
SEC Requires Public Companies to Disclose Cybersecurity Incidents

In a move aimed at enhancing transparency and protecting investors, the Securities and Exchange Commission (SEC) has recently adopted new rules that require public companies to provide detailed disclosures on their cybersecurity risk management, strategy, governance, and any material cybersecurity incidents they experience. The decision came into effect on July 26, 2023.

SEC Chair Gary Gensler emphasized the importance of consistent and comparable cybersecurity disclosures, comparing the significance of a cybersecurity incident to that of a physical event, like a fire causing damage to a company’s facilities. The goal is to ensure that investors have access to relevant information that can help them make informed decisions about their investments.

Key points:

  1. Disclosure of Material Cybersecurity Incidents

    Public companies will now be required to disclose any material cybersecurity incidents they experience. This disclosure must be made on the new “Item 1.05 of Form 8-K.” Companies need to provide details about the nature, scope, and timing of the incident, and its material impact on the company. Generally, the disclosure should be made within four business days after the company determines that the incident is material. However, disclosure can be delayed if the U.S. Attorney General determines that immediate disclosure could pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing.

  2. Description of Cybersecurity Risk Management

    Companies will also have to describe their processes for assessing, identifying, and managing material risks related to cybersecurity threats. This includes disclosing the effects of past cybersecurity incidents on their business operations. Additionally, companies must provide insights into the board of directors’ oversight of cybersecurity risks and the expertise of management in handling such risks. These disclosures will be required in the company’s annual report on “Form 10-K.”

  3. Applicability to Foreign Private Issuers

    The new rules extend to foreign private issuers as well. They will be required to provide comparable disclosures for material cybersecurity incidents on “Form 6-K” and for cybersecurity risk management, strategy, and governance on “Form 20-F.”

Timeline for compliance:

  • The final rules will become effective 30 days after publication in the Federal Register.

  • Companies will need to start providing the Form 10-K and Form 20-F disclosures for fiscal years ending on or after December 15, 2023.

  • The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after publication in the Federal Register or December 18, 2023.

  • Smaller reporting companies will have an additional 180 days before they must start providing the Form 8-K disclosure.

  • All registrants must tag disclosures required under the final rules in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.

With the growing prominence of cybersecurity regulations, professionals, including auditors and cybersecurity experts, can expect increased business opportunities as they help companies meet the new reporting requirements. Inadequate cybersecurity controls can have severe financial and reputational consequences, and similar reporting requirements may be adopted by other stock exchanges in the future.

Given the evolving landscape, it’s crucial for boards to recognize the growing importance of cybersecurity and data protection during budgeting decisions. Failure to do so could expose the board to potential liability for any inaccuracies in their disclosures.
