The Securities and Exchange Commission's (SEC) new rules require registrants to disclose the material cybersecurity incidents they experience and, on an annual basis, to disclose information about their cybersecurity risk management, strategy, and governance. The SEC also adopted comparable rules for foreign private issuers.
According to the SEC's official statement, the new rules are intended to make cybersecurity disclosure more transparent. The SEC representative noted that many public companies already provide some cybersecurity disclosure to investors, but emphasised that rules requiring companies to disclose relevant cybersecurity information in a consistent way would benefit investors, companies, and the markets that connect them.
Alongside the new rules, the SEC introduced Item 1.05 of Form 8-K, under which a registrant must report a material cybersecurity incident. The Form 8-K will generally be due four business days after the registrant determines that the incident is material.
Disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety. In that case, the Attorney General must notify the Commission of the determination in writing.
The SEC also introduced Regulation S-K Item 106, which requires registrants to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects, or reasonably likely material effects, of risks from cybersecurity threats and of previous cybersecurity incidents.
Item 106 additionally requires registrants to describe the board of directors' oversight of risks from cybersecurity threats, and management's role and expertise in assessing and managing material risks from those threats. These disclosures are required in a registrant's annual report on Form 10-K.
Comparable disclosures are mandated by the rules for foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.
According to the official statement, the final rules are to be effective 30 days after the publication of the adoption release in the Federal Register.
The Form 10-K and Form 20-F disclosures will be due starting with annual reports for fiscal years ending on or after December 15, 2023.
Form 8-K and Form 6-K incident disclosures will be required beginning on the later of 90 days after the date of publication in the Federal Register or December 18, 2023.
As outlined in the announcement, smaller reporting companies are granted an additional 180 days before they must begin providing the Form 8-K disclosure.