SEC Creates Bigger Cyberbreach Role For General Counsel
September 4, 2023
Back in July, the Securities and Exchange Commission (SEC) announced a significant regulatory development aimed at enhancing cybersecurity disclosures for public companies in the United States. According to the National Law Review, the ruling is now set to come into effect on September 5, 2023.
The driving factor for this regulatory action is the exponential growth in corporate cybersecurity risks, fueled by the widespread adoption of digital technologies, artificial intelligence, the shift to hybrid work models, the proliferation of cryptocurrency assets, and the escalating threat of ransomware and data theft. In response to these growing concerns, the SEC has mandated standardized and improved disclosures regarding cybersecurity risk management, strategy, governance, and incidents.
SEC Chair Gary Gensler emphasized the importance of the new requirements, noting that a cybersecurity breach can be just as material to investors as a physical loss such as a factory fire. The goal is to give investors timely, consistent, and understandable information about cybersecurity, which ultimately benefits both companies and investors.
The new rules have three main components:
Form 8-K Material Cybersecurity Incident Reporting: Companies must promptly disclose material cybersecurity incidents on Form 8-K, providing detailed information about the incident’s nature, scope, timing, and impact. This disclosure must occur within four business days of identifying the incident as material.
Form 10-K Annual Disclosures: Companies must outline their processes for identifying, assessing, and managing cybersecurity risks in Form 10-K, along with describing the board of directors’ oversight of such risks and management’s role in addressing them.
Foreign Private Issuers: Foreign private issuers must also disclose material cybersecurity incidents using an amended Form 6-K and provide information on cybersecurity risk management, strategy, and governance through Form 20-F.
While the new requirements seem straightforward, the precise definitions of terms such as “cybersecurity incident,” “cybersecurity threat,” and “materiality” will be crucial for compliance.
The SEC’s final rule differs in several ways from the initial proposed rule, including narrowing the scope of disclosures, streamlining disclosure elements, and omitting the requirement to disclose the cybersecurity expertise of the board. Transition provisions have also been added to facilitate compliance with the new rules.
This regulatory change represents a significant step toward ensuring that investors receive comprehensive and standardized information about cybersecurity risks and incidents, aligning with the evolving digital landscape and its associated challenges.