What the SEC’s New Cybersecurity Requirements Mean for Companies

In a rapidly evolving digital landscape, the Securities and Exchange Commission (SEC) has taken a significant step to enhance the cybersecurity transparency of public companies. The SEC recently adopted new rules that require registrants to disclose material cybersecurity incidents and provide annual information about their cybersecurity risk management, strategy, and governance. These regulations aim to ensure that investors, companies, and the markets are better informed about the cybersecurity risks and incidents affecting public companies.

The SEC’s Cybersecurity Disclosure Rules

The rules newly adopted by the SEC are a response to the growing importance of cybersecurity in the business world. The regulations require public companies to disclose material cybersecurity incidents and to provide information on their risk management, strategy, and governance. This development stems from the understanding that cybersecurity incidents can have a significant impact on a company’s operations and its attractiveness to investors.

Disclosing Material Cybersecurity Incidents

One of the key aspects of the SEC’s new rules is the requirement for registrants to disclose material cybersecurity incidents. These disclosures should cover the nature, scope, and timing of the incident, as well as its material impact or reasonably likely material impact on the registrant. The disclosures will be made in a new section, Item 1.05 of Form 8-K. Companies will generally have four business days to make these disclosures once they determine that a cybersecurity incident is material.

It’s important to note that disclosure can be delayed in cases where immediate disclosure would pose a substantial risk to national security or public safety, as determined by the United States Attorney General. This provision is in place to balance the need for transparency with concerns related to national security.

Description of Cybersecurity Risk Management

In addition to disclosing incidents, public companies are required to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats. This includes detailing the material effects or reasonably likely material effects of such risks and any previous cybersecurity incidents. Furthermore, registrants must describe the board of directors’ oversight of risks related to cybersecurity threats and the role and expertise of management in managing these risks. These disclosures will be part of a registrant’s annual report on Form 10-K.

Applicability to Foreign Private Issuers

The SEC’s new cybersecurity disclosure rules also apply to foreign private issuers. They are required to make comparable disclosures on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance. This move ensures that transparency regarding cybersecurity is consistent across all public companies, regardless of their origin.

Implementation Timeline

Public companies will need to comply with the new rules according to the following timeline:

  • Form 10-K and Form 20-F Disclosures: These disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. Public companies will have to provide comprehensive information about their cybersecurity risk management, strategy, and governance in these annual reports.
  • Form 8-K and Form 6-K Disclosures: These disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023. The Form 8-K disclosures, which pertain to material cybersecurity incidents, have a more immediate timeline to ensure timely disclosure.
  • Additional Time for Smaller Reporting Companies: Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure. This provision recognizes the potential resource limitations that smaller companies may face.
  • Structured Data Requirements: To enhance transparency and accessibility, all registrants must tag disclosures required under the final rules in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.

Stay Updated and Aware

The SEC’s new cybersecurity disclosure rules mark a significant step toward enhancing transparency in the world of public companies. These regulations aim to provide investors with consistent, comparable, and decision-useful information about the cybersecurity risks and incidents affecting these companies. It’s a proactive move to ensure that investors, companies, and the markets are better equipped to navigate the ever-evolving landscape of cybersecurity threats.

As we navigate these changes, we at Unbound Digital are committed to assisting companies in meeting these new disclosure requirements. Our expertise in cybersecurity and regulatory compliance positions us to help you navigate this evolving landscape effectively. If you have any questions or need guidance in this regard, please don’t hesitate to contact us. We’re here to support your cybersecurity compliance journey.