In today's digital age, cybersecurity is a critical concern for businesses of all sizes.
The Securities and Exchange Commission (SEC) has recognized this and recently adopted new rules requiring public companies to disclose material cybersecurity incidents and to provide annual disclosures on their cybersecurity risk management, strategy, and governance.
In this blog, we'll take a closer look at the disclosure of security incidents required by these new regulations. We'll also look at how the new rules fit into the broader risk management requirements for public companies and discuss when they go into effect.
Disclosure of Material Cybersecurity Incidents
Under the new rules, registrants must disclose any material cybersecurity incident they experience under new Item 1.05 of Form 8-K, within four business days after a breach.
Registrants must describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.
The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.
SEC Chair Gary Gensler said that by "[helping] to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them."
Description of Cybersecurity Risk Management, Strategy, and Governance
The new rules also add a requirement for registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.
The new rules require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.
These disclosures will be required in a registrant's annual report as well.
Effective Dates and Compliance
The final rules will become effective 30 days following publication of the adopting release in the Federal Register.
The main disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023.
Other disclosures will be due beginning on the later of 90 days after the date of publication in the Federal Register or December 18, 2023.
Smaller reporting companies will have an additional 180 days before they must begin providing the disclosures. As for the structured data requirements, all registrants must tag the disclosures required under the final rules in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.
Conclusion
The SEC's new rules on cybersecurity risk management, strategy, governance, and incident disclosure by public companies are a step forward in ensuring consistent, comparable, and decision-useful cybersecurity disclosure for investors, companies, and the markets connecting them.
By requiring public companies to disclose material cybersecurity incidents and provide annual disclosures on their cybersecurity risk management, strategy, and governance, the SEC is helping to ensure that investors have the information they need to make informed decisions.
In summary, the SEC's new rules require public companies to disclose material cybersecurity incidents and to provide annual disclosures on their cybersecurity risk management, strategy, and governance. These disclosures will help ensure consistent, comparable, and decision-useful cybersecurity disclosure for investors, companies, and the markets connecting them. The new rules also require foreign private issuers to make comparable disclosures.
Through all of these measures, the agency aims to give investors more of the information they need to make informed decisions.