On July 26, 2023, the SEC (Securities and Exchange Commission) adopted new rules on cybersecurity disclosures.
They came into effect on September 5, and begin to apply from December 15 – although compliance dates vary depending on the type of disclosure and the type of organization.
If you’re unsure which rules apply to your organization, and what you need to do to meet your obligations, this blog provides an overview.
For more information, register for our free webinar, “An Introduction to the SEC Cybersecurity Disclosure Rules” on Thursday, November 30 from 11:00 – 11:45 am (EST).
Who do the SEC cybersecurity disclosure rules apply to?
The new SEC rules apply to domestic registrants and FPIs (foreign private issuers) subject to the reporting requirements of the Securities Exchange Act of 1934, and to BDCs (business development companies) as defined by the Investment Company Act of 1940.
What do the SEC cybersecurity disclosure rules require registrants to do?
Cybersecurity risk management, strategy, and governance disclosure
Item 106 is added to Regulation S-K, requiring registrants to disclose certain information about their cybersecurity risk management, strategy, and governance in their annual Form 10-K reports.
Item 16K is added to Form 20-F, requiring FPIs to disclose certain information about their cybersecurity risk management, strategy, and governance in their annual Form 20-F reports.
Material cybersecurity incident disclosure requirements
Item 1.05 is added to Form 8-K, requiring registrants to disclose any cybersecurity incident they determine to be material. They must disclose:
- The material aspects of the nature, scope, and timing of the incident
- The material impact or reasonably likely impact of the incident on them, including on their financial condition and operations
Disclosure is due four business days after the registrant determines that the cybersecurity incident is material, although a limited delay is allowed if the Attorney General determines in writing that disclosure would pose a substantial risk to national security or public safety.
Structured data requirements
Registrants must tag the disclosures made under the new rules in Inline XBRL (eXtensible Business Reporting Language).
What does ‘material’ mean in the context of Item 1.05?
The SEC clarifies that “information is material if ‘there is a substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision, or if it would have ‘significantly altered the “total mix” of information made available.’”
It continues: “Because materiality’s focus is on the total mix of information from the perspective of a reasonable investor, registrants assessing the materiality of a cybersecurity incident should do so through the lens of the reasonable investor. Their evaluation should take into consideration all relevant facts and circumstances, which may involve consideration of both quantitative and qualitative factors.”
What are the SEC cybersecurity disclosure rules compliance dates?
Compliance dates vary by the type of disclosure, with SRCs (smaller reporting companies) given a longer compliance period for incident reporting:
- December 15, 2023
All registrants, including SRCs, must start providing cybersecurity risk management, strategy, and governance disclosures in Form 10-K and Form 20-F.
- December 18, 2023
Registrants that are not SRCs must start providing material cybersecurity incident disclosures in Form 8-K and Form 6-K.
- June 15, 2024
SRCs must start providing material cyber incident disclosures in Form 8-K and Form 6-K.
- December 15, 2024
All registrants, including SRCs, must start tagging their Form 10-K and Form 20-F disclosures in Inline XBRL for fiscal years ending on or after December 15, 2024.
- December 18, 2024:
All registrants, including SRCs, must begin tagging their material cybersecurity incident disclosures in Inline XBRL by December 18, 2024.
Free webinar: An Introduction to the SEC Cybersecurity Disclosure Rules
Join IT Governance USA’s William Gamble on Thursday, November 30 at 11:00 am (EST) for a free webinar about the SEC’s cybersecurity disclosure rules.
- Get an overview of the SEC’s proposed rules and their significance
- Determine if your organization falls under the SEC’s jurisdiction
- Understand the compliance requirements for listed companies
- Get an in-depth examination of current laws, including:
- Disclosure requirements and materiality
- 10 B 5 implications
- Previous cyber incidents, hacks, and vulnerabilities
- Identify and address compliance challenges emerging from compliance issues