In a move aimed at enhancing transparency and safeguarding investors’ interests, the Securities and Exchange Commission (SEC) has adopted new rules regarding cybersecurity risk management, strategy, governance, and incident disclosure by public companies. These rules, announced on July 26, 2023, reflect the SEC’s commitment to ensuring that material cybersecurity incidents are reported in a consistent and decision-useful manner.
SEC Chair Gary Gensler emphasized the importance of these rules by stating, “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors.” The goal is to give investors a clearer and more comparable view of the cybersecurity posture of public companies, benefiting both investors and the broader financial markets.
Key Highlights of the New Rules:
Disclosure of Material Cybersecurity Incidents: Public companies will now be required to disclose material cybersecurity incidents under the newly introduced Item 1.05 of Form 8-K. This disclosure must describe the material aspects of the nature, scope, and timing of the incident, and its material impact or reasonably likely material impact on the registrant. The Form 8-K is generally due within four business days after the registrant determines that the incident is material, and that materiality determination must be made without unreasonable delay after discovery of the incident. What is considered material? The rules apply the established securities-law standard: information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision.
National Security Considerations: In cases where the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety, and notifies the Commission of that determination in writing, the disclosure may be delayed. This provision balances transparency against national security concerns.
Annual Reporting on Cybersecurity Risk Management: New Regulation S-K Item 106 requires registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats. It also requires disclosure of whether any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant. Additionally, registrants must describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing those risks. These disclosures will be part of a registrant’s annual report on Form 10-K.
Foreign Private Issuers: Foreign private issuers are also required to make comparable disclosures regarding cybersecurity incidents on Form 6-K and provide information on cybersecurity risk management, strategy, and governance on Form 20-F.
Important Dates and Compliance:
- The final rules will take effect 30 days following their publication in the Federal Register.
- Form 10-K and Form 20-F disclosures will be required for fiscal years ending on or after December 15, 2023.
- Form 8-K and Form 6-K incident disclosures will be required beginning on the later of 90 days after publication in the Federal Register or December 18, 2023.
- Smaller reporting companies will have an additional 180 days beyond that date before they must provide the Form 8-K incident disclosure.
- All registrants must tag the disclosures required under these rules in Inline XBRL beginning one year after their initial compliance date for the related disclosure requirement.
What does this mean for your organization?
These new SEC rules are a significant step toward ensuring that investors have timely and comprehensive information about cybersecurity risks and incidents at public companies. In practice, they mean a registrant needs a documented process for identifying incidents, escalating them to the people who can make a materiality determination without unreasonable delay, and producing a consistent description of the incident’s nature, scope, timing, and impact on a four-business-day clock. By promoting consistency and transparency in cybersecurity disclosures, the SEC aims to strengthen investor confidence and support informed decision-making in the ever-evolving landscape of cybersecurity threats.
Is your company up to date with the latest cybersecurity regulations? Don’t leave it to chance. Explore cybersecurity services from Cyber Sainik to ensure your business is protected and compliant. Secure your future today!