January 17, 2024
Cybersecurity Risk Management And You (2024 Focus)

Cybersecurity Risk Management: Regulation Overview

In July 2023 the Securities and Exchange Commission (SEC) adopted new cybersecurity disclosure rules to give investors consistent, comparable information about material cybersecurity incidents and about registrants’ cybersecurity risk management, strategy, and governance. Registrants must disclose any cybersecurity incident they determine to be material, describing the material aspects of its nature, scope, and timing and its material impact, or reasonably likely material impact, on the registrant, including its financial condition and results of operations. They must also disclose, on an annual basis, material information about their cybersecurity risk management, strategy, and governance. Foreign private issuers must make comparable disclosures.

The rules are intended to help investors understand cybersecurity risks and how companies manage and respond to them; the SEC expects them to benefit investors, registrants, and the markets that connect them. The final rules took effect 30 days after publication of the adopting release in the Federal Register (September 5, 2023). The Form 10-K and Form 20-F disclosures are required beginning with annual reports for fiscal years ending on or after December 15, 2023. Note that Form 10-K is an annual report, not a quarterly one: a 10-K covering a fiscal year ended December 31, 2023 must include the new disclosures, while a 10-K covering a fiscal year ended September 30, 2023, even if filed in January 2024, does not, because that fiscal year ended before December 15, 2023.

Who is affected by the rules?

The new rules apply to domestic registrants and foreign private issuers (FPIs) subject to the reporting requirements of the Exchange Act, and to business development companies (BDCs) as defined in section 2(a)(48) of the Investment Company Act of 1940. Note: the new rules do not apply to investment companies registered under the Investment Company Act of 1940.

Here are the key points:

Disclosure of Material Cybersecurity Incidents:
  • Public companies must disclose material cybersecurity incidents under new Item 1.05 of Form 8-K.
  • The disclosure must describe the material aspects of the incident’s nature, scope, and timing, and its material impact, or reasonably likely material impact, on the registrant, including its financial condition and results of operations.
  • The materiality determination must be made without unreasonable delay after the incident is discovered, and the Item 1.05 Form 8-K is due within four business days after the registrant determines the incident is material (not four business days after discovery).
  • Disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing.
  • Compliance with the incident disclosure requirement began December 18, 2023; smaller reporting companies have an additional 180 days, until June 15, 2024.
Annual Disclosure on Cybersecurity Risk Management:
  • Registrants must provide annual information about their cybersecurity risk management, strategy, and governance (new Item 106 of Regulation S-K).
  • This disclosure is included in the registrant’s annual report on Form 10-K.
  • It covers the registrant’s processes for assessing, identifying, and managing material risks from cybersecurity threats; whether any such risks have materially affected, or are reasonably likely to materially affect, the registrant; the board of directors’ oversight of those risks; and management’s role and expertise in assessing and managing them.
Comparable Disclosures for Foreign Private Issuers:
  • Foreign private issuers must make comparable disclosures.
  • Material cybersecurity incidents are reported on Form 6-K, and cybersecurity risk management, strategy, and governance are disclosed annually on Form 20-F.

These rules aim to provide consistent, comparable, and decision-useful cybersecurity disclosure for investors, companies, and the markets. The final rules became effective 30 days after publication in the Federal Register, with the Form 10-K and Form 20-F disclosures due for fiscal years ending on or after December 15, 2023.


Resources

The adopting release for these new rules can be found on the Commission’s website at https://www.sec.gov/files/rules/final/2023/33-11216.pdf

The Commission’s disclosure forms can be accessed on the agency’s website at https://www.sec.gov/forms

SEC Fact Sheet (sec.gov)

SEC.gov | Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure


Additional Tags: Cybersecurity, New SEC Cyber Rule

RegVerse Team