In brief

On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) approved the final rules for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (“Final Rules”). As previously reported, the SEC first proposed amendments to its rules on disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies on March 9, 2022 (“Proposed Rules”).

Similar to the Proposed Rules, the Final Rules, broadly speaking, require (i) issuers to make disclosures in their periodic filings (e.g., Form 10-K) regarding cybersecurity risk management, strategy, and governance; (ii) issuers to report material cybersecurity incidents in a Form 8-K; and (iii) comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance. The Final Rules differ from the Proposed Rules on certain issues, which we discuss below.

The timing of the effectiveness of the Final Rules is discussed below, but it is possible that disclosures of material cyber incidents on a Form 8-K or Form 6-K could be required by late December 2023. 

What Are Our Key Takeaways?

  • 4-Day Reporting Timeline for Material Cybersecurity Incidents. Like the Proposed Rules, the Final Rules require companies to disclose material cybersecurity incidents in a Form 8-K within four (4) business days of a determination that the incident is material. Importantly, the Final Rules clarify that companies must determine the materiality of an incident without unreasonable delay following discovery of an incident. Once a materiality determination is made, the company has four business days to file a Form 8-K.
  • “Cybersecurity Incident” is Broadly Defined. The Final Rules broadly define “cybersecurity incident” to include “a series of related unauthorized occurrences.” For the reasons noted below, the breadth of this definition will likely require management and their information security teams to continuously monitor both current and historic incidents in order to determine whether there is any “sameness” to these intrusions, or unauthorized occurrences.
  • Third-Party and Cloud Breaches are Included. Like the Proposed Rules, the Final Rules apply to cybersecurity incidents that materially impact the company when they occur on information systems “owned or used by” the company, including vendors’ systems and cloud infrastructure, regardless of where those servers reside. This is a broad definition that requires companies to assess promptly whether any vendors’ security incidents may cause a material impact to them.
  • SEC Backs Off of the Express “Aggregation” Requirement (Sort Of). The Proposed Rules would have required issuers to make disclosures of a series of previously undisclosed individually immaterial cybersecurity incidents, which in the aggregate have been determined to be material. The Final Rules dropped the express aggregation requirement, but still require companies to monitor prior intrusions and compare them to present ones for disclosure purposes. Specifically, the Final Rules state that when a company finds that it has been materially affected by what may appear as a series of related cyber intrusions, disclosure may be required even if the material impact or reasonably likely material impact could be parceled among the multiple intrusions to render each by itself immaterial. In a statement accompanying the release of the Final Rules, Commissioner Hester Peirce raised concerns that the Final Rules don’t adequately address problems in this portion of the Proposed Rules, asking “[w]ill companies, under this new approach, nevertheless have to develop new costly systems to track immaterial events?” and noting that the Final Rules leave “related” undefined. (See SEC.gov, “Harming Investors and Helping Hackers: Statement on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.”)
  • What Must Be Reported In The Original Form 8-K/Form 6-K? Material aspects related to nature, scope and timing of the incident must be included in the disclosure, along with information regarding the material impact or reasonably likely material impact of the incident on the company, including its financial condition and results of operations. If any of the aforementioned information is not determined or is unavailable at the time of filing, a statement to this effect must be included in the Form 8-K and the company must file an amendment to the Form 8-K containing such information within four business days after the information is determined or becomes available. Companies are not required, as they would have been under the Proposed Rules, to disclose whether an incident is ongoing, although the SEC notes that the nature of the incident may necessitate discussions of matters related to remediation like business value loss and asset loss.
  • Permissible Delay to the Four-Day Reporting Standard. Notwithstanding the above, companies may delay filing an Item 1.05 Form 8-K if the United States Attorney General (“AG”) determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing. The permitted delay will be up to 30 days following the date when disclosure would otherwise be required; however, this timeframe can be extended for an additional period of up to 30 days if the AG determines that the risk to national security or public safety continues to exist.
  • New Requirements to Disclose Cybersecurity Risk Processes. Companies will be required to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats in their annual reports on Form 10-K or Form 20-F, as applicable, under new Item 106 of Regulation S-K. Importantly, however, the Final Rules clarify that companies are not required to disclose specific or technical information about their planned response to cybersecurity incidents or specific information related to their cybersecurity systems, networks, or vulnerabilities in such detail that might impede the companies’ response to or remediation of cybersecurity incidents.
  • New Requirement to Disclose Management Cybersecurity Expertise. Under Item 106 of Regulation S-K, companies will also be required to describe in their annual reports on Form 10-K or Form 20-F, as applicable, their board of directors’ oversight of cybersecurity threats and risks, as well as management’s role and expertise in assessing and managing material risks from cybersecurity threats or incidents. The Final Rules do not, however, include the previously proposed requirement that companies disclose cybersecurity expertise of board members.
  • Continued Obligation to Disclose Cybersecurity Risks. Companies will be obligated to disclose their cybersecurity risks annually in their Form 10-Ks or Form 20-Fs, including with respect to any previous cybersecurity incidents that have materially affected the company or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition. Companies also have an obligation to explain how such cybersecurity incidents either affected or are reasonably likely to affect the company.

