On July 26, 2023, the SEC announced that it had adopted new rules requiring issuers to disclose “material cybersecurity incidents” and “material information regarding…cybersecurity risk management, strategy, and governance.” As proposed, the rules included several components that received strong negative comments. For example:
- The proposals would have required “disclosure about the cybersecurity expertise of members of the board of directors,” including whether any board members have cybersecurity expertise and, if so, “the name(s) of any such director(s)… and detail necessary to fully describe the nature of the expertise.” This proposal was severely criticized by issuers and investors, among others.
- An even more controversial proposal was a proposed requirement to disclose on Form 8-K, within four business days, extensive details about any “cybersecurity incident that is determined by the registrant to be material”. This proposal was opposed by companies on numerous grounds, including that it is often difficult to know whether an incident is material and that reporting an incident may make it more difficult to investigate it.
Given the current composition of the SEC, many observers expected the worst – i.e., that these and other objectionable aspects of the proposals would be adopted. We may not have gotten the worst, but what we got doesn’t seem to be great, either. Specifically, the final rules provide as follows:
- Companies will be required to disclose on Form 8-K any cybersecurity incident deemed to be material, including “material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the [company], including its financial condition and results of operations.” The final rules focus more on the impacts of the incident rather than details of the incident itself; for example, disclosure of the incident’s remediation status, whether data has been compromised, or potential system vulnerabilities, all of which would have been required under the proposal, will not be needed.
- Perhaps the most troubling aspect of the new rules is the timing of disclosure. Specifically, companies are required to “determine the materiality of an incident without unreasonable delay following discovery and, if the incident is determined material [sic], file [a] Form 8-K generally within four business days of such determination.” Time will tell, but it would seem inadvisable to assume that a company has much if any leeway in determining the materiality of an incident.
- This is reinforced by the one stated exception to the four-day reporting requirement. Specifically, “disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.” But that’s not all; “[i]f the Attorney General indicates that further delay is necessary, the Commission will consider additional requests for delay and may grant such relief through possible exemptive orders.” In other words, even if the AG says delay is necessary, it appears that the SEC will consider whether to accept his/her views. The detailed wording of the requirement (which this commentator has admittedly not yet reviewed) may provide some helpful details, but it’s hard to envision all – or possibly any – of this happening in four business days.
Not surprisingly, Commissioner Peirce voted against the rule, noting that obtaining approval from the Attorney General within four days “will be quite a feat.”
If you are wondering where the good news can be found, the SEC did drop the requirement to disclose cybersecurity expertise on the board. Instead, the rules will require companies to describe (1) “their processes… for assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect” the company; and (2) “the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.” While disclosing how boards oversee cybersecurity risk seems like a good idea, that the language quoted above will almost certainly lead to lots of boilerplate, with little benefit.
Another bit of good news is that the final rules dropped the proposed requirement for companies to disclose when a series of previously undisclosed individually immaterial cybersecurity incidents have collectively become material. Instead, the SEC added the words “a series of related unauthorized occurrences” to the definition of “cybersecurity incident.”
To the extent the new disclosures are to be included in 10-K reports, they will be required beginning with reports for fiscal years ending on or after December 15, 2023. The incident disclosure requirements for 8-K reporting will take effect for companies other than smaller reporting companies on the later of 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days and must begin complying with these requirements the later of 270 days from the effective date of the rules or June 15, 2024.
Please direct any questions or observations to Gunster securities law and corporate governance practice leader Bob Lamm.
YES! PLEASE SIGN ME UP TO RECEIVE EMAIL ALERTS FROM OTHER GUNSTER PRACTICE AREAS.
This publication is for general information only. It is not legal advice, and legal counsel should be contacted before any action is taken that might be influenced by this publication.
About Gunster
Gunster, Florida’s law firm for business, provides full-service legal counsel to leading organizations and individuals from its 13 offices statewide. Established in 1925, the firm has expanded, diversified and evolved, but always with a singular focus: Florida and its clients’ stake in it. A magnet for business-savvy attorneys who embrace collaboration for the greatest advantage of clients, Gunster’s growth has not been at the expense of personalized service but because of it. The firm serves clients from its offices in Boca Raton, Fort Lauderdale, Jacksonville, Miami, Naples, Orlando, Palm Beach, Stuart, Tallahassee, Tampa Bayshore, Tampa Downtown, Vero Beach, and its headquarters in West Palm Beach. With more than 260 attorneys and consultants, and over 270 committed professional staff, Gunster is ranked among the National Law Journal’s list of the 500 largest law firms and has been recognized as one of the Top 100 Diverse Law Firms by Law360. More information about its practice areas, offices and insider’s view newsletters is available at www.gunster.com.