In a significant move to enhance transparency and accountability in the business world, the Securities and Exchange Commission (SEC) has announced the adoption of new rules requiring public companies to disclose material cybersecurity incidents they experience. The rules also require companies to disclose, on an annual basis, material information about their cybersecurity risk management, strategy, and governance. Foreign private issuers will be subject to comparable requirements, ensuring a consistent and standardized approach to cybersecurity disclosures.
SEC Chair Gary Gensler emphasized the importance of such disclosures, drawing parallels between the significance of revealing a factory fire and disclosing a cybersecurity incident. "Through helping to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them," Gensler stated.
Key Provisions of the New Rules:
Timely Disclosure of Cybersecurity Incidents: Under the new rules, registrants must report any cybersecurity incident they determine to be material on the newly introduced Item 1.05 of Form 8-K. The disclosure must describe the material aspects of the incident's nature, scope, and timing, along with its material impact or reasonably likely material impact on the registrant. Generally, an Item 1.05 Form 8-K must be filed within four business days of the registrant determining that a cybersecurity incident is material. Disclosure may be delayed, however, if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing.
Annual Reporting of Cybersecurity Risk Management: The newly added Regulation S-K Item 106 requires registrants to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats. Companies must also describe the material effects, or reasonably likely material effects, of such risks, and explain the board of directors' oversight of risks from cybersecurity threats. Management's role and expertise in assessing and managing those risks must be disclosed as well. This information must be included in a company's annual report on Form 10-K.
Comparable Disclosures by Foreign Private Issuers: Foreign private issuers will be subject to parallel requirements, disclosing material cybersecurity incidents on Form 6-K and providing cybersecurity risk management, strategy, and governance disclosures on Form 20-F.
Implementation and Compliance Deadlines:
The final rules will take effect 30 days after publication in the Federal Register. Companies must begin complying with the new Form 10-K and Form 20-F disclosure requirements for fiscal years ending on or after December 15, 2023. Form 8-K and Form 6-K disclosures will be required beginning 90 days after publication in the Federal Register or on December 18, 2023, whichever is later. Smaller reporting companies are granted an additional 180 days before they must begin providing the Form 8-K disclosure. Additionally, all registrants must tag the disclosures required under the final rules in Inline XBRL, beginning one year after initial compliance with the related disclosure requirement.
The SEC's adoption of these rules marks a significant step towards greater transparency, consistency, and investor protection at a time when cybersecurity threats pose substantial risks to public companies. By requiring companies to disclose material incidents and their approaches to risk management, the SEC aims to support informed investment decisions and strengthen market integrity.