The Securities and Exchange Commission (SEC) recently adopted new rules requiring companies to disclose material cybersecurity incidents they experience and to disclose, on an annual basis, material information about their cybersecurity risk management, strategy, and governance.
This requirement also extends to foreign private issuers, who are now expected to provide similar disclosures.
SEC's Focus on Cybersecurity
SEC Chair Gary Gensler emphasized the importance of such disclosures, comparing the impact of a cybersecurity incident to that of a physical disaster such as a factory fire. The goal is to provide investors with consistent, comparable, and decision-useful information. The SEC expects the new rules to benefit companies and investors alike.
The specifics of the new rules dictate that registrants must disclose any cybersecurity incident deemed material on the newly introduced Item 1.05 of Form 8-K. This disclosure should include details about the incident's nature, scope, timing, and its material impact or reasonably likely material impact on the registrant.
Generally, a registrant must file the Form 8-K within four business days of determining that the incident is material. However, the disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and communicates that determination in writing to the Commission.
Additionally, the rules introduce Regulation S-K Item 106, which requires registrants to outline their processes for assessing, identifying, and managing material cybersecurity risks. They must also disclose the material effects or reasonably likely material effects of cybersecurity threats and any previous cybersecurity incidents. Furthermore, the registrants need to describe the board of directors' oversight of cybersecurity risks and the expertise of management in dealing with such risks. These disclosures will be made in the annual report on Form 10-K.
Foreign private issuers are also held to the same standards in disclosing material cybersecurity incidents on Form 6-K and cybersecurity risk management, strategy, and governance on Form 20-F.
The new rules will take effect 30 days after their publication in the Federal Register. The Form 10-K and Form 20-F disclosures will be required for annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures will be due beginning on the later of 90 days after publication in the Federal Register or December 18, 2023.
Smaller reporting companies have an additional 180 days before they must begin providing the Form 8-K disclosure. With respect to the structured data requirements, all registrants must tag the disclosures in Inline XBRL beginning one year after their initial compliance with the related disclosure requirement.