This week the SEC announced the adoption of final rules requiring the disclosure of material cybersecurity incidents on Form 8-K. The rules also call for periodic disclosure of a registrant’s cybersecurity management, strategy, and governance in annual reports.
The march toward this news began in March 2022. That’s when the Commission proposed new rules, rule amendments, and form amendments designed to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and material cybersecurity incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.
In the Wednesday announcement, SEC Chair Gary Gensler states that “currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”
You can read the SEC’s full announcement here. In a continued effort to provide our clients with timely and clear insights into the latest developments, here are some of the key requirements and deadlines that all affected parties should follow moving forward.
Form 8-K: New Item 1.05
- Registrants will be required to disclose any cybersecurity incidents they determine to be material. This must include a description of the material aspects of the nature, scope, and timing of the incident as well as the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations.
- An Item 1.05 Form 8-K must be filed within four business days of the determination that an incident is material. A registrant may delay filing (more on that below) if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.
- Registrants must amend a prior Item 1.05 Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing.
- Under new Item 106(b), registrants will be required to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats. They must also describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition.
- Item 106(c) calls for registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.
- This form stipulates that foreign private issuers must furnish information on material cybersecurity incidents that they make or are required to make public or otherwise disclose in a foreign jurisdiction to any stock exchange or to security holders.
- Form 20-F will require foreign private issuers to make periodic disclosure comparable to that required in new Regulation S-K Item 106.
As always, with new rule amendments come new dates that all affected entities must recognize. The final rule will go into effect 30 days after publication in the Federal Register. Additional key dates include:
- Regulation S-K Item 106 and the comparable requirements in Form 20-F: All registrants must provide such disclosures beginning with the annual reports for fiscal years ending on or after December 15, 2023.
- Form 8-K Item 1.05 and Form 6-K: All registrants, not including smaller reporting companies, must begin complying on the later of 90 days after the date of publication in the Federal Register or December 18, 2023.
- Form 8-K Item 1.05: Smaller reporting companies have an additional 180 days and must begin complying on the later of 270 days from the effective date of the rules or June 15, 2024.
Compliance and Structured Data Requirements:
One last detail worth pointing out is that all registrants must tag disclosures in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.
For anyone with questions about these rules, we encourage you to reach out to the DFIN team. Our experts will provide not only answers but also guidance on how this may impact your business and the steps you must take to comply. As always, check this blog regularly for updates on the latest developments.