To enhance transparency and safeguard investors, the Securities and Exchange Commission (SEC) has officially adopted new rules that mandate companies to disclose material cybersecurity incidents within four business days.
The companies must also provide annual information on their cybersecurity risk management, strategy, and governance. The rules will also apply to foreign private issuers, ensuring comparable disclosures.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”
According to the new rules, registrants must disclose any cybersecurity incident they determine to be material under the newly created Item 1.05 of Form 8-K. They are required to describe the nature, scope, and timing of the incident, as well as its material impact or potential impact on the registrant.
Generally, the disclosure must be made within four business days of determining that a cybersecurity incident is material. However, if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of that determination, the disclosure may be delayed.
Foreign private issuers must follow comparable disclosures for material cybersecurity incidents through Form 6-K and for cybersecurity risk management, strategy, and governance via Form 20-F.
The regulations also introduce Regulation S-K Item 106, which requires registrants to describe their processes for identifying, assessing, and managing material cybersecurity risks, along with the effects of such risks and of past cybersecurity incidents. Furthermore, companies must disclose the board of directors’ role in overseeing cybersecurity risks and management’s expertise in managing such threats.
These disclosures will be included in the registrant’s annual report on Form 10-K.
The effective date of the final rules is set to be 30 days after the publication of the adoption release in the Federal Register. For Form 10-K and Form 20-F disclosures, companies must comply beginning with annual reports for fiscal years ending on or after December 15, 2023. As for Form 8-K and Form 6-K, disclosures will be due 90 days after the Federal Register publication date or by December 18, 2023, whichever comes later.
Smaller reporting companies will receive an additional 180-day grace period before they are required to provide the Form 8-K disclosure.
Compliance with structured data requirements will also be necessary, with all registrants required to tag disclosures using Inline XBRL starting one year after initial compliance with the relevant disclosure mandate.
Although the rules are intended to bolster investor confidence and transparency, some believe they will prove challenging for small and still-growing companies.
“Increased disclosure should help companies compare practices and may spur improvements in cyber defences, but meeting the new disclosure standards could be a bigger challenge for smaller companies with limited resources,” said Lesley Ritter, VP for Moody’s Investors Service.