USA: The SEC's cybersecurity rules
In 2023, the U.S. Securities and Exchange Commission (SEC) released new rules to standardize, clarify, and enhance businesses' obligations to disclose information about cybersecurity incidents as well as their policies and practices for managing cybersecurity threats and risks. First proposed in March 2022, these cybersecurity rules were finalized in an adopting release dated July 26, 2023, after a public comment period. Jacob Ragen, Associate at Shook, Hardy & Bacon, provides an overview of the cybersecurity rules, including who is affected by them and the obligations they impose on businesses.
Applicable definitions
- Cybersecurity incident: An unauthorized occurrence, or series of unauthorized occurrences, on or conducted through a business's information systems that jeopardizes the confidentiality, integrity, or availability of those information systems or any information residing therein [1].
- Cybersecurity threat: Any potential unauthorized occurrence on or conducted through a business's information systems that may result in adverse effects on the confidentiality, integrity, or availability of those information systems or any information residing therein [2].
- Information systems: Electronic information resources, owned or used by the business, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the business's information to maintain or support the business's operations [3].
Affected entities: Who needs to comply with the cybersecurity rules?
Broadly speaking, there are three categories of businesses that will need to comply with the SEC's new cybersecurity rules:
- U.S.-based businesses that are subject to the reporting requirements of the Securities Exchange Act of 1939 (the Exchange Act);
- business development companies (BDC) (as described in Section 2(a)(48) of the Investment Company Act); and
- foreign private investors (FPI) who are subject to the reporting requirements of the Exchange Act.
Timeline: When did the cybersecurity rules take effect?
The cybersecurity rules took effect on September 5, 2023. However, when businesses will need to begin submitting reports under the cybersecurity rules depends on both the nature of those reports and the size of the business in question. In either case, businesses will also need to begin tagging the disclosures required under the cybersecurity rules.
- Larger businesses were required to begin complying with the cybersecurity incident disclosure requirements by December 18, 2023 [4]. However, certain small businesses had an additional grace period, and were required to begin complying with the requirements by June 15, 2024. In order to qualify for this delayed compliance date, all businesses other than investment companies are considered small businesses if they: (i) have total assets of $5 million or less on the last day of their most recent fiscal year; and (ii) are only offering (or proposing to offer) securities that are no greater than $5 million [5]. An investment company will qualify as a small business if it (together with any other investment companies in the same group of related investment companies) has net assets of $150 million or less at the end of its most recent fiscal year [6].
- Businesses must include cybersecurity disclosures concerning their governance and risk management processes in their annual Form 10-K reports for fiscal years ending after December 15, 2023 [7].
Reporting obligations: Cybersecurity incidents
Overview
The cybersecurity rules require businesses to report material cybersecurity incidents within four days after they determine that a cybersecurity incident was material. These reports must include information about the cybersecurity incident itself, as well as its impact on the business. For BDCs and businesses based in the U.S., these reports are made under a new Item 1.05 that was added to Form 8-K. FPIs, however, will make their disclosures under a comparable item in Form 6-K. In addition, the information required by Item 1.05 must be provided as an Interactive Data File (see Rule 405 of Regulation S-T and the EDGAR Filer Manual) [8].
Timeline: When do cybersecurity incident reports need to be submitted?
The filing deadline for an Item 1.05 report is generally four days after the business determines that a cybersecurity incident was material (as further described below). However, there are certain circumstances under which this timeline can be extended:
- A business can delay submitting its report if the Attorney General (AG) determines that disclosure would pose a "substantial risk" to national security or the public's safety. If this is the case, the AG will send a notice to the SEC, which will specify how long a delay is permitted, up to a maximum of 30 days. If necessary, the AG can then extend the delay period by up to an additional 30 days, and (in certain extraordinary circumstances) a further 60 days, each time by providing notice to the SEC [9].
- In addition, telecommunications carriers that are required to delay notifying customers of a breach of their Customer Proprietary Network Information (CPNI) under 47 CFR 64.2011 may also delay filing an Item 1.05 report by up to seven days [10].
Materiality: When is a cybersecurity incident material?
In the adopting release, the SEC states that businesses should use the same standard for determining whether a cybersecurity incident is material, and therefore must be reported, that they use for all other materiality determinations under securities laws. More specifically, a cybersecurity incident is material if 'there is a substantial likelihood that a reasonable shareholder would consider it important' in making an investment decision, or if it would have 'significantly altered the total mix of information made available' to the shareholders or prospective investors [11]. Some factors that a business can consider when making its materiality determination may include data theft, loss of assets or intellectual property, damage to the business's reputation, or overall loss of business value and financial impact on the business [12].
Businesses should make their materiality determination 'without undue delay' after they discover a cybersecurity incident [13]. In the adopting release, the SEC clarifies that if a business follows its normal policies and procedures for making materiality determinations, that will be sufficient to demonstrate good faith compliance with its obligations [14].
Content: What needs to be included in a cybersecurity incident report?
