The Securities and Exchange Commission (SEC) adopted new cybersecurity disclosure rules in 2023 to ensure that investors receive consistent information about material cybersecurity incidents as well as companies’ cybersecurity risk management, strategy, and governance. The SEC requires registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. The new rules will require registrants to disclose any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. The SEC also requires foreign private issuers to make comparable disclosures.
The SEC’s new rules are intended to help shareholders better understand cybersecurity risks and how companies are managing and responding to them. The SEC believes that the new rules will benefit investors, companies, and the markets connecting them. The SEC’s new rules will become effective 30 days following publication of the adoption release in the Federal Register. The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. This will mean that all 10-Ks and Form 20-Fs filed for the quarter ending December 31, 2023 will be required to include this requirement. Those 10ks filed in January 2024 for Quarterly Period ended 9/30/23 will not require the application of the new rule.
The new rules affect domestic registrants and Foreign Private Issuers (FPIs) subject to the reporting requirements under the Exchange Act. The rules also apply to business development companies (“BDCs”) as defined in section 2(a)(48) of the Investment Company Act of 1940. Note: The new rules do not apply to investment companies registered under the Investment Company Act of 1940.
Companies must provide annual information regarding their cybersecurity risk management, strategy, and governance.
This disclosure will be included in a registrant’s annual report on Form 10-K.
It will cover processes for assessing, identifying, and managing material risks from cybersecurity threats, as well as the board of directors’ oversight and management’s expertise in handling such risks.
Foreign private issuers are also required to make comparable disclosures.
These disclosures will be made on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.
These rules aim to ensure consistent, comparable, and decision-useful cybersecurity disclosure, benefiting investors, companies, and the markets. The final rules become effective 30 days after publication in the Federal Register, with Form 10-K and Form 20-F disclosures due for fiscal years ending on or after December 15, 2023.
Resources
The adopting release for these new rules can be found on the Commission’s website at https://www.sec.gov/files/rules/final/2023/33-11216.pdf
The Commission’s disclosure forms can be accessed on the agency’s website at https://www.sec.gov/forms
SEC.gov | Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
.png){kind=avatar}
1300 El Camino Real Suite 100
Menlo Park, CA 94025
(408) 320-0387
info@surgeventures.com
