Rules that require registrants to disclose experienced material cybersecurity incidents, including annual material information on cybersecurity risk management, strategy, and governance have just been adopted by the SEC. Foreign private issuers will also be required to make comparable disclosures.
With the adopted rules, registrants will, on the new Item 1.05 of Form 8-K, be required to disclose any cybersecurity incident they determine to be material, and describe the material sides of the incident’s:
- nature;
- scope;
- timing; and
- its material impact or reasonably likely material impact on the registrant.
“Whether a company loses a factory in a fire – or millions of files in a cybersecurity incident – it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”
Material risks from cyber threats
Regulation S-K Item 106 will also be added to the requirements, where registrants need to describe (if any) processes for:
- assessing, identifying; and managing material risks from cybersecurity threats; and
- the material or reasonably likely material effects of risks from cybersecurity threats, and previous cyber incidents.
With Item 106, registrants will also be required to describe:
- the board of directors’ oversight of risks from cybersecurity threats; and
- the management’s role and expertise in assessing and managing the material threat risks.
This information will be required in the annual report on Form 10-K.
“Whether a company loses a factory in a fire – or millions of files in a cybersecurity incident – it may be material to investors.”
SEC Chair Gary Gensler
Besides the listed requirements above, the rules will also need comparable disclosures by foreign private issuers for material cybersecurity incidents – on Form 6-K, and cybersecurity risk management, strategy, and governance – on Form 20-F for.
“Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them,” Gensler added.
The final rules will become effective 30 days after publication in the Federal Register. The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023.
The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the publication date in the Federal Register or December 18, 2023.
Smaller reporting firms will have an additional 180 days before providing the Form 8-K disclosure.