The Securities and Exchange Commission (“SEC”) has, through interpretive guidance rather than a binding rule, urged companies to report material cybersecurity incidents in their public filings since 2011, but yesterday the SEC adopted a new rule that actually requires disclosure of cybersecurity incidents and sets a standardized format and timeline for how and when companies must report them.
Specifically, a new Item 1.05 of Form 8-K will be required within four business days of the date on which a registrant determines that a cybersecurity incident is material (the clock runs from the materiality determination, not from discovery of the incident). Item 1.05 will require disclosure of “the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.” Foreign private issuers will furnish comparable incident disclosure on Form 6-K. In addition, registrants will be required to “describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents” in their annual reports (Form 10-K or, for foreign private issuers, Form 20-F), and that description must include how the company’s board of directors and management are involved in the assessment and management of material cybersecurity risks.
The timelines for compliance with this new rule are aggressive: the annual report disclosures apply to fiscal years ending on or after December 15, 2023, and the Form 8-K incident reporting requirement takes effect in December 2023 as well. This led Commissioner Hester M. Peirce to voice concern that, “[c]ompanies will have only months to align their internal disclosure processes with the new incident reporting requirements [and that] these disclosures may make companies vulnerable to attack,” because companies have little time to plan their disclosures and to take steps to mitigate adverse consequences.