When Do The Requirements Become Effective?

The Final Rules will become effective 30 days following publication of the adopting release in the Federal Register. Companies will be required to make the disclosure required under Item 106 of Regulation S-K with respect to their procedures to address cybersecurity threats and risk oversight structure beginning with annual reports on Form 10-K or 20-F, as applicable, for their first fiscal year that ends on or after December 15, 2023.  

The requirement to disclose material cybersecurity incidents on Form 8-K or Form 6-K, as applicable, will be applicable to all issuers (other than smaller reporting companies) on the later of the date that is 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies are given an additional 180 days from the effective date for non-smaller reporting companies to comply with this requirement.

What Should Companies Consider?

  • Board and Leadership Expertise. Companies will need to consider cybersecurity expertise among their management. And, while the Final Rules dispense with the proposed requirement to disclose board-level expertise, boards of directors need to be closely involved in the oversight of cyber risk. Companies will need to have processes and policies in place to exercise appropriate oversight of cybersecurity risk, including ensuring the board is informed about these risks. This will allow companies to make appropriate disclosures in their annual reports.
  • Implement Process to Identify Material Cybersecurity Incidents. In order to comply with the four-day reporting timeline, companies will need to establish a clear process through which the Information Security / Information Technology team can bring potentially material cybersecurity incidents to the attention of the legal team in a consistent and timely manner. As a reminder, this process will likely be viewed by the SEC as a necessary component of effective disclosure controls and procedures. This specifically includes monitoring to assess whether there is any reason to believe that a current cyber incident/intrusion being experienced by the company is related to past intrusions. Pursuing breakdowns in these procedures as a stand-alone legal theory of liability is a favorite tool employed by SEC Enforcement in cyber disclosure enforcement actions.
  • Implement Process to Manage Cybersecurity Risks. In addition to establishing a well-oiled incident response process through which potentially material cybersecurity incidents are identified, companies will need to revisit all other processes and procedures related to the management of cybersecurity risks, including, for example, their Business Continuity and Disaster Recovery Procedures.
  • Review Contractual Obligations for Reporting Cybersecurity Incidents. Given that the Final Rules apply to cybersecurity incidents that materially impact the company when they occur on information systems “owned or used by” the company, including vendors’ systems and cloud infrastructure, companies should review their agreements with third parties such as vendors, to ensure that they will be notified in a timely manner of cybersecurity incidents that may be material.

Author

Jerome has extensive experience representing clients in government litigation and enforcement investigations before the SEC, DOJ, various United States Attorneys’ Offices and the Commodity Futures Trading Commission.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Cyrus Vance Jr. is a partner in Baker McKenzie's North America Litigation and Government Enforcement Practice as well as the Firm's Global Compliance and Investigations Practice. He is based in New York and serves as Global Chair of the Cybersecurity Practice.

Author

Adam Aft helps global companies navigate the complex issues regarding intellectual property, data, and technology in product counseling, technology, and M&A transactions. He leads the Firm's North America Technology Transactions group and co-leads the group globally. Adam regularly advises a range of clients on transformational activities, including the intellectual property, data and data privacy, and technology aspects of mergers and acquisitions, new product and service initiatives, and new trends driving business such as platform development, data monetization, and artificial intelligence.

Author

Chris counsels NYSE and NASDAQ-listed companies, foreign private issuers and their boards of directors on offerings of debt and equity securities, proxy contests, negotiated and contested mergers and acquisitions, joint ventures and strategic alliances.