At a minimum, businesses should include the following information in their reports under Item 1.05:
- The material aspects of the nature, scope, and timing of the cybersecurity incident [15].
- The material impact, or likely material impact, on the business, including any effects on the business's financial condition or the results of its operations [16]. These impacts may include both direct financial costs that result from a cybersecurity incident and indirect costs, such as damage to the business's reputation, damage to its relationships with its customers and vendors, and possible litigation or regulatory actions.
In addition, businesses should include any other information that they believe a reasonable investor would consider important [17]. However, businesses do not need to disclose any specific or technical details about the planned response to a cybersecurity incident or their cybersecurity systems, if doing so would restrict or endanger their ability to respond to the cybersecurity incident in question. If the information required to be disclosed is still unknown or undetermined by the Item 1.05 report filing deadline, businesses should include a statement to this effect in their report, and then file an update to their report within four business days after the missing information becomes known to them.
Reporting cybersecurity governance
Overview
The second change made by the cybersecurity rules is that covered businesses must also disclose information about how they manage cybersecurity risks. For BDCs and businesses based in the U.S., this information must be disclosed in their annual reports under Form 10-K. FPIs, however, will do so as part of their equivalent reports under Item 16K of Form 20-F. The required contents of these reports are detailed in Item 106 of Revised Regulation S-K. The information required by Item 106 must be provided as an Interactive Data File (see Rule 405 of Regulation S-T and the EDGAR Filer Manual) [18].
Content: What needs to be included in the Form 10-K report?
The cybersecurity rules require businesses to include the following information in their annual 10-K report:
- The business's processes for assessing, identifying, and managing material risks caused by cybersecurity incidents, in enough detail for a 'reasonable investor' to understand those processes [19]. If applicable, this should include how the business's cybersecurity processes have been incorporated into its overall risk management system [20], whether the business uses any third parties (such as assessors, consultants, or auditors) as part of its cybersecurity risk management processes [21], and if so, whether it has policies or processes in place to manage the cybersecurity threats that may arise from the use of those third parties [22].
- The business's Form 10-K should describe the role of its board of directors (or equivalent governing body) in managing cybersecurity threats. This includes identifying any specific board members or committees that are responsible for overseeing the business's cybersecurity systems, as well as the process that is used to keep those board members or committees informed about cybersecurity risks [23].
- The Form 10-K report must also provide information about the role of the business's management in overseeing its cybersecurity risk management process. This includes whether there are any management positions or committees that are responsible for overseeing these processes [24]. If so, the business should also identify which positions or committees have this responsibility, the nature of those individuals' or committees' expertise, the processes that are used to keep them informed about cybersecurity threats and cybersecurity incidents, and the extent to which they report information about cybersecurity threats and cybersecurity incidents to the board of directors (or equivalent governing body).
Next steps
In order to comply with the cybersecurity rules, businesses should:
- Update their cybersecurity incident response plans to include the new disclosure obligations and capture the necessary information that must be disclosed under Item 1.05.
- Map out their business's governance processes, identifying the board members and managers responsible for overseeing its cybersecurity risk management processes.
- Review the Item 1.05 and Form 10-K filings that other businesses have already submitted. While these should not be relied on too heavily, keeping examples of how other businesses have addressed the same issues may provide additional guidance and structure when it comes time for a business to prepare its own filings.
Jacob Ragen Associate
Shook, Hardy & Bacon, Seattle
1. 17 CFR 229.106(a) [Revised Regulation S-K, Item 106].
2. 17 CFR 229.106(a) [Revised Regulation S-K, Item 106].
3. 17 CFR 229.106(a) [Revised Regulation S-K, Item 106].
4. Adopting Release, Page 142.
5. 17 CFR 240.0-10(a) [Exchange Act Rule 0-10(a)].
6. 17 CFR 270.0-10(a) [Exchange Act Rule 0-10(a)].
7. Adopting Release, Page 107.
8. Form 8-K, Item 1.05(b).
9. Form 8-K, Item 1.05(c).
10. Form 8-K, Item 1.05(d).
11. Adopting Release, Page 14.
12. Adopting Release, Page 30.
13. Form 8-K, Item 1.05(1).
14. Adopting Release, Page 38.
15. Form 8-K, Item 1.05(a).
16. Form 8-K, Item 1.05(a).
17. Form 8-K, Item 1.05 B.4.
18. 17 CFR 229.106(d) [Revised Regulation S-K, Item 106].
19. 17 CFR 229.106(b)(1) [Revised Regulation S-K, Item 106].
20. 17 CFR 229.106(b)(1)(i) [Revised Regulation S-K, Item 106].
21. 17 CFR 229.106(b)(1)(ii) [Revised Regulation S-K, Item 106].
22. 17 CFR 229.106(b)(1)(iii) [Revised Regulation S-K, Item 106].
23. 17 CFR 229.106(b)(1)(iii) [Revised Regulation S-K, Item 106].
24. 17 CFR 229.106(c)(2)(i) [Revised Regulation S-K, Item 106].