SEC Adopts Rules on Cybersecurity Disclosures and Requirements: A Recap of the Past Week

The Securities and Exchange Commission (SEC) has been actively focusing on enhancing cybersecurity disclosures and requirements for public companies. As cyber threats continue to evolve and pose significant risks to businesses and investors, the SEC’s efforts aim to improve transparency and accountability in the realm of cybersecurity.  A summary of key SEC developments in the past week related to cybersecurity disclosures and requirements follows.

Background

  • In March 2022, the SEC proposed new rules and amendments related to cybersecurity to enhance disclosures. This follows interpretive guidance provided in 2011 and 2018. This also comes on the heels of the National Cybersecurity Strategy being issued in March 2023 and the related implementation plan in July.
  • The final rules for adoption were released on July 26, 2023.

Disclosure

  • Incident notification: Any cybersecurity incident that a public company determines to be material must be disclosed within four (4) business days after the registrant determines that a cybersecurity incident is material. The disclosure will be captured in Item 1.05 of Form 8-K and the disclosure should describe the material aspects of the incident’s nature, scope and timing, as well as its material impact or reasonably likely material impact on the registrant. A delay can be granted if the US Attorney General determines that the disclosure would pose a risk to national security or public safety. Foreign issuers are required to submit similar disclosures on Form 6-K.
  • Annual reporting: Registrants will be required to add within the annual report on Form 10-K a Regulation S-K Item 106. This item will include the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. The Registrant also must describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. Foreign issuers are required to submit similar disclosures on Form 20-F.

Implementation Timeline

  • Incident notification disclosures (Form 8-K and 6-K) will begin the later of 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days.
  • Annual reporting disclosures will begin for annual reports for fiscal years ending on or after December 15, 2023.

What Didn’t Make the Final Cut?

  • The SEC proposed a rule that boards disclosure if they have a director with cyber expertise; however, the final rule does not include that requirement. Instead, Registrants must describe the board’s oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.
  • Additionally, the proposed requirements to aggregate immaterial incidents and report updates on priorly disclosed incidents were not included in the final rule.

What Should Public Companies Do?

  • Organize a cybersecurity committee (if not already formed) including key executives to proactively align the company’s cyber and overall risk management efforts to these requirements.
  • Setup a communication plan with the Board to ensure oversight and proper risk management and compliance efforts.
  • Define cyber materiality using the SEC definitions and guidance.
  • Educate leadership and board members and promote awareness throughout the organization.
  • Involve the proper experts to advise, guide and support these efforts.

Conclusion

The SEC’s recent developments in cybersecurity disclosures and requirements reflect the growing significance of cybersecurity in the corporate landscape. The increased focus on transparency and accountability highlights the need for companies to prioritize cybersecurity risk management and provide accurate and timely disclosures to investors. As the cyber threat landscape continues to evolve, companies must stay vigilant in assessing and improving their cybersecurity practices to safeguard their operations, reputation and shareholders’ interests.

Explore related insights