What Are the Details of the Key Requirements?
Form 8-K: Timely Incident Reporting
The addition of Item 1.05 to Form 8-K introduces a crucial change in the required disclosure process. Organizations must report material cybersecurity incidents (including the timing of the incident, its impact or likely impact, and other details) within four business days of determining that the incident is material, and that materiality determination must itself be made without unreasonable delay.
This change hinges on another amendment that updates the definition of an incident.
Broad Definition of “Cybersecurity Incident”
In support of the new Item 1.05, the final rules adopt a broader definition of a “cybersecurity incident,” extending it to “a series of related unauthorized occurrences.” This accomplishes two things. First, it recognizes that the full scope or impact of a cyberattack doesn’t always surface or occur all at once. Second, it enables multiple incidents that may not be individually “material” (such as small-scale repeat attacks by the same malicious actor) to constitute a single material impact, making them subject to Item 1.05.
Temporary Delay in Reporting
Registrants may delay filing under Item 1.05 if the US Attorney General determines that the disclosure of an incident could pose a substantial risk to national security or public safety. The Attorney General must notify the SEC in writing. The initial delay of up to 30 days may be extended, with notice, by an additional 30 days, and then by a further 60 days, if the AG determines that disclosure continues to pose such risks. Filing extensions beyond a total of 120 days require an SEC exemptive order.
Updated Incident Disclosures
To help ensure investors get more complete and relevant information about an organization’s risks, as part of Form 8-K disclosure, registrants must identify any information required by Item 1.05 that they have not yet determined or been able to obtain. Subsequently, when this information becomes available, registrants must file a Form 8-K amendment detailing such information.
When the required information for the Item 1.05 Form 8-K disclosure is not yet ascertainable or available at the time of filing, the company must acknowledge this fact in the Form 8-K and subsequently file an amendment within four business days after obtaining the missing information. Notably, subsequent periodic filings will not necessitate updates based on this information.
Aggregation of Incidents
The concept of cybersecurity incident aggregation is a noteworthy change from the proposed rules. While the requirement to disclose individually immaterial incidents has been omitted, the new, broader definition of a cybersecurity incident, which encompasses “a series of related unauthorized occurrences,” enables a more comprehensive overview of incident-related disclosures.
Form 10-K: Cybersecurity Risk Management, Strategy, and Governance
Starting with annual reports for fiscal years ending on or after December 15, 2023, Regulation S-K Item 106 requires registrants to describe how they assess, identify, and manage material risks from cyberthreats, as well as the effects—or likely effects—of those risks on their business strategy, results of operations, or financial condition.
Registrants also must describe the board’s oversight of cybersecurity risks.
Disclosure of Management’s Role and Responsibilities
Another provision of Item 106 requires registrants to report on management's role in assessing and managing material risks, including the positions or committees responsible, the relevant expertise of those parties, their monitoring processes, and whether they report their findings to the board of directors or a board committee.
The SEC considered but ultimately did not implement a new disclosure requirement for registrants to report the cybersecurity expertise of board members in addition to management, asserting that the other required disclosures under Item 106 were sufficient to inform investors.
Foreign Private Issuers
Form 6-K and Form 20-F for FPIs now require material incident, risk management, strategy, and governance disclosures comparable to those required of domestic registrants under the new Item 106 and Item 1.05.
The SEC believes these new cybersecurity disclosure requirements will support investors in making better-informed investment decisions in relation to FPIs, stating in the final amendment notes that “FPIs' cybersecurity incidents and risks are not any less important ... than those of domestic registrants.”
Structured Data Requirements
Registrants are now required to tag the new disclosures in Inline eXtensible Business Reporting Language (Inline XBRL) format—which is already part of certain other disclosure mandates—to “enable automated extraction and analysis of the information required by the final rules, allowing investors and other market participants to more efficiently identify responsive disclosure, as well as perform large-scale analysis and comparison of this information across registrants.”
However, the SEC has delayed the compliance date for these new structured data requirements by one year beyond the compliance date for the disclosure requirements themselves.