On July 26, 2023, the SEC announced that it had adopted new rules requiring issuers to disclose “material cybersecurity incidents” and “material information regarding…cybersecurity risk management, strategy, and governance.”  As proposed, the rules included several components that received strong negative comments.  For example:

  • The proposals would have required “disclosure about the cybersecurity expertise of members of the board of directors,” including whether any board members have cybersecurity expertise and, if so, “the name(s) of any such director(s)… and detail necessary to fully describe the nature of the expertise.”  This proposal was severely criticized by issuers and investors, among others.
  • An even more controversial proposal was a proposed requirement to disclose on Form 8-K, within four business days, extensive details about any “cybersecurity incident that is determined by the registrant to be material”.  This proposal was opposed by companies on numerous grounds, including that it is often difficult to know whether an incident is material and that reporting an incident may make it more difficult to investigate it.

Given the current composition of the SEC, many observers expected the worst – i.e., that these and other objectionable aspects of the proposals would be adopted.  We may not have gotten the worst, but what we got doesn’t seem to be great, either.  Specifically, the final rules provide as follows:

  • Companies will be required to disclose on Form 8-K any cybersecurity incident deemed to be material, including “material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the [company], including its financial condition and results of operations.”  The final rules focus more on the impacts of the incident rather than details of the incident itself; for example, disclosure of the incident’s remediation status, whether data has been compromised, or potential system vulnerabilities, all of which would have been required under the proposal, will not be needed.  
  • Perhaps the most troubling aspect of the new rules is the timing of disclosure.  Specifically, companies are required to “determine the materiality of an incident without unreasonable delay following discovery and, if the incident is determined material [sic], file [a] Form 8-K generally within four business days of such determination.”  Time will tell, but it would seem inadvisable to assume that a company has much if any leeway in determining the materiality of an incident.
  • This is reinforced by the one stated exception to the four-day reporting requirement.  Specifically, “disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.”  But that’s not all; “[i]f the Attorney General indicates that further delay is necessary, the Commission will consider additional requests for delay and may grant such relief through possible exemptive orders.”  In other words, even if the AG says delay is necessary, it appears that the SEC will consider whether to accept his/her views.  The detailed wording of the requirement (which this commentator has admittedly not yet reviewed) may provide some helpful details, but it’s hard to envision all – or possibly any – of this happening in four business days. 

Not surprisingly, Commissioner Peirce voted against the rule, noting that obtaining approval from the Attorney General within four days “will be quite a feat.”

If you are wondering where the good news can be found, the SEC did drop the requirement to disclose cybersecurity expertise on the board.  Instead, the rules will require companies to describe (1) “their processes… for assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect” the company; and (2) “the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.”  While disclosing how boards oversee cybersecurity risk seems like a good idea, the language quoted above will almost certainly lead to lots of boilerplate, with little benefit.

Another bit of good news is that the final rules dropped the proposed requirement for companies to disclose when a series of previously undisclosed individually immaterial cybersecurity incidents have collectively become material.  Instead, the SEC added the words “a series of related unauthorized occurrences” to the definition of “cybersecurity incident.”

To the extent the new disclosures are to be included in 10-K reports, they will be required beginning with reports for fiscal years ending on or after December 15, 2023.  The incident disclosure requirements for 8-K reporting will take effect for companies other than smaller reporting companies on the later of 90 days after the date of publication in the Federal Register or December 18, 2023.  Smaller reporting companies will have an additional 180 days and must begin complying with these requirements on the later of 270 days from the effective date of the rules or June 15, 2024.

Please direct any questions or observations to Gunster securities law and corporate governance practice leader Bob Lamm.

This publication is for general information only. It is not legal advice, and legal counsel should be contacted before any action is taken that might be influenced by this publication.

About Gunster
Gunster, Florida’s law firm for business, provides full-service legal counsel to leading organizations and individuals from its 13 offices statewide. Established in 1925, the firm has expanded, diversified and evolved, but always with a singular focus: Florida and its clients’ stake in it. A magnet for business-savvy attorneys who embrace collaboration for the greatest advantage of clients, Gunster’s growth has not been at the expense of personalized service but because of it. The firm serves clients from its offices in Boca Raton, Fort Lauderdale, Jacksonville, Miami, Naples, Orlando, Palm Beach, Stuart, Tallahassee, Tampa Bayshore, Tampa Downtown, Vero Beach, and its headquarters in West Palm Beach. With more than 260 attorneys and consultants, and over 270 committed professional staff, Gunster is ranked among the National Law Journal’s list of the 500 largest law firms and has been recognized as one of the Top 100 Diverse Law Firms by Law360. More information about its practice areas, offices and insider’s view newsletters is available at www.gunster.com.