The Securities and Exchange Commission (SEC) has introduced new cybersecurity disclosure requirements, referred to as the “Final Rules,” which apply to all types of SEC filers, including domestic issuers, foreign private issuers (FPIs), smaller reporting companies, and emerging growth companies. The rules were adopted on July 26, 2023, and are effective September 5, 2023. Above all, these rules aim to enhance transparency and governance in cybersecurity for public companies.
Disclosure of Material Cybersecurity Incidents (Form 8-K):
Domestic issuers must file a Current Report on Form 8-K within four business days after determining that a cybersecurity incident is material. Specifically, the disclosure should describe the incident’s nature, scope, and timing, and its material impact on the issuer’s financial condition and results of operations. The definition of “cybersecurity incident” is broad enough to cover a series of related unauthorized occurrences, not only a single event. A delay in reporting is allowed only if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.
Key Takeaway on Disclosing Cyber Incidents
It is crucial for public companies to establish internal processes that help determine whether a cybersecurity incident is material and that document all the necessary facts related to the incident.
Because of the disclosure timeline, companies must prepare in advance to carry out these assessments and disclosures, and this holds even if the cybersecurity incident is still ongoing. The security, legal, and corporate communications teams of public companies must therefore work together to adapt their cyber incident response strategies and financial reporting processes to meet these obligations.
Disclosure of Material Cybersecurity Incidents (Form 6-K):
Foreign private issuers must furnish a Form 6-K to the SEC if they disclose material cybersecurity incidents in a foreign jurisdiction to stock exchanges or security holders.
Most issuers must comply with the cybersecurity incident disclosure requirements by December 18, 2024 (or later if specified in the Federal Register). However, smaller reporting companies have an additional 180 days for compliance.
Cybersecurity Risk Management, Strategy, and Governance Disclosure (Form 10-K and 20-F):
A new Item 106 to Regulation S-K requires annual disclosures in Form 10-K and 20-F reports about cybersecurity governance, risk management, and strategy. Issuers must describe their risk management processes for cybersecurity threats and assess their impact on business strategy, results, and financial condition. Governance-related disclosures should identify board committees overseeing cybersecurity risks and describe management’s role in managing these risks.
Compliance Dates for Risk Management, Strategy, and Governance Disclosure:
All issuers, including smaller reporting companies and emerging growth companies, must comply with Item 106 starting with annual reports for fiscal years ending on or after December 15.
Disclosures in Inline eXtensible Business Reporting Language (XBRL):
New disclosure requirements must be tagged in XBRL format starting on December 18, 2024 (or later if specified in the Federal Register).
Action Items for Companies:
- Hold board discussions on the new disclosure requirements and on cybersecurity updates.
- Develop or enhance strategies, policies, and procedures for managing and mitigating cybersecurity risks.
- Regularly assess and update cybersecurity policies and procedures to align with industry standards.
These new SEC cybersecurity disclosure requirements aim to bolster transparency, governance, and preparedness in addressing cybersecurity risks for public companies. The adoption of these rules could signal that greater federal cybersecurity enforcement is imminent, which in turn could mean that corporate leaders face increased personal liability and regulatory scrutiny. It is therefore essential for affected companies to take proactive steps to ensure compliance and strengthen their cybersecurity practices.
How M.A. Polce Can Help
The SEC’s new cybersecurity disclosure requirements raise the stakes for business leaders. As a trusted IT security company, M.A. Polce can assist businesses impacted by the new SEC cybersecurity disclosure requirements. Our team can conduct thorough cybersecurity assessments, develop robust incident response plans, establish effective risk management processes, and enhance governance structures to ensure compliance. We offer comprehensive cybersecurity solutions including technical defenses and continuous monitoring. Additionally, we can provide tailored training and awareness programs for your staff and board members. Take proactive steps to strengthen your cybersecurity posture and meet SEC requirements by partnering with M.A. Polce. Contact us today to ensure your business is well-prepared to address evolving cybersecurity expectations.