Authors: Era Anagnosti, Hayley Curry, Eric Forni, Katie Lee, Deborah Meshulam, Larry Nishnick, Chelsea Rissmiller, Andrew Serwin, Jon Venick
In our highly connected world, technology and data have become increasingly material to most companies, regardless of industry or sector. As the value and importance of technology and data increases, so too do the risks and obligations associated therewith. On July 26, 2023, the Securities and Exchange Commission (“SEC” or the “Commission”) adopted its much-anticipated enhanced disclosure requirements regarding cybersecurity risks and incidents (the “Final Rules”) for all public companies including foreign private issuers (“FPIs”). The SEC initially proposed cyber rules in March 2022. As we recently reported, the Final Rules require registrants that are subject to the reporting requirements of the Securities Exchange Act of 1934 (the “1934 Act” or the “Exchange Act”) to, among other things, (i) disclose a material cybersecurity incident within four (4) business days of making a materiality determination, and (ii) disclose on an annual basis information regarding their risk management, strategy, and governance related to cybersecurity threats.
New Cyber-Specific Reporting Requirements
The Final Rules will explicitly require the filing of a Form 8-K (or Form 6-K for FPIs) to disclose material cybersecurity incidents within four (4) business days from determination that the cybersecurity incident is material. Public companies must make that materiality determination “without unreasonable delay.” The SEC has noted that a public company’s adherence to its normal internal practices and disclosure controls and procedures will suffice to demonstrate good faith compliance.
Pursuant to the Final Rules, any such disclosure must “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operation” and if any such information is unavailable, the company must make a statement to that effect in its original filing. Furthermore, the Final Rules impose an updating requirement through the filing of an 8-K/A if certain information that was unknown or unavailable at the time of initial filing subsequently becomes available.
The Final Rules also require annual disclosures in the company’s Form 10-K (or Form 20-F for FPIs) regarding:
- The processes in place, if any, for assessing, identifying, and managing material risks from cybersecurity threats;
- Whether and how any such risks have materially affected or are reasonably likely to materially affect the company, its business strategy, results of operations, or financial condition;
- The Board’s oversight of risks from cybersecurity threats; and
- Management’s role in assessing and managing material risks from cybersecurity threats.
It is worth noting that in its adopting release, the Commission clarified that the Final Rules are intended to ensure that appropriate information is provided to investors, not “to influence whether and how companies manage their cybersecurity risk.” Rather than focus narrowly on substantive controls, the Final Rules emphasize the importance of cyber governance: strategy, oversight, implementation of appropriate controls, measurement of impact, and fulsome reporting.
Disclosure Obligations and DCPs
The general focus of such SEC reporting requirements, whether related to cybersecurity or otherwise, is to cause public companies to disclose certain information to the investing public, keeping investors appropriately informed at the initial sale of securities and on an ongoing basis. As SEC Chair Gary Gensler stated in the press release accompanying the Final Rules, “whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors.”
The new explicit requirements for cyber-related disclosures sit within the existing SEC disclosure framework. SEC disclosure rules can generally be boiled down to two fundamental obligations: (i) an obligation that public disclosures not contain untrue statements; and (ii) a requirement that public companies not fail to disclose a material fact that, if omitted, would render a disclosure misleading.[1] To help ensure that accurate and complete information is disclosed in reports filed with the SEC, pursuant to Exchange Act Rule 13a-15, public companies are required to maintain disclosure controls and procedures, and management must evaluate their effectiveness on a periodic basis.[2]
“Disclosure Controls and Procedures” (“DCPs”) are defined as controls and procedures that are designed to ensure that information that is required to be disclosed is recorded, processed, summarized, and reported within the time periods specified in the Commission’s rules and forms.[3]
The Commission’s 2018 Cybersecurity Guidance clarified that cybersecurity-related DCPs should enable public companies to, among other things, identify cybersecurity risks and incidents, assess and analyze their impact on the company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents. Since that guidance was issued, SEC cyber-related enforcement has focused on alleged deficiencies in cybersecurity-related DCPs (e.g., failure to escalate information about the scope and impact of an ongoing cyber incident to senior management).
Understanding the Risks – Operational Risk v. Compliance Risk
When evaluating the performance of a business and the risks it faces, there are generally four principles to examine:
- Business strategy;
- Financial performance;
- Operational resiliency; and
- Legal compliance.
Business strategy and financial performance drive value, while operational resiliency and legal compliance are risk controls.
In assessing a public company’s material cyber threats and risks for disclosure, cyber professionals must not lose sight of operational resiliency risks; these, in addition to legal compliance risks, warrant escalation to management. For example, the risk of a cyber incident impacting mission-critical systems and causing business disruption is an operational resiliency risk that may trigger reporting obligations under the SEC rules, even if the company implements an incident response plan, takes steps to comply with “reasonable security” standards, provides notice in compliance with state data breach laws, and otherwise satisfies its legal compliance obligations.
Key cyber risks to note include a public company’s inability to:
- Identify, evaluate and understand its cyber environment (e.g., shadow IT and a lack of data mapping for critical systems or systems that can create material risks);
- Understand and/or see the risks, for example, due to a lack of visibility into the business processes, inability to understand interdependencies of the systems, and a lack of technology (such as logging and monitoring system activity);
- Understand and/or see the value that is implicated by the process or activity; and
- “Connect the dots.”
Considerations for Implementing More Robust Cyber DCPs
While DCPs, and their supporting cyber processes, will vary from company to company depending on the size of the company’s business, complexity of its data practices, and management structure, creating and documenting an escalation process related to cyber matters is essential for any company.
At the heart of risk governance is the need to get the right information to the right executives, at the right time. Without appropriate channels for escalating material risks, senior management and the board of directors will not know what information or systems their company has that are truly sensitive or material to operations, nor will they be able to evaluate the potential risks associated therewith. In many cases, material information is maintained in stove-piped verticals that do not talk to each other. Documenting thoughtful escalation processes and procedures, including what needs to be escalated and the cadence for these key conversations, will help to ensure that critical information is appropriately and efficiently shared with key stakeholders for making appropriate disclosure decisions.
In working to comply with the Final Rules, companies may wish to evaluate whether:
- Their disclosure committee charters, or in the absence thereof, any internal processes or policies a company has established for assessing its relevant disclosure obligations, are appropriate in scope and, as part of the decision-making process, expressly include those employees actually involved in managing and addressing cybersecurity threats and incidents;
- The cybersecurity risk and incident escalation criteria, timing, and contacts are sufficiently developed within the supporting cyber processes underlying their DCPs;
- Their current cybersecurity-related processes, policies and procedures, governance and risk management support the disclosures required by the Final Rules;
- The company’s information systems produce adequate information to inform decision-makers about the company’s processes and technology that have the potential to create material risks, and whether training around the same is sufficient;
- The current risk assessments provide an understanding of the business’s current risk posture (for both legal compliance risk and operational resiliency risk); and
- Their incident response plans are updated to include the new definitions from the Final Rules, incorporate new roles on the incident response team for a disclosure or similar committee member (if one exists), and align with new escalation criteria and timing for SEC disclosures.
Companies should also consider developing training on the Final Rules for senior management, the board of directors, the disclosure or any similar committee, and relevant cybersecurity / privacy personnel.
For more information on cybersecurity processes, or how public companies can prepare for compliance, please contact your DLA Piper relationship partner, the authors of this blog post, or any member of our Data Protection team.
[1] See, e.g., 15 U.S.C. §§ 78j(b) and 78m(a)(2); 17 C.F.R. § 240.12b-20.
[2] 17 C.F.R. § 240.13a-15.
[3] Id.