Key Point: To avoid inadvertently increasing enforcement and litigation risks, companies should consider these suggestions to minimize headaches with the SEC’s final rules that mandate (a) disclosures in annual reports of corporate procedures to address material risks from cybersecurity threats, and (b) the filing of a Form 8-K disclosure within four business days after determining that a material cybersecurity incident occurred.
In a 3-2 vote on July 26, 2023, the U.S. Securities and Exchange Commission (the “SEC”) adopted new cyber incident disclosure rules for publicly traded companies (“registrants”). Although the final rules (the “adopting release”) impose similar disclosure requirements on foreign private issuers, this article focuses on domestic issuers. The SEC intends for the new rules to enhance and standardize registrants’ cybersecurity risk management, strategy, governance, and incident response disclosures, thereby giving investors access to better information. However, there is a strong possibility that the final rules will cause companies to file cautionary disclosures, forcing investors to sift through more noise to find meaningful information.
To minimize the risk of SEC enforcement actions and litigation, registrants must develop plans and procedures for (1) updating the disclosure in their annual reports and (2) determining whether a cybersecurity incident affecting the organization is material or not.
Part I of this series discusses the compliance dates and the SEC’s new definitions pertaining to cybersecurity. Parts II and III will offer suggestions for making disclosures in annual reports and material cybersecurity incidents, respectively.
The Compliance Dates
The final rules go into effect on September 5, 2023, but there are three compliance dates in the final rules – one for annual reports, and two for reporting material cybersecurity incidents, depending on the size of the registrant. The compliance dates for the annual reporting and material cybersecurity incident disclosures are:
- Annual Reports for all registrants with fiscal years ending on or after December 15, 2023, must include disclosures regarding the companies’ risk management, strategy, and governance structure to address cybersecurity risks (Item 106 of Regulation S-K). This means calendar-year reporting companies must comply with the new rules in their upcoming annual reports.
- Disclosure of Material Cybersecurity Incidents
  - All registrants other than “smaller reporting companies” must begin complying with the incident disclosure requirements on December 18, 2023 (Item 1.05 of Form 8-K).
  - Smaller reporting companies must begin complying with Item 1.05 of Form 8-K on June 15, 2024.
The takeaway from these compliance dates is that all registrants have just over four months to internally evaluate their risk management programs, policies, procedures and governance structures and determine how to describe those items in their annual reports. Other than smaller reporting companies, registrants have a similar time constraint to internally evaluate their processes for determining whether a cybersecurity incident is material or not. Smaller reporting companies have an additional 180 days to evaluate their cybersecurity incident procedures.
Suggestion 1: Every registrant knows when its annual report is due, but no one can predict when a material cybersecurity incident will occur after December 18, 2023. Registrants other than smaller reporting companies should consider prioritizing the development or revision of their processes for determining whether a cybersecurity incident is material, and then decide whether that work can be leveraged when writing their annual reports.
Applying the SEC’s Cybersecurity Definitions to Future Events and Annual Reports
As discussed in detail in the next two sections, registrants are now required to describe material risks from cybersecurity threats and to disclose material cybersecurity incidents. The adopting release reaffirmed that the well-established definition of materiality under the federal securities laws should be used for cybersecurity incidents, namely that an event is material if:
There is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the ‘total mix’ of information made available.
88 Fed. Reg. 51899-900. The adopting release also notes that doubts “should be resolved in favor of those the statute is designed to protect, namely investors.” Id. The SEC noted that the material impact of an incident may encompass a range of harms, some quantitative and others qualitative. In making the determination of materiality, a lack of quantifiable harm does not necessarily mean an incident is not material. The SEC provided an example of this determination by noting that a cybersecurity incident that results in the theft of information may not be deemed material based on quantitative financial measures alone, but it may in fact be material given the impact to the registrant that results from the scope or nature of harm to individuals, customers, or others, and therefore may need to be disclosed. The SEC also noted that an incident that results in “significant reputational harm” may not be readily quantifiable and therefore may not cross a particular quantitative threshold, but it should nonetheless be reported if the reputational harm is material. Id. at 51906.
The addition of Item 106 to Regulation S-K (codified at 17 CFR § 229.106) adds definitions for information systems, cybersecurity incidents and cybersecurity threats. Although these definitions were modified slightly in response to public comments, several areas of ambiguity remain.
The final rules define Information Systems to be:
- the electronic information resources, owned or used by the registrant,
- including physical or virtual infrastructure controlled by such information resources, or components thereof,
- organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of the registrant’s information to maintain or support the registrant’s operations.
