3.10 Cybersecurity
On July 26, 2023, the SEC issued a final rule that requires registrants to provide enhanced and standardized disclosures regarding “cybersecurity risk management, strategy, governance, and incidents.” As noted in Section 3.3.2.1, the new requirements established by the final rule include those related to (1) disclosures of material cybersecurity incidents on Form 8-K and (2) annual cybersecurity disclosures on Form 10-K. All types of periodic SEC filers are affected by the final rule.

In a manner similar to the SEC staff’s review of a registrant’s compliance with other new disclosure rules, the staff may perform targeted reviews of a registrant’s initial cybersecurity disclosures under the final rule. However, in a December 14, 2023, statement on cybersecurity disclosure, then Division Director Erik Gerding noted that the “Division does not seek to make ‘gotcha’ comments or penalize foot faults” and indicated that the Division plans to issue forward-looking comments “to the extent appropriate.”

When assessing materiality in accordance with the final rule, registrants are reminded to consider not only the quantitative impacts of a cybersecurity incident but also the qualitative impacts. For example, as stated in the final rule, a registrant should “consider both the immediate fallout and any longer term effects on its operations, finances, brand perception, customer relationships, and so on, as part of its materiality analysis.”
3.10.1 Form 8-K Disclosure Requirements
Examples of SEC Comments
- We note that at the time of filing, the full scope, nature and impact of the unauthorized occurrences were not yet known. Additionally, while it had and was expected to be reasonably likely to continue to have a material impact on your business operations, you had not yet determined whether the incident is likely to materially impact your financial condition or results of operations. When you file your amended Form 8-K pursuant to Instruction 2 to Item 1.05 of Form 8-K, please also expand your disclosure to address the following items:
  - expand your discussion to describe the scope of your business operations impacted; and
  - describe the known material impact(s) the incident has had and the material impact(s) that are likely to continue. In considering material impacts, please describe all material impacts. For example, consider vendor relationships and potential reputational harm related to stolen data and unfulfilled orders, as well as any impact to your financial condition or results of operations.
- We note the statement that you expect the cybersecurity incident will have a material impact on the fourth quarter . . . results of operations, but that you do not believe the incident will have a material impact on your overall financial condition or on your ongoing results of operations. Please advise us whether you filed this amended Form 8-K pursuant to Instruction 2 to Item 1.05 and confirm, if true, that you determined the incident was material to you under the standard in cases addressing materiality under the securities laws, including TSC Industries, Inc. v. Northway, Inc. Additionally, please clarify in future filings any known material impact(s) that are likely to continue after the fourth quarter. In considering material impacts, please describe all material impacts. For example, consider customer relationships, potential reputational harm, and the impact due to exfiltrated data, whether or not from non-production systems.
- We note the statement you experienced a cybersecurity incident . . . . Please advise us as to why you determined to file under Item 1.05 of Form 8-K given the statement that you have not yet determined whether the incident is reasonably likely to materially impact your financial condition or results of operations.
- Please tell us whether or not this incident is a material cybersecurity incident under Item 1.05(a) of Form 8-K. If you determined the cybersecurity incident to be material, please describe all material impacts or reasonably likely material impacts on the company as required by Item 1.05(a) . . . . [C]ompanies should consider qualitative factors alongside quantitative factors in assessing the material impact of an incident. For example, consider impacts on customer relationships, competitiveness, and potential reputational harm related to the cybersecurity incident. If you did not determine the cybersecurity incident to be material, please provide an analysis supporting your conclusion and advise us as to why you filed under Item 1.05 of Form 8-K rather than Item 8.01 of Form 8-K.
- We note your disclosure that as of the date of the amendment, “the Company has not determined the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.” . . . Please confirm that, in future filings, where you have not determined if the incident has had a material impact to the company or is reasonably likely to have a material impact to the company, including its financial condition and results of operations, you will consider filing disclosures under Item 8.01 of Form 8-K, rather than Item 1.05 of Form 8-K.
The final rule amends Form 8-K to add Item 1.05, “Material Cybersecurity Incidents,” which requires a registrant to file a Form 8-K to disclose a material cybersecurity incident within four business days from the date on which the registrant determines that the incident is material to the registrant. Under Form 8-K, Item 1.05, a registrant must disclose the following information about the cybersecurity incident if known at the time of the filing:

- “[T]he material aspects of the nature, scope, and timing of the incident.”
- “[T]he material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.”

Any material impacts of a cybersecurity incident, even if only qualitative, are to be disclosed under Item 1.05 of Form 8-K within four business days of a materiality determination by the registrant.

The registrant must also provide disclosures if any of the above required information is not determined or is unavailable at the time of the filing. In such a case, the registrant must seek to obtain the information without unreasonable delay and file an amended Form 8-K containing the information within four business days of when the information is determined or becomes available. An amended Form 8-K may similarly be required if the registrant subsequently determines that information previously provided is inaccurate or materially misleading.
On May 21, 2024, Mr. Gerding issued a statement “to encourage the filing of . . . voluntary [cybersecurity] disclosures in a manner that does not result in investor confusion or dilute the value of Item 1.05 disclosures regarding material cybersecurity incidents.” In the statement, he advised registrants to (1) reserve Item 1.05 of Form 8-K for disclosures of material cybersecurity incidents and (2) use Item 8.01 of Form 8-K to voluntarily disclose cybersecurity incidents that have not been determined to be material or for which no materiality determination has yet been made.