Author

Peter represents public companies, financial services firms, and other organizations in litigation, investigations, and regulatory actions by federal agencies. Former head of the SEC Chicago office's Municipal Securities and Public Pensions Unit, Peter also advises clients on compliance and regulatory matters impacting the municipal securities markets and investments by public pensions and other institutions. He is also a leading expert in advising companies and outside auditors in connection with SEC and other regulatory inquiries regarding financial restatements and disclosures.

Author

Cynthia J. Cole is Chair of Baker McKenzie’s Global Commercial, Tech and Transactions Business Unit, a member of the Firm’s global Commercial, Data, IP and Trade (CDIT) practice group Steering Committee and Co-chair of Baker Women California. A former CEO and General Counsel, Cynthia was, just before joining the Firm, Deputy Department Chair of the Corporate Section in the California offices of Baker Botts, where she built the technology transactions and data privacy practice. An intellectual property transactions attorney, Cynthia also has expertise in AI, digital transformation, data privacy, and cybersecurity strategy.

Author

William (Widge) Devaney is a partner in the Firm's North America Litigation group in New York, Chair of the North American Government Enforcement Practice and Co-Chair of the Global Compliance and Investigations Group.

Author

Rachel Ehlers is a partner in Baker McKenzie's Intellectual Property and Technology Practice Group, based in the Firm's Houston office. Rachel's practice focuses on technology transactions, data privacy and cybersecurity. She has extensive experience advising clients on data incidents and breach response, cross-border transfers, and data privacy and cybersecurity issues related to mergers and acquisitions.

Author

Brittney Justice is an associate in the Privacy and Security practice group advising global organizations on privacy and data security compliance requirements. Brittney is recognized by the International Association of Privacy Professionals as a Certified Information Privacy Professional.

Author

Cristina focuses her practice on regulatory and transactional issues in global privacy and data protection, including data security, data breach notification, global privacy, website privacy policies, behavioral advertising, cross-border data transfers, and comprehensive compliance programs.

Author

Teresa advises on all aspects of dispute resolution, primarily complex business disputes, class actions, intellectual property and international arbitration. She is the Co-Chair of the North American Class Action Subgroup.

Author

Ashley advises multinational companies on global and domestic transactional matters, including mergers and acquisitions, corporate reorganizations and other strategic transactions.

Author

Mariana Oliver is an associate in Baker McKenzie's Intellectual Property & Technology Group, based in Chicago.

Author

Justine focuses her practice on both proactive and reactive cybersecurity and data privacy services, representing clients in matters related to information governance, diligence in acquisitions and investments, incident preparedness and response, the California Consumer Privacy Act, privacy litigation, and cyber litigation.

Author

Sara Pitt is an associate in Baker McKenzie's Los Angeles office and a member of the Firm's Litigation and Government Enforcement practice. She represents foreign and domestic corporations involved in high-stakes commercial litigation, with a focus on cross-border disputes.

Author

Manisha is an associate in the Data Privacy and Security practice group based in Chicago, advising global organizations on privacy and data security compliance requirements, as well as data security incident response.

Author

Fernanda Rodriguez is an associate in Baker McKenzie’s Intellectual Property & Technology Practice Group and resides in the Firm’s Houston Office. Fernanda focuses on intellectual property (IP) litigation and brand enforcement as well as matters involving data privacy and data protection.

Author

Elizabeth Roper is a partner in Baker McKenzie's North America Litigation and Global Dispute Resolution Practice. She is based in the New York office. Prior to joining the firm, Liz served in the Manhattan District Attorney's Office as Bureau Chief of the Cybercrime and Identity Theft Bureau (CITB). In this role, Liz directed the investigation and prosecution of all types of cybercrime impacting Manhattan, including sophisticated cyber-enabled financial crime such as identity theft, payment card fraud, and money laundering; network intrusions, hacking, ransomware, and "middleman" attacks; intellectual property theft; "dark web" trafficking of contraband; and the theft and illicit use of cryptocurrencies.

Author

Peter's principal areas of practice are corporate internal investigations, corporate compliance and complex business disputes.

Author

Sali provides advice on a broad range of corporate and securities matters to clients in various industries including healthcare, technology, real estate, energy, manufacturing, consumer products and travel.