
New SEC Cybersecurity Disclosure Requirements Focus on Materiality, Governance and Supply Chain Matters

The Legal Intelligencer

On Dec. 14, 2023, Erik Gerding, director of the U.S. Securities and Exchange Commission’s (SEC) Division of Corporation Finance, issued a statement on cybersecurity disclosure in connection with the SEC cybersecurity rules adopted in July 2023. The statement came shortly before the first compliance dates under those rules for public companies, including foreign private issuers. Beginning on Dec. 18, 2023, all public companies (other than smaller reporting companies) are required to disclose material cybersecurity incidents under Item 1.05 of a Current Report on Form 8-K. Smaller reporting companies must begin complying with Item 1.05 of Form 8-K on June 15, 2024. A foreign private issuer is required to furnish a Form 6-K with respect to any material cybersecurity incident that it discloses in the jurisdiction in which it is organized, to any stock exchange on which its securities are traded, or to its security holders. In addition, all public companies must disclose annually information regarding cybersecurity risk management, strategy, and governance in an annual report on Form 10-K or Form 20-F (for foreign private issuers) for fiscal years ending on or after Dec. 15, 2023.

Cybersecurity is not a novel issue for the SEC. In 2011, the SEC Division of Corporation Finance issued staff guidance, and in 2018 the SEC itself issued interpretive guidance (Release No. 33-10459), on how the disclosure rules then in effect applied to cybersecurity risks and incidents. The SEC’s Dec. 14, 2023, statement, however, emphasized that its goal in adopting the new cybersecurity rules was to “provide investors with the more timely, consistent, comparable, and decision-useful information they need to make informed investment and voting decisions.” This article focuses on how the SEC views materiality determinations for such disclosures, practical aspects of governance of cybersecurity matters, and the implications of the new SEC rules for suppliers and vendors of public companies.

Materiality Determinations

Materiality determination is the cornerstone of the new cybersecurity disclosure requirements. For example, Form 8-K must be filed within four business days after the company “determines that it has experienced a material cybersecurity incident.” Such Form 8-K must “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the [company], including its financial condition and results of operations.” In its annual report, a public company must describe its processes for “assessing, identifying, and managing material risks from cybersecurity threats,” as well as “whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the [company], including its business strategy, results of operations, or financial condition.”

The materiality standard that a public company should use in connection with these disclosures is the “time-tested and familiar” test developed in case law and set forth in SEC rules: information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.” It has been a long-standing SEC position that a “materiality analysis is not a mechanical exercise,” and that such an analysis should take into consideration “all relevant facts and circumstances surrounding the cybersecurity incident, including both quantitative and qualitative factors.” For example, in addition to traditional quantitative, financial factors, the following qualitative factors may have a material impact on the company: “harm to a company’s reputation, customer or vendor relationships, or competitiveness,” and the possibility of “litigation or regulatory investigations or actions, including regulatory actions by state and Federal Governmental authorities and non-U.S. authorities.”

Let us examine three broad categories of material risk: regulatory, financial and reputational. Regulatory risk may be triggered by the unauthorized disclosure of personal information of employees, customers or partners, or of trade secret information. Regulatory scrutiny is heightened if the event rose to the level of a breach under the company’s incident response plan, or if the failure of a control had been identified in a third-party assessment and the company did nothing about it. Regulatory risk also increases if the incident disrupts the government, critical infrastructure or other companies in the supply chain. Short-term financial risk considers the costs of the operational changes resulting from the incident and whether the incident changes forecasted revenue, expenses, profitability or valuations.

Business continuity issues expose inherent failures in the company’s internal systems, which may lead investors to question the long-term health of the business. Most material of all may be reputational risk, which undermines an investor’s trust in the company. One should examine whether the circumstances of a cybersecurity incident contradict statements the company made to investors or representations made in its customer contracts or on its website (for example, management had stated that patching was up to date, yet the breach occurred because a critical security patch had not been applied). Such reputational damage can lead to the termination or nonrenewal of major customer contracts. Also, many breaches are first discovered and disclosed by investigative reporters, further exposing the company’s failure to be vigilant in protecting its systems and data from harm.

Governance Disclosures

Under the new rules, a public company is required to make annual disclosures about its cybersecurity governance not only at the board of directors level, but also at the management level. It would need to “identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats,” as well as “describe management’s role in assessing and managing the registrant’s material risks from cybersecurity threats.” The company must address “which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise.” Such expertise may include, for example: “prior work experience in cybersecurity; any relevant degrees or certifications; any knowledge, skills, or other background in cybersecurity.”

The SEC did not include in the final rule its proposed requirement that public companies disclose whether any members of their board have cybersecurity expertise. The SEC has acknowledged that “effective cybersecurity processes are designed and administered largely at the management level, and that directors with broad-based skills in risk management and strategy often effectively oversee management’s efforts without specific subject matter expertise, as they do with other sophisticated technical matters.” However, the SEC still believes that if the company has determined that “board-level expertise is a necessary component” to its cyber-risk management, such company would likely provide such information in its new annual report disclosures without a specific SEC requirement.

Public companies also need to describe the processes by which:

  • the board of directors or its committee is informed about cybersecurity risks (for example, whether management reports information about such risks to the board of directors or a committee of the board of directors); and
  • management is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents.

These new governance disclosure requirements are designed to prompt close communication among legal and IT management teams, as well as regular management reporting to the board or a committee of the board regarding cybersecurity matters. In his December 2023 cybersecurity statement, the director of the SEC Division of Corporation Finance recognized that compliance with new SEC rules “might involve fostering conversations among chief information security officers, a company’s other cybersecurity experts and technologists, the company’s disclosure committee, and those responsible for advising them on securities law compliance.”

Supply Chain Implications

Through its definitions of such terms as “cybersecurity incident” and “information systems” in the new rules, the SEC made clear that public companies are not exempt from “providing disclosures regarding cybersecurity incidents on third-party systems they use,” and it provided no safe harbor for information disclosed about third-party systems.

While the SEC acknowledged that public companies have “reduced control” over such third-party systems, it highlighted “the centrality of the materiality determination: whether an incident is material is not contingent on where the relevant electronic systems reside or who owns them.” The SEC believes that “a reasonable investor would not view a significant breach of a registrant’s data as immaterial merely because the data were housed on a third-party system, especially as companies increasingly rely on third-party cloud services that may place their data out of their immediate control. Instead, as discussed above, materiality turns on how a reasonable investor would consider the incident’s impact on the registrant.” In addition, a public company must disclose in its annual report whether it has “processes to oversee and identify … risks from cybersecurity threats associated with its use of any third-party service provider.”

In order for public companies to make the disclosures mandated by the new rules, cybersecurity requirements must flow down in contracts to the companies’ suppliers and partners to ensure communication, transparency and collaboration about cybersecurity risks in the supply chain. Contracts will require representations about the suppliers’ cyber maturity, such as prompt security incident reporting, ongoing risk assessments and compliance with security policies, and potentially the right to terminate the contract in the event of a cyber incident caused by noncompliance.

"New SEC Cybersecurity Disclosure Requirements Focus on Materiality, Governance and Supply Chain Matters," by Sharon R. Klein and Yelena M. Barychev was published in The Legal Intelligencer on March 7, 2024.

Reprinted with permission from the March 7, 2024, edition of The Legal Intelligencer © 2024 ALM Properties, Inc. All rights reserved. Further duplication without permission is prohibited.