
SEC Cybersecurity Incident Disclosures for Publicly Listed Technology and Life Sciences Companies

Published
Jul 11, 2024
By
R. Charles Waring
John Fitzpatrick
Samantha Kurtz
Nicholas Plakans

Technology and life sciences (TLS) companies, by their nature, maintain large sets of sensitive information – intellectual property data, systems and customer information. Because of this, they are frequently targeted by threat actors. While companies have strengthened their cybersecurity defenses, publicly listed TLS companies now also need to be aware of the regulatory reporting requirements of the U.S. Securities and Exchange Commission (SEC).

Background

In July 2023, the SEC adopted new rules regarding the disclosure of material cyber events and incidents for public reporting companies that fall under the Securities Exchange Act of 1934; the rules took effect with the first annual reports for fiscal years ending on or after December 15, 2023. Included in this new rule was the addition of Regulation S-K Item 106, which requires registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats; the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents; and a description of the board of directors’ oversight of risks and management’s role and expertise in assessing and managing material risks from cybersecurity threats. This new rule applies to all issuers, regardless of reporting status, including smaller reporting companies (SRCs), emerging growth companies (EGCs), and foreign private issuers (FPIs), and includes disclosures regarding companies’ processes to identify, assess, and manage material cybersecurity threats. In addition to the cybersecurity risk management, strategy, and governance disclosures in annual reports on Forms 10-K and 20-F, companies are required to disclose any cybersecurity incident under new Item 1.05 of Form 8-K within four business days after the incident is deemed to be material to a “reasonable investor.” Companies within the TLS space, along with the financial services industry, are among the most susceptible to experiencing any sort of potential security vulnerability. While the reporting requirements were consistent across the board, filers handled this new section of the report in different manners.

Trends in Reporting

Since this new disclosure rule did not have a phase-in approach, many companies did not have the ability to compare or benchmark their disclosures against peers. Thus, EisnerAmper reviewed a variety of these first-year disclosures from TLS companies of varied sizes, industries, and reporting statuses, including large-accelerated filers, accelerated filers, non-accelerated filers, SRCs, and EGCs. We found that the content and depth of cybersecurity disclosures among filers varied based on their industry and size, but there were noted trends in the length, governance, frameworks, and substance of the section. While many filers followed a similar structure in their reports, a few took a different approach to the disclosure. As this was the first year these disclosures were required, it remained unclear how in-depth filers would go in disclosing their cybersecurity management.

Length

The length of each disclosure spanned five to seven paragraphs, with large-accelerated filers typically on the longer side and more robust in their reporting, even when they had no incidents to report.

Frameworks

Because the SEC requires companies to disclose their cybersecurity risk management and strategy, the disclosures naturally discuss the common security frameworks adopted by each organization. The most frequently referenced frameworks throughout the disclosures were the National Institute of Standards and Technology (NIST) framework and the ISO 27001 standard, with other filers referencing no framework at all.

Governance

The audit committee and chief information security officer (CISO) are two of the most common overseers of the cybersecurity risk management programs and managers of cybersecurity risks, with others including chief technology officers, cyber security committees, directors of information technology, and boards of directors. With these individuals/committees in place, organizations can have a structured and accurate reporting trail for material cyber events, while ideally preventing them from the start. 

Risk Management Strategies

Many filers also detailed their risk management strategies within the company, including mentions of annual cybersecurity training for all employees, third-party risk management processes, the use of service providers for cybersecurity monitoring, and the build-out of new and improved cybersecurity programs. 

Disclosure of Material Cybersecurity Incidents

With the rule also requiring an Item 1.05 Form 8-K to be filed within four business days of a cyber event being deemed as material, companies had no new incidents to report in their annual 10-K filings. However, some filers disclosed incidents that had occurred in prior years, although they remained broad about the actual extent of the incident, instead calling out how the response protocol went into effect and that business disruptions were limited. 

Several companies have made Item 1.05 Form 8-K filings since the ruling went into effect, with some even amending their first Form 8-K filings to disclose additional information. There seemed to be initial confusion on which item companies should file under when disclosing recent cybersecurity incidents. Despite companies disclosing cybersecurity incidents under Item 1.05, titled “Material Cybersecurity Incidents,” a few companies expressed that they deemed the incident to likely not be material. 

The SEC has since provided clarification on its rule, noting that if a company chooses to disclose a cybersecurity incident for which a materiality determination has not yet been made, or which has been determined not to be material, the company should disclose the incident under a different item of Form 8-K, pointing to Item 8.01 (Other Events). Companies should only file under Item 1.05 when a cybersecurity incident has been determined to be material. By distinguishing a Form 8-K filed under Item 1.05 for a material cybersecurity incident from a Form 8-K filed voluntarily under Item 8.01 for other cybersecurity incidents, there is less risk that investors will misinterpret immaterial cybersecurity incidents as material. If a company initially files under Item 8.01 of Form 8-K and later determines that the incident is material, it should file an Item 1.05 Form 8-K within four business days of that determination, making sure the requirements of Item 1.05 are met.

Most recently, the SEC has also clarified that this new rule does not prohibit a company from sharing additional information privately with commercial counterparties, or other companies which may be impacted by or at risk from the same incident.

As the 2024 reporting period gets underway, cyber disclosure reporting will be much more prominent and the different threats identified will be much more transparent as companies posture themselves to defend against the ever-evolving cyber threat landscape. We also anticipate companies will be revising their 10-K disclosures in their next filing to be more consistent with their peer groups.

R. Charles Waring

Charles Waring is a Partner in the Assurance and Technology Control Services Practice within the Audit Group, and a leader of the firm’s Environmental, Social and Governance Services (“ESG”) practice.
