The SEC (Securities and Exchange Commission) has adopted new rules on cybersecurity risk management, strategy, governance, and incident disclosure.
The rules standardize cybersecurity disclosure requirements for public companies, investors, and market participants, and have two main components:
- Annual disclosure of cybersecurity risk management, strategy, and governance
- Disclosure of material cybersecurity incidents
These disclosures must be tagged in Inline XBRL (eXtensible Business Reporting Language).
Who do the rules affect?
The new SEC rules apply to domestic registrants and FPIs (foreign private issuers) subject to the reporting requirements of the Securities Exchange Act of 1934, and to BDCs (business development companies) as defined by the Investment Company Act of 1940.
What changes were introduced by the rules?
Cybersecurity risk management, strategy, and governance disclosure
Item 106 is added to Regulation S-K, requiring registrants to disclose certain information about their cybersecurity risk management, strategy, and governance in their annual Form 10-K reports.
Item 16K is added to Form 20-F, requiring FPIs to disclose certain information about their cybersecurity risk management, strategy, and governance in their annual Form 20-F reports.
Both Item 106 and Item 16K require registrants to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats. They must also state whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect them.
Item 106 and Item 16K also require registrants to describe their board’s supervision of risks from cybersecurity threats, as well as their management’s role in assessing and managing material risks from cybersecurity threats.
Material cybersecurity incident disclosure requirements
Item 1.05 is added to Form 8-K, requiring registrants to disclose any cybersecurity incident they determine to be material. They must disclose:
- The material aspects of the nature, scope, and timing of the incident
- The material impact or reasonably likely impact of the incident on them, including on their financial condition and operations
There is no obligation to disclose specific or technical information about the incident or its response if doing so would impede the registrant’s incident response or remediation.
Disclosure is due four business days after the registrant determines that the cybersecurity incident is material, although a limited delay is allowed if the United States Attorney General determines in writing that disclosure would pose a substantial risk to national security or public safety.
Structured data requirements
Registrants must tag the disclosures made under the new rules in Inline XBRL.
When did they enter into effect?
The rules came into effect on September 5, 2023.
Compliance dates vary by the type of disclosure, with SRCs (smaller reporting companies) given a longer compliance period for incident reporting:
Form 10-K and Form 20-F cybersecurity risk management, strategy, and governance disclosures
All registrants, including SRCs, must provide disclosures beginning with their annual reports for fiscal years ending on or after December 15, 2023.
Form 8-K and Form 6-K material cybersecurity incident disclosures
Registrants that are not SRCs must begin complying by December 18, 2023.
SRCs must begin complying by June 15, 2024.
Structured data requirements
All registrants, including SRCs, must begin tagging their Form 10-K and Form 20-F disclosures in Inline XBRL for fiscal years ending on or after December 15, 2024.
All registrants, including SRCs, must begin tagging their material cybersecurity incident disclosures in Inline XBRL by December 18, 2024.
How IT Governance USA can help you meet your SEC cybersecurity disclosure obligations
We are experts on information security, cybersecurity, and cyber incident response management, and have been helping organizations around the world implement and maintain best practices for over 20 years.
If you need help with your cybersecurity program, or with identifying and responding to a cybersecurity incident – including reporting – we have everything you need.