Scope
The final rule applies to all registrants other than asset-backed issuers.
Disclosure requirements – domestic registrants
Form 8-K: Cybersecurity incidents
Within four business days of determining that it has experienced a material cybersecurity incident, a domestic registrant is required to disclose in Item 1.05 of Form 8-K:
- Material aspects of the nature, scope, and timing of the incident
- The material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations
Crowe observation: The final rule indicates the late filing of an Item 1.05 Form 8-K will not cause the registrant to lose Form S-3 eligibility.
Any material information not known at the time of the initial Form 8-K filing or that updates previously disclosed information would be included in an amended Form 8-K. If disclosure within four business days would harm national security or public safety, the final rule provides a mechanism to delay disclosure, provided the U.S. Attorney General notifies the SEC in writing.
Crowe observation: The final rule indicates that when evaluating the materiality of a cybersecurity incident, registrants should apply the same concept of materiality used throughout SEC rules and regulations. Namely, information that is likely to influence a reasonable investor or would have significantly altered the “total mix” of information available is material. Stakeholders significantly commented on the proposed requirement to disclose when a series of previously undisclosed, individually immaterial cybersecurity incidents becomes material in the aggregate. Though the final rule acknowledges these stakeholder comments, it states the proposed requirement was deemed not necessary because the scope of the final definition of cybersecurity incident, which would trigger Form 8-K disclosure, includes a “series of related unauthorized occurrences.”
Annual reports on Form 10-K
Cybersecurity risk management, strategy, and governance
The final rule adds Item 106 of Regulation S-K, which requires disclosure of the registrant’s processes to assess, identify, and manage material risks from cybersecurity threats, including:
- Integration of the registrant’s cybersecurity processes into its overall risk management processes
- Engagement of any third parties, including consultants and auditors
- Processes in place to oversee material cybersecurity risks associated with the use of third-party service providers
Registrants must also disclose whether and how any cybersecurity-related threats, including previous cybersecurity incidents, have materially impacted or are likely to materially impact the registrant’s business strategy, results of operations, or financial condition.
For governance, the final rule requires registrants to describe:
- Board oversight of cybersecurity risk, including whether any board committee or subcommittee is responsible for overseeing cybersecurity risk and how the committee or subcommittee is kept informed of such risks
- Management’s role in assessing and managing material cybersecurity risks, including:
- Personnel or committees responsible for assessing and managing cybersecurity risk and their relevant expertise
- How management is informed about and monitors cybersecurity risks or incidents and whether management informs the board of cybersecurity risks
Crowe observation: The final rule eliminated certain prescriptive disclosures that were the subject of significant stakeholder comment (for example, whether the board includes a cybersecurity expert).
Foreign private issuers (FPIs)
FPIs are subject to similar disclosure requirements in Form 6-K for material cybersecurity incidents and in annual reports on Form 20-F.
XBRL
Registrants must tag the new disclosures using inline extensible business reporting language (XBRL).
Effective date and transition
The final rules become effective 30 days after publication in the federal register with compliance dates as follows:
Disclosure
|
Filer status
|
Compliance date
|
Material cybersecurity incidents
(Form 8-K or Form 6-K)
|
Non-smaller reporting companies (non-SRCs)
|
Later of 90 days after publication in the federal register or Dec. 18, 2023
|
SRCs
|
Later of 270 days after publication in the federal register or June 15, 2024 |
Cybersecurity risk management, strategy, and governance (Form 10-K or 20-F)
|
All registrants
|
Annual reports for fiscal years ending on or after Dec. 15, 2023
|
XBRL tagging requirements have later compliance dates:
- Material incident disclosure tagging begins the later of 465 days after publication in the federal register or Dec. 18, 2024.
- Cybersecurity risk management, strategy, and governance disclosure tagging begins in annual reports for fiscal years ending on or after Dec. 15, 2024.
Near-term considerations for management and those charged with governance
- Planning. Has management established a framework to assess the materiality of potential cybersecurity incidents? Does management have adequate resources to meet the four-day material incident reporting requirement? In the event of a material cybersecurity incident, will management engage the services of third-party consultants (for example, cybersecurity specialists or legal counsel)?
- Communication. Are individuals at all levels of the company aware of the new reporting requirements and their responsibility to report incidents to management and those charged with governance?
- Governance. Is oversight of cybersecurity risk assigned to individuals with the appropriate expertise and background? Should the board engage a third party to serve in an advisory capacity to oversee risk? Would continuing education on cybersecurity risks enhance the board’s oversight? Should cybersecurity risk oversight be taken on by the board as a whole or through an assigned committee? How will management and the board interact and communicate about cybersecurity risks and incidents?
- Controls. Should management reassess the design of its disclosure controls and procedures in response to the final rules? How will related unauthorized occurrences be identified and communicated? Does management have the appropriate processes in place to oversee cybersecurity risks associated with the use of third-party vendors?