Office of Foreign Assets Control (OFAC), and asset forfeiture matters. Anand routinely counsels clients on the novel application of these laws and regulations to issues involving financial institutions, technology and social media, virtual currency and digital assets (including the seizure and forfeiture of virtual currencies), and the evolving cannabis industry.

Alexander Urbelis

Alex Urbelis is a senior counsel in the New York office and a member of the Privacy & Cybersecurity Group. Alex has more than 20 years of experience in the information security community and has varied experience as a Chief Information Security Officer (CISO), Chief Compliance Officer, in-house counsel, and private practice litigator.

Alex has a unique skill set that has allowed him to create a bridge between the technical and legal sides of cybersecurity. As a result, he is the primary architect of an exclusive DNS (Domain Name System) monitoring and intelligence platform. Through this intel platform, Alex advises his clients on identified and early-stage indicators of cybersecurity threats and provides counsel on legal actions and technical defensive remedies to neutralize those threats. Alex tracks sophisticated cyber adversaries and advanced persistent threats (APTs) through his intel platform and, notably, detected a state-sponsored cyber intrusion attempt targeting the World Health Organization in March 2020. For combining legal and technical skill sets with public service, the Financial Times selected Alex as a finalist for its Innovative Lawyers awards for pandemic response in 2020.

Christiana State

Christiana State (CIPP/US, CIPP/E) is a senior counsel in Crowell & Moring’s San Francisco office and a member of the firm’s Corporate and Privacy & Cybersecurity groups. Christiana focuses her practice on counseling clients on technology and privacy matters. Christiana leverages a combination of in-house counsel experience and electrical engineering training to guide emerging technology companies through transformational growth stages. Christiana represents technology companies, from start-ups to multinational corporations, in various industry segments, such as: AI/ML, cloud services, biometrics, semiconductors and computing architectures, gaming, AR/VR, drones, and EV charging.

Christiana brings a pragmatic and business-focused approach to her representations. Prior to Crowell, she spent over a decade serving as in-house counsel for various technology companies in Silicon Valley. In those roles, Christiana led cross-functional teams while managing global technology and intellectual property deals, product launches and related regulatory matters, and intellectual property strategies.