The SEC’s definition of information systems is problematic because it does not specifically mention or exclude operational technology systems. In fact, the adopting release confirms that the SEC “decline[s] to define operational technology as suggested by some commenters because the term does not appear in the rules we are adopting.” Presumably, this comment would mean that registrants’ operational technology systems are not covered by the final rules. However, the SEC also stated that the definition of a cybersecurity incident (on or through a registrant’s information systems) should be construed broadly to encompass a range of event types (potentially including an accidental exposure of data) and includes “a series of related unauthorized occurrences….” See generally 81 Fed. Reg. 51915-917. As a result, it is possible that Item 1.05 of Form 8-K could be triggered by a series of related occurrences that are each on their own immaterial but are deemed material in the aggregate. If factual circumstances drive this possibility, that outcome would ironically contradict the SEC’s decision to omit from the materiality analysis the aggregation of immaterial incidents. Id. at 51898.
The fact that the SEC declined to address cyber risks for operational technology highlights one of the pitfalls registrants will face when applying these definitions. The final rules place the disclosure burdens on the registrants that buy/lease/use the information systems, not the entities that manufacture the systems. At a time that the National Cybersecurity Strategy is redirecting cybersecurity obligations to the companies best suited to defend the cyber ecosystem, the SEC has put a reporting burden on the customers that purchase these information systems and their associated software and applications.
Suggestion 2: Registrants that own, operate, and use operational technology systems in addition to information systems should perform an asset inventory to document what devices and information are subject to the final rules, and what devices and information are outside the rules’ scope.
A cybersecurity incident is defined as:
- an unauthorized occurrence or series of related unauthorized occurrences on, or conducted through, a registrant’s information system,
- that jeopardizes the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein.
Similarly, a cybersecurity threat is defined as:
- any potential unauthorized occurrence on, or conducted through, a registrant’s information system,
- that may result in adverse effects on the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein.
Read together, the three new definitions potentially misdirect the reporting obligations away from the actual source of the risk (product manufacturers and software developers) and onto the registrants that installed the product onto their information systems. It seems that the SEC’s focus was on ‘traditional data breaches’ where malicious cyber actors can or do affect the confidentiality, integrity or accessibility of company data, and less so on situations where software or hardware vulnerabilities are detected but the actor has yet to attack a company’s information system.
For example, if the SEC’s requirements had been in effect when the Orion, log4j or MOVEit vulnerabilities were disclosed, only one of those developers would have been subject to the SEC’s disclosure requirements. Instead, the reporting burden would have fallen on the registrants who installed the products onto their systems and are subject to an SEC enforcement regime that protects investors, not the US economy writ large.
When the SEC’s materiality standard is applied to cybersecurity incidents and cybersecurity threats, management must engage in a subjective exercise of forward-looking speculation because a cybersecurity incident merely has to jeopardize (with no requirement to actually harm) the information system or data residing therein, and a cybersecurity threat is one that may result in adverse effects on those systems or data (even if the actual harm never materializes). Registrants must then use those definitions to predict whether a reasonable shareholder will consider the degree of jeopardy or potential adverse effects to be important when making investment decisions. Further complicating this problem is not knowing what level of cybersecurity knowledge the SEC attributes to a reasonable shareholder, and whether that attribution is given to individual or institutional investors.
Suggestion 3: The definitions of cybersecurity threats and cybersecurity incidents are focused on unauthorized access to the information systems owned or used by the registrant. When faced with a data incident within a registrant’s own corporate network, the SEC’s definitions clearly apply, and a materiality determination should be made. However, when a software or hardware vulnerability is announced publicly, and that software or hardware resides on the registrant’s corporate network, an incident might not have occurred yet. Corporate leaders should (a) ask whether software and firmware patches are up to date, (b) ask whether the associated data is protected by zero-trust and/or two-factor authentication in order to assess the immediate risk to the company’s network, and (c) utilize Cyber Threat Intelligence (“CTI”) feeds to evaluate the likely intentions of malicious actors.
The National Institute of Standards and Technology (“NIST”) notes that CTI feeds provide indicators (system artifacts or observables associated with an attack), tactics, techniques and procedures (TTPs) used by malicious cyber actors, security alerts and recommended security tool configurations that can mitigate the adverse consequences or harms posed by one or more threats. CTI often takes into account malicious cyber actors’ capabilities and intent along with the technological analysis, and allows defenders to make better informed decisions. However, to effectively leverage a CTI feed and provide context to a vulnerability, a company normally must add the CTI tool(s) to its incident response planning toolbox in advance of a problem.
In Parts II and III we will discuss ideas for preparing the new required disclosure in a registrant’s annual report, followed by ideas for disclosing material cybersecurity events within the SEC’s timeline.
See NIST Special Publication 800-150.