SEC enhances cybersecurity disclosures

The SEC issued a Final Rule, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, to enhance and standardize cybersecurity disclosures by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. The amendments extend the disclosures about a registrant’s risk management, strategy, and governance in annual reports and require current reporting of material cybersecurity incidents. The Final Rule also requires a registrant to tag disclosures in Inline XBRL, beginning one year after the initial compliance date.

Annual reporting: Risk management, strategy, and governance disclosure

The Final Rule amends Form 10-K to require a registrant to provide information pursuant to the new Item 106 of Regulation S-K. Among other things, S-K Item 106 defines both a “cybersecurity incident” and a “cybersecurity threat,” as well as requires a registrant to disclose the following information:

• Risk management and strategy: Processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats, and whether any of these risks, including any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect its business strategy, results of operations, or financial condition
• Governance: (1) Board of directors’ oversight of risks from cybersecurity threats and, if applicable, identification of any board committee or subcommittee responsible for such oversight, including a description of the processes that inform the board or committee about such risks, and (2) management’s role in assessing and managing material risks from cybersecurity threats, including relevant expertise and communication with the board of directors

The Final Rule also adds Item 16K to Form 20-F to require similar disclosures for foreign private issuers.

Current reporting: Incident disclosure

The Final Rule adds Item 1.05 to Form 8-K to require disclosure of the nature, scope, and timing of a material cybersecurity incident, as well as the material impact or reasonably likely material impact of the incident on a registrant, including its financial condition and results of operations. Such disclosure on Form 8-K is required within four business days after a registrant determines that the incident is material.

The Form 8-K filing may be delayed, for a certain period, if the U.S. Attorney General determines that immediate disclosure of such incident would pose a substantial risk to national security or public safety. In such a situation, the Attorney General would need to notify the SEC about its determination in writing prior to the due date of filing Form 8-K.

A registrant is required to amend its initial Form 8-K to update its incident reporting by disclosing any further information that was either not determined or unavailable at the time of the initial Form 8-K filing within four business days of learning about the new information.

The Final Rule also amends Form 6-K to require a foreign private issuer to disclose information related to a material cybersecurity incident that was disclosed or required to be disclosed in foreign jurisdictions or to any stock exchange or security holders.

Compliance dates

Registrants are required to provide the new periodic reporting disclosures beginning with annual reports for fiscal years ending on or after Dec. 15, 2023.

Registrants, other than smaller reporting companies, are required to provide current reporting disclosures about material cybersecurity incidents beginning on Dec. 18, 2023 or 90 days after the amendments are published in the Federal Register, whichever is later.

Smaller reporting companies must comply with the current reporting requirements beginning on June 15, 2024 or 270 days after the amendments are published in the Federal Register, whichever is later.