On July 26, 2023, the SEC finalized long-awaited disclosure rules (the “Final Rules”) regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.  While the end results are substantially similar to rules proposed by the SEC in March 2022, there are some key distinctions. 

The top five takeaways are:

  1. Disclosure of Cybersecurity Incidents within 4 Days of Materiality Determination. Public companies must now disclose in their Form 8-K Item 1.05 filings “any cybersecurity incident that they experience that is determined to be material” and describe “material aspects” of the reported incident, including a description of its nature, scope, timing, and impact on the company, within four business days of determining a cybersecurity incident is material.

    Recognizing that a materiality determination requires an informed and deliberate process, the Final Rules do not set a fixed deadline for making it, but they do require that it be made “without unreasonable delay” after discovery of the incident. The materiality analysis should be “consistent with the standard set out in the cases addressing materiality in the securities laws, that information is material if ‘there is a substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision, or if it would have ‘significantly altered the ‘total mix’ of information made available.’” See Final Rules at 80.

    Per the SEC, “adhering to normal internal practices and disclosure controls and procedures will suffice to demonstrate good faith compliance.” See Final Rules at 38. Thus, public company officers and directors should assess existing disclosure controls and procedures to ensure that information about cybersecurity incidents is properly escalated, as appropriate, to management, the board, and any board committees with oversight of cybersecurity, and that those controls capture what the Final Rules require.  Companies should also ensure they have appropriate internal and outside experts and advisors to assist in making a materiality determination regarding a particular cybersecurity incident.
  2. Board Expertise Requirement Removed. Following substantial comments, the SEC declined to adopt the proposed requirement to disclose the cybersecurity expertise, if any, of a company’s board of directors.  See Final Rules at 81.  Among the comments opposing this proposed requirement were those noting a shortage of cybersecurity expertise in the marketplace, which would make this requirement difficult to fulfill.  See Final Rules at 83.

    However, pursuant to Regulation S-K Item 106(c), public companies must now describe annually in their Form 10-K the board’s oversight of risks arising from cybersecurity threats, as well as management’s role in assessing and managing such material risks.  See Final Rules at 171.  Accordingly, public companies would be well advised to consider retaining outside experts, including cybersecurity counsel, to help train directors in cybersecurity matters, including on incident response, with periodic refresher trainings, to ensure appropriate oversight of cybersecurity risks and developments.  And while the SEC did not adopt the board expertise disclosure requirement, the Final Rules do require disclosure of the relevant expertise of those members of management responsible for assessing and managing cybersecurity risks.  Id.
  3. Companies Must Disclose “Processes,” But No Requirement to Disclose Cybersecurity Procedures. Pursuant to Item 106(b) of Regulation S-K, public companies must now describe annually in their Form 10-K their processes, if any, for “assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes” and must also describe if the risks “have materially affected or are reasonably likely to materially affect” the company, “including its business strategy, results of operations, or financial condition and if so, how.”  See Final Rules at 170–71.  The SEC declined to adopt a requirement in the Proposed Rules mandating the disclosure of cybersecurity “policies and procedures,” thereby avoiding potential public disclosure of information that threat actors could then leverage to attack companies’ cybersecurity defenses.

    On this point, SEC Commissioner Hester Peirce voiced concern that compliance with the Final Rules could increase the future risk of cyberattacks on companies. Commissioner Peirce pointed out that the “strategy and governance disclosures risk handing [cyber criminals] a roadmap on which companies to target and how to attack them.” She argued that compliance could do more harm than good, because describing a company’s cybersecurity program and its incidents in the required detail, while not revealing incident response procedures, security controls, or specifics of the company’s network architecture, may be a difficult balance to strike.
  4. National Security Delay Exception Carries the Day. The Final Rules provide a national security exception to the timing of a Form 8-K disclosure of a material cybersecurity incident.  Specifically, if the U.S. Attorney General determines that such a disclosure “poses a substantial risk to national security or public safety,” companies may delay providing the Form 8-K disclosure for the period determined by the Attorney General, up to 30 days, which can be extended for an additional 30 days if the Attorney General determines that disclosure would pose a continuing risk.  See Final Rules at 184.  The disclosure can be further delayed by the Attorney General in “extraordinary circumstances.” This national security delay exception appears to respond to comments explaining that, where there is an ongoing law enforcement investigation, delaying disclosure may not only facilitate the investigation but may be key to its success.  See Final Rules at 22-23.
  5. Private Companies. Although the SEC’s Final Rules apply only to companies with securities registered with the SEC, the concepts captured by the Final Rules may be helpful for all companies, particularly when it comes to board oversight, management’s cybersecurity expertise, a company’s understanding of cybersecurity risks, and incident response.  Moreover, as private companies consider strategic exits, including potential public offerings, the SEC’s Final Rules may be considered as part of IPO readiness. 

