New rules adopted by the Securities and Exchange Commission (SEC) require companies to disclose any cybersecurity breach they deem material and to make annual disclosures about their cybersecurity. These rules may form the basis for SEC whistleblower claims concerning the sufficiency of a company's public disclosures.
The rules, passed on July 26, 2023, give companies four days to disclose cybersecurity incidents starting from when they determine that a breach is material. Disclosures can be delayed if the U.S. Attorney General determines that immediate disclosure would “pose a substantial risk to national security or public safety” and notifies the SEC in writing.
The new rules also require publicly traded companies to make annual disclosures about their cybersecurity risk management, strategy, and governance. The objective is to protect investors.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said in a public statement in which he noted current inconsistencies in disclosures. He said that companies and investors both benefit when disclosures are made in a “more consistent, comparable, and decision-useful way.”
Incident-specific disclosures are required in Form 8-K beginning either 90 days after the rule’s publication in the Federal Register or on December 18, 2023, whichever is later. Smaller reporting companies will have an additional 180 days. Disclosures must set forth the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.
Annual disclosures are required in Form 10-K reports covering fiscal years ending on December 15 or later. Companies must describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, along with the material effects or reasonably likely material effects of risks from cybersecurity threats or previous cybersecurity incidents. They also must disclose information on their cybersecurity risk management and executive expertise in the field.
Foreign private issuers are required to make comparable disclosures.
If you are considering filing a cyber-related SEC whistleblower claim, please fill out our online form or contact us by phone at (267) 551-5240 or via e-mail at zarbitman@feldmanshepherd.com for a free, confidential consultation.