On December 14, 2023, the Director of the Division of Corporation Finance published a speech (speech: https://www.sec.gov/news/speech/gerding-cybersecurity-disclosure-20231214#_ftn1) relating to the new cybersecurity disclosure rules that go into effect this month (Fact Sheet: https://www.sec.gov/files/33-11216-fact-sheet.pdf). The speech provides some guidance about the disclosures expected under the new rule:
- The final rule requires public companies to disclose the occurrence of a material cybersecurity incident and describe the material aspects of the incident, as well as the material impact or reasonably likely material impact of the incident. A company is not required to disclose specific or technical information about its planned response to the incident or its cybersecurity systems in such detail as would compromise the response to the incident.
- Public companies must provide the required cybersecurity incident disclosure within four business days after the company determines the incident to be material. The deadline is not four business days after the incident occurred or was discovered. In setting this timing, the SEC recognized that a company may be unable to determine materiality on the same day the incident is discovered.
- The SEC also provided for delayed reporting of cybersecurity incidents that would pose a substantial risk to national security or public safety, contingent on a written notification by the United States Attorney General. The SEC recently released Compliance and Disclosure Interpretations relating to delaying disclosure based on a notification by the United States Attorney General (https://www.sec.gov/divisions/corpfin/guidance/8-kinterp.htm#104b.01).
- The rule requires public companies to make annual disclosures about their cybersecurity risk management, strategy, and governance, including disclosures regarding management's role in assessing and managing material risks from cybersecurity threats. The final rule's disclosure requirement regarding the board is more high-level: it focuses on describing the board's oversight of risks from cybersecurity threats, identifying any relevant board committee, and describing how the board or such committee is informed of such risks.