Since the SEC’s release of the final rule, the Division has issued various C&DIs to elicit decision-useful information for investors related to the new Form 8-K disclosure requirements. The C&DIs clarify matters pertaining to (1) temporary Form 8-K filing delays obtained or requested from the U.S. attorney general or U.S. Department of Justice on the grounds that a cybersecurity disclosure would pose a substantial risk to national security or public safety and (2) materiality considerations in the event of ransomware attacks.

The SEC staff has generally been reviewing all Item 1.05 Forms 8-K filed and has observed that registrants have sufficiently disclosed the quantitative impacts of material incidents. However, the staff has emphasized that the cybersecurity rule itself requires disclosures of both quantitative and qualitative impacts on the registrant and has encouraged registrants to consider qualitative impacts, including reputational damage and effects on material contracts or customer relationships, among others, in their disclosures.
3.10.2 Annual Form 10-K Disclosure Requirements
Examples of SEC Comments
- We note the following statements [in your annual report on Form 10-K]:
  - “We have not currently engaged any third party service providers to support, manage, or supplement our cybersecurity processes.”
  - “The Audit Committee periodically receives updates from management and our third party IT support specialists of our cybersecurity threat risk management and mitigation strategies covering topics such as data security and potentially material cybersecurity threat risks or incidents, as well as the steps management has taken to respond to such risks.”
  - “In such sessions, the Audit Committee . . . discusses such matters with our third party IT support specialists and other members of senior management.”

  These statements appear inconsistent. Please revise future filings to clarify whether you engage assessors, consultants, auditors or other third parties in connection with your processes for assessing, identifying and managing material risks from cybersecurity threats as required by Item 106(b)(1)(ii) of Regulation S-K.
- We note the statement . . . that cybersecurity risk management has been and remains a key aspect of your “overall business strategy, financial planning and capital allocation and a point of ongoing emphasis at all levels.” Please revise future filings to disclose whether and how your processes for assessing, identifying, and managing material risks from cybersecurity threats have been integrated into your overall risk management system or processes. See Item 106(b)(1)(i) of Regulation S-K.
- We note your senior leadership is responsible for the day-to-day management of cybersecurity risk and the design and implementation of policies, processes and procedures to identify and mitigate this risk. Please revise future filings to discuss the relevant expertise of such members of senior management as required by Item 106(c)(2)(i) of Regulation S-K.
- We note that leaders from your information security, compliance and legal team oversee cybersecurity risk management. Please revise future filings to provide the relevant expertise of such persons or members in such detail as is necessary to fully describe the nature of the expertise as required by Item 106(c)(2)(i) of Regulation S-K.
- We note your Chief Information Security Officer (CISO) is responsible for developing and implementing your information security program. We also note the Information Security Oversight Committee (ISO) “oversees [your] cybersecurity program from a management perspective.” We also note that you describe the relevant expertise of your CISO but not of the other members of the ISO. Please revise future filings to discuss the relevant expertise of such members of senior management as required by Item 106(c)(2)(i) of Regulation S-K.
- We note the description of your processes for assessing, identifying, and managing material risks from cybersecurity threats. Please revise to address whether you engage assessors, consultants, auditors, or other third parties in connection with any such processes. See Item 106(b)(1)(ii) of Regulation S-K.
- We note your disclosure that your third-party service providers are under constant threat of cybersecurity attack. Please revise to disclose whether you have processes to oversee and identify risks from threats associated with your use of such third party services providers. Refer to Item 106(b)(1)(iii) of Regulation S-K.
The final rule adds Item 106, “Cybersecurity,” to Regulation S-K. The annual disclosures required by Item 106 are to be provided in Part I of Form 10-K in Item 1C, “Cybersecurity.” As described in the final rule, these annual disclosures pertain to (1) cybersecurity risk management and strategy, (2) “management’s role in assessing and managing material risks from cybersecurity threats,” and (3) “the board of directors’ oversight of cybersecurity risks.”

At the 2024 AICPA Conference, the SEC staff discussed observations from its review of a sample of the disclosures required in Form 10-K. It highlighted that the SEC’s disclosure requirements do not specify the processes that a registrant should have; rather, registrants are required to disclose information about the processes they do have. Further, the staff observed that most registrants stated in their disclosures that they had a cybersecurity risk management process; however, the staff advised registrants to further elaborate on that process in sufficient detail for a reasonable investor to understand what processes are in place, including processes to oversee the risk of cybersecurity incidents at third-party service providers. The staff also highlighted the requirement to disclose the expertise of the management personnel responsible for managing cybersecurity risk and that such disclosure should be provided for each individual when a group of individuals is responsible.