SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies

ID 24392

The U.S. Securities and Exchange Commission (SEC) has published a press statement announcing the finalization of a new rule on the disclosure of cybersecurity incidents and of the policies and procedures that firms have in place to manage the associated risks. The final rule applies to registration statements, periodic reports of public companies, and shareholder notifications under Regulation S-K and Regulation S-T.
#### Background
In March 2022, the SEC launched a consultation in which it proposed to require enhanced disclosures from public companies in view of the increasing cybersecurity risks facing supervised firms (please see EventID 15074 in this context). The requirement would cover both disclosures on the incidents themselves and disclosures on risk management policies and procedures.
Specifically, the SEC proposed that public companies must report significant cybersecurity incidents by filing a revised Form 8-K (current report) within four days of determining that the incident had occurred. An incident would be considered "material" if it is likely to be important to a reasonable shareholder. The SEC also included a list of incident types it would consider material. The filed information would include the incident's date, a brief description, its operational impact, the nature of the incident (e.g. data theft), and whether any remediation efforts had been undertaken. Foreign private issuers would have to disclose these incidents on a revised Form 6-K.
Firms would also be required to provide updates on previous incidents, and to report where an incident has been reclassified from non-material to material because of the overall frequency of incidents. Such disclosures would be made on Form 20-F and Form 10-K as part of the annual report (new data items would be inserted for this purpose).
With regard to the disclosure of cybersecurity risk management policies and procedures, the Commission proposed to require companies to describe their policies and procedures for identifying and managing risks from cybersecurity threats on Form 20-F. Firms would be required to state whether cybersecurity is integrated into their business strategy, financial planning, and capital allocation. They would also have to provide information on cybersecurity oversight and governance, such as the persons responsible, management expertise, and the timing and frequency of reporting on these matters to the Board of Directors, whose competence in the area would also have to be demonstrated.
#### Feedback and final rule
The SEC received extensive feedback on the proposed rule. Most respondents agreed with the SEC's overall intention and with the rule in general, although views on individual proposals were mixed. As a consequence, the SEC has modified the final rule in several respects compared to the proposal. The key modifications are briefly outlined below:
(1) Reporting on current incidents on Form 8-K and Form 6-K of foreign issuers:
The SEC will refrain from requiring firms to disclose the remediation status of an incident, whether the incident is still ongoing, or whether data has been compromised. In this context, the SEC will also refrain from requiring technical details on firms' planned remedial actions if such information would "impede the registrant's response or remediation of the incident". Also, the SEC will permit a delay in the disclosure if the "United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing".
The SEC will also NOT proceed with its proposal to add new data Item 106(d)(1) to Form 20-F or Form 10-K for updates on incidents following the initial Form 8-K / Form 6-K filing. However, firms will have to file an amended Form 8-K or 6-K if they become aware of any material omission or inaccuracy in the initial filing, or if any material change has occurred since the initial filing. As a consequence, and given that nearly all (99%) Form 10-K filers already disclose material cyber incidents and related policies and procedures, no further changes to Form 10-K will be required.
(2) Reporting on cybersecurity risk management and related policies and procedures:
The SEC has revised the terminology to clarify that it does not expect highly detailed disclosures "on how a company plans for, defends against, and responds to cyberattacks", as such disclosures may themselves expose companies to further risk. Moreover, the SEC has removed the list of risk types (such as intellectual property theft, fraud, litigation, or reputational risk) to be considered in firms' reports, since each company is best placed to know which types of risk are most prevalent in its organization and should therefore be reported. Also, the SEC will NOT proceed with the requirement for firms to report on their policies for prevention and detection activities, business continuity and recovery plans, and previous incidents.
As far as governance is concerned, the SEC has also reduced the reporting requirement by no longer mandating disclosure of how cybersecurity has been integrated into a firm's business strategy and oversight. Finally, the SEC refrains from requiring disclosure of the frequency of discussions on cybersecurity among Board members or committees.

As this summary presents only the key modifications to the proposed rule, please refer to the enclosed final rule for more detailed and comprehensive information.

Other Features
companies
cyber security
disclosure
fraud
governance
investors
issuer
notifications
operational
recovery
reporting
risk
risk management
securities
shareholders
Date Published: 2023-07-26
Regulatory Framework: Securities Act of 1933, Securities Exchange Act of 1934
Regulatory Type: regulation

Current report pursuant to Section 13 or 15(d) (PDF)

ID 26532
The U.S. Securities and Exchange Commission (SEC) has published revised Form 8-K relating ...

Registration statement / Annual report / Transition report (PDF)

ID 26528
The U.S. Securities and Exchange Commission (SEC) has published new Form 20-F which will b ...

Annual report pursuant to Section 13 or 15(d) (PDF)

ID 26527
The U.S. Securities and Exchange Commission (SEC) has published new Form 10-K which will b ...

General form for registration of securities pursuant to Section 12(b) or (g) (PDF)

ID 26519
The U.S. Securities and Exchange Commission (SEC) has published new Form 10 which will be ...