Companies will need to tread carefully to limit their risk as they prepare cybersecurity risk and governance disclosures with the Securities and Exchange Commission under new rules, Brock Dahl of Freshfields Bruckhaus Deringer told Legal Dive.
The SEC voted last week to finalize its cybersecurity rules after several years of development.
Under the headline requirement, companies have four days after determining they’ve had a material cyber incident to report to the SEC what happened on a new Form 8-K Item 1.05.
The rules also require companies to disclose as part of their annual 10-K and other filings what they’re doing to protect their business from cyber risks — and on this, getting the right balance between disclosing too much and not enough will be crucial, Dahl said.
Materiality
Companies are already required to let the SEC know if they’ve been the target of a material cyber incident, but there’s leeway in deciding what is and isn’t a reasonable amount of time to provide that notification. So, the big change is in the urgency.
Under the new Form 8-K Item 1.05 requirement, the deadline is four days after determining there’s been a material incident, with an exception for national security or public safety risks.
Even with the deadline, companies have latitude because of the role they play in deciding what is, and isn’t, a material breach and how long it takes them to make that determination. The clock starts ticking once they make that determination.
What constitutes materiality for one company won’t be the same for another, Dahl said.
If you’re a software-as-a-service company whose business model is built around the data it collects, for example, what’s material is going to be different than for a company whose business model depends on, say, in-store sales with little online exposure.
Nor is there a concrete threshold that dictates what is and isn’t material.
So, the interplay between determining materiality and the amount of time it takes to make that determination can give companies some space on the incident notification.
Risk management and governance
For many companies, one of the trickier parts of the rules will be making the disclosures about their cybersecurity risk management and governance practices under the new Reg. S-K Item 106.
The key is to provide the same level of detail on that as they would for the other risks the company discloses, Dahl said.
If you provide too much detail, you can give bad actors a roadmap to what is and isn’t critical to the business and how you protect your operations, Dahl said, but if you provide too little, you won’t be giving the SEC what it’s looking for.
Dahl recommends looking at what your cybersecurity insurer is requiring as a condition of your coverage. Insurer requirements have become de facto industry standards across carriers, making them a good disclosure model.
At the same time, you should back up everything you disclose with internal documentation that fleshes out the details. That internal documentation stays with you. But by having it, you can support everything you’re saying if the SEC reaches out for more information.
The rules will take effect around September 1. The four-day incident notification requirement starts 90 days after the effective date. The risk management and governance disclosures start with the company’s 10-K or other required filing for the fiscal year ending on or after December 15, 2023.
Smaller companies get more time to comply, and foreign private companies are subject to different reporting forms, but the requirements are equivalent to what U.S. companies must meet.