Effective Dates

With certain exceptions, the Final Rules will become effective 30 days after the date of publication in the Federal Register.  Form 10-K and Form 20-F annual reports must comply with the Final Rules beginning with reports for fiscal years ending on or after December 15, 2023.  For registrants other than smaller reporting companies, Form 8-K disclosures (in which material cybersecurity incident-based reporting must be made) and Form 6-K disclosures (for foreign private issuers who disclose material cybersecurity incidents in a foreign jurisdiction, to any stock exchange, or to security holders) will be required beginning December 18, 2023 or 90 days after the date of publication of the Final Rules in the Federal Register, whichever is later.  Smaller reporting companies will have an additional 180 days to comply with the Form 8-K requirement.

Conclusion

The SEC’s publication of these cybersecurity rules is yet another data point demonstrating that the U.S. government’s focus on cybersecurity regulation and enforcement is trending toward increased accountability, with an increasingly “stick”-like approach. 

Public companies, officers, directors, and chief information security officers should assess existing cybersecurity and disclosure controls and procedures, and work with cybersecurity and disclosure counsel to prepare for this new reporting and disclosure regime.  Crowell & Moring LLP will continue to monitor these developments and provide updates as appropriate.  Please reach out to your Crowell & Moring contact, or any of the authors below, for additional information on these matters.

Authors

Jennie Wang VonCannon

Jennie VonCannon is a trial lawyer with a proven track record of success in both the courtroom and the boardroom — with extensive experience in white collar defense and cybersecurity matters. Jennie helps clients in crisis with internal investigations, law enforcement and regulatory inquiries and subpoenas, and cybersecurity and privacy incidents. Her impeccable judgment has been honed over 11 years as a federal prosecutor, culminating in her selection to serve with distinction as the deputy chief of the Cyber and Intellectual Property Crimes Section of the National Security Division of the U.S. Attorney’s Office for the Central District of California.

William J. Bruno

William Bruno is a partner in the Washington, D.C. office of Crowell & Moring, where he is a member of the firm’s Corporate Group. William’s practice focuses on general corporate and securities matters for public and private companies, including mergers and acquisitions, initial and follow-on securities offerings, complex commercial transactions, and corporate governance. William advises clients seeking to grow, collaborate, and secure new capital.

Evan D. Wolff

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators. Evan also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework.

Matthew B. Welling

Matthew B. Welling is a partner in Crowell & Moring’s Washington, D.C. office, where he practices in the firm’s Privacy & Cybersecurity and Energy groups. Matthew has a deep technical background that he leverages to represent clients in a wide range of counseling and regulatory matters. His experience includes cybersecurity and privacy incident response, compliance reviews, risk assessments, and the development of corporate policies and procedures, such as incident response plans. Matthew has a diverse background in M&A and other corporate transactional issues, with specific recent experience with technology transactions, cybersecurity issues, and critical infrastructure project development.

Daniel Zelenko

Daniel L. Zelenko is a partner in the New York office of Crowell & Moring and serves as co-chair of the firm’s nationally recognized White Collar & Regulatory Enforcement Group. Dan is a former federal prosecutor and senior enforcement lawyer at the U.S. Securities and Exchange Commission (SEC). He has been recognized as a leader in the white collar and regulatory enforcement bar by Chambers USA since 2016 and is held in high regard for his U.S. Department of Justice (DOJ) and SEC experience and his antitrust and securities enforcement experience. Chambers USA described Dan as a “tremendous talent” who “tries cases really impressively before the government,” noting that he “is a very effective advocate who sees the whole picture,” is “thoroughly knowledgeable about the legal and regulatory landscape,” and that “he knows his way around the street, and knows how to work with people in difficult situations.” Dan has been quoted as a leading authority on white collar defense and government investigations in numerous media outlets including The Wall Street Journal, The New York Times, Bloomberg and Reuters and has appeared on CNN.

Anand Sithian

For high-stakes internal and government investigations and complex regulatory and compliance matters, companies and individuals look to Anand to provide strategic advice and counseling, particularly on issues relating to the Bank Secrecy Act and Anti-Money Laundering (“BSA/AML”), economic sanctions, and digital assets. Anand is resident in the firm’s New York office and a member of the firm’s International Trade, White Collar and Regulatory Enforcement, and Financial Services groups.

A former federal prosecutor, Anand leverages his government experience to guide clients through complex white-collar matters, including grand jury and regulatory investigations, enforcement proceedings, and internal investigations. Anand has deep experience in parallel criminal and civil investigations and proceedings, and often represents clients in defending against civil lawsuits related to government investigations.

Representing some of the world’s largest banks and technology companies, Anand has addressed a wide range of issues, including BSA/AML; economic sanctions and national security; payments and cryptocurrency; securities laws; and cybersecurity enforcement. In the regulatory space, Anand prides himself on providing commercial and actionable advice, including in the developing areas of digital assets, FinTech, and payments.