New SEC cyber incident disclosure marks first-time cybersecurity disclosure requirement across the capital markets
Aug. 4, 2023 · Authored by Joe Shusko, Jim Kearney, Jeff Maffitt
The U.S. Securities and Exchange Commission (SEC) has twice previously provided interpretive guidance on cyber incident disclosure (in 2011 and 2018), but neither created a new disclosure requirement. Now, over a year after proposing a rule to heighten cybersecurity disclosure requirements, the SEC released its final rule on July 26, 2023 (Release No. 33-11216). After reviewing over 150 comment letters submitted by registrants and other stakeholders, the SEC narrowed the scope of disclosure in its final rule, but it maintains its position on the importance of timely and consistent cybersecurity-related information being provided to investors. To ensure compliance, companies need to evaluate their current cybersecurity governance and incident response practices and ensure those practices are appropriately reflected in their disclosure procedures.
Here's what you need to know
The final rule includes multiple new disclosure requirements; these disclosures generally fall into one of three categories:
1. Disclosure of material cyber incidents
The most significant change is the disclosure required under the new Item 1.05 of Form 8-K. The SEC’s press release states that registrants must disclose “any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.” Registrants will not be required to disclose the remediation status of an incident, whether it is ongoing, or whether data were compromised. Nor will they be required to disclose “specific or technical information about their planned response,” which was a concern raised by many commenters. However, within four business days of determining that they were subject to a material cyber incident, registrants are required to file an Item 1.05 Form 8-K (except in cases of substantial risk to national security or public safety as determined by the attorney general, which would afford registrants an extended disclosure period).