In a move aimed at enhancing transparency and protecting investors, the Securities and Exchange Commission (SEC) has adopted new rules that require public companies to disclose their cybersecurity risk management, strategy and governance, along with any material cybersecurity incidents they experience. The rules were adopted on July 26, 2023, and took effect on September 5, 2023, with compliance dates phased in after that.
SEC Chair Gary Gensler emphasized the importance of consistent and comparable cybersecurity disclosures, comparing the significance of a cybersecurity incident to that of a physical event, like a fire causing damage to a company’s facilities. The goal is to ensure that investors have access to relevant information that can help them make informed decisions about their investments.
Public companies must now disclose any cybersecurity incident they determine to be material, using the new Item 1.05 of Form 8-K. The disclosure must describe the material aspects of the incident’s nature, scope and timing, and its material impact, or reasonably likely material impact, on the company, including its financial condition and results of operations. The filing is generally due within four business days after the company determines that the incident is material, and that materiality determination must itself be made without unreasonable delay once the incident is discovered. Disclosure may be delayed only if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing. Notably, the rule does not require a company to disclose specific technical details about its planned response, its systems and networks, or potential vulnerabilities in such detail that it would impede its response to or remediation of the incident.
Companies must also describe their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, and state whether any such risks, including those arising from previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect their business strategy, results of operations or financial condition. In addition, they must describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing those risks. These disclosures, set out in new Item 106 of Regulation S-K, are required in the company’s annual report on Form 10-K.
The new rules extend to foreign private issuers as well. They will be required to provide comparable disclosures for material cybersecurity incidents on “Form 6-K” and for cybersecurity risk management, strategy, and governance on “Form 20-F.”
As cybersecurity regulation becomes more prominent, professionals such as auditors and cybersecurity specialists can expect growing demand for help in meeting the new reporting requirements. Inadequate cybersecurity controls can carry severe financial and reputational consequences, and similar reporting requirements may well be adopted by other regulators and exchanges in the future.
Given this evolving landscape, boards should weigh the growing importance of cybersecurity and data protection when making budgeting decisions. A company whose disclosed risk-management processes and governance do not match what is actually funded and practised exposes its board to potential liability for inaccurate disclosures.