3.10 Cybersecurity
On July 26, 2023, the SEC issued a final
rule that requires registrants to provide enhanced and
standardized disclosures regarding “cybersecurity risk management, strategy,
governance, and incidents.” As noted in Section
3.3.2.1, the new requirements established by the final rule include
those related to (1) disclosures of material cybersecurity incidents on Form 8-K and
(2) annual cybersecurity disclosures on Form 10-K. All types of periodic SEC filers
are affected by the final rule.
In a manner similar to the SEC staff’s review of a registrant’s compliance with other
new disclosure rules, the staff may perform targeted reviews of a registrant’s
initial cybersecurity disclosures under the final rule. However, in a December 14,
2023, statement on cybersecurity disclosure, Division Director Erik
Gerding noted that the “Division does not seek to make ‘gotcha’ comments or penalize
foot faults” and indicated that the Division plans to issue forward-looking comments
“to the extent appropriate.”
When assessing materiality in accordance with the final rule, registrants are
reminded to consider not only the quantitative impacts of a cybersecurity incident,
but also the qualitative impacts. For example, as stated in the final rule, a
registrant should “consider both the immediate fallout and any longer term effects
on its operations, finances, brand perception, customer relationships, and so on, as
part of its materiality analysis.”
3.10.1 Form 8-K Disclosure Requirements
Examples of SEC Comments
- We note that at the time of filing, the full scope, nature and impact of the unauthorized occurrences were not yet known. Additionally, while it had and was expected to be reasonably likely to continue to have a material impact on your business operations, you had not yet determined whether the incident is likely to materially impact your financial condition or results of operations. When you file your amended Form 8-K pursuant to Instruction 2 to Item 1.05 of Form 8-K, please also expand your disclosure to address the following items:
  - expand your discussion to describe the scope of your business operations impacted; and
  - describe the known material impact(s) the incident has had and the material impact(s) that are likely to continue. In considering material impacts, please describe all material impacts. For example, consider vendor relationships and potential reputational harm related to stolen data and unfulfilled orders, as well as any impact to your financial condition or results of operations.
- We note the statement that you expect the cybersecurity incident will have a material impact on the fourth quarter . . . results of operations, but that you do not believe the incident will have a material impact on your overall financial condition or on your ongoing results of operations. Please advise us whether you filed this amended Form 8-K pursuant to Instruction 2 to Item 1.05 and confirm, if true, that you determined the incident was material to you under the standard in cases addressing materiality under the securities laws, including TSC Industries, Inc. v. Northway, Inc. Additionally, please clarify in future filings any known material impact(s) that are likely to continue after the fourth quarter. In considering material impacts, please describe all material impacts. For example, consider customer relationships, potential reputational harm, and the impact due to exfiltrated data, whether or not from non-production systems.
The final rule amends Form 8-K to add Item 1.05, “Material Cybersecurity
Incidents,” which requires a registrant to file a Form 8-K to disclose a
material cybersecurity incident within four business days from the date
on which the registrant determines that the incident is considered material to
the registrant. Under Form 8-K, Item 1.05, a registrant must disclose the
following information about the cybersecurity incident if known at the time of
the filing:
- “[T]he material aspects of the nature, scope, and timing of the incident.”
- “[T]he material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.”
Any material impacts of a cybersecurity incident, even if only qualitative, are
to be disclosed under Item 1.05 of Form 8-K within four business days of a
materiality determination by the registrant.
The registrant must also provide disclosures if any of the above required
information is not determined or is unavailable at the time of the filing. In
such a case, the registrant must seek to obtain the information without
unreasonable delay and file an amended Form 8-K containing the information
within four business days of when the information is determined or becomes
available. An amended Form 8-K may similarly be required if the registrant
subsequently determines that information previously provided is inaccurate or
materially misleading.
On May 21, 2024, Mr. Gerding issued a statement “to encourage the filing of . . . voluntary
[cybersecurity] disclosures in a manner that does not result in investor
confusion or dilute the value of Item 1.05 disclosures regarding material
cybersecurity incidents.” In the statement, he advised registrants to (1)
reserve Item 1.05 of Form 8-K for disclosures of material cybersecurity
incidents and (2) use Item 8.01 of Form 8-K to voluntarily disclose
cybersecurity incidents that have not been determined to be material or for
which no materiality determination has yet been made.
Since the SEC’s release of the final rule, the Division has issued various
C&DIs to elicit
decision-useful information for investors related to the new Form 8-K disclosure
requirements. The C&DIs clarify matters pertaining to (1) temporary Form 8-K
filing delays obtained or requested from the U.S. attorney general or U.S.
Department of Justice on the grounds that a cybersecurity disclosure would pose
a substantial risk to national security or public safety and (2) materiality
considerations in the event of ransomware attacks.
3.10.2 Annual Form 10-K Disclosure Requirements
Examples of SEC Comments
- We note the following statements [in your annual report on Form 10-K]:
  - “We have not currently engaged any third party service providers to support, manage, or supplement our cybersecurity processes.”
  - “The Audit Committee periodically receives updates from management and our third party IT support specialists of our cybersecurity threat risk management and mitigation strategies covering topics such as data security and potentially material cybersecurity threat risks or incidents, as well as the steps management has taken to respond to such risks.”
  - “In such sessions, the Audit Committee . . . discusses such matters with our third party IT support specialists and other members of senior management.”
  These statements appear inconsistent. Please revise future filings to clarify whether you engage assessors, consultants, auditors or other third parties in connection with your processes for assessing, identifying and managing material risks from cybersecurity threats as required by Item 106(b)(1)(ii) of Regulation S-K.
- We note your senior leadership is responsible for the day-to-day management of cybersecurity risk and the design and implementation of policies, processes and procedures to identify and mitigate this risk. Please revise future filings to discuss the relevant expertise of such members of senior management as required by Item 106(c)(2)(i) of Regulation S-K.
- We note that leaders from your information security, compliance and legal team oversee cybersecurity risk management. Please revise future filings to provide the relevant expertise of such persons or members in such detail as is necessary to fully describe the nature of the expertise as required by Item 106(c)(2)(i) of Regulation S-K.
The final rule adds Item 106, “Cybersecurity,” to Regulation
S-K. The annual disclosures required by Item 106 are to be provided in Part I of
Form 10-K in Item 1C, “Cybersecurity.” As described in the final rule, these
annual disclosures pertain to (1) cybersecurity risk management and strategy,
(2) “management’s role in assessing and managing material risks from
cybersecurity threats,” and (3) “the board of directors’ oversight of
cybersecurity risks.”