The Securities and Exchange Commission (SEC) has recently adopted new rules that aim to enhance and standardize the disclosures of public companies regarding their cybersecurity risk management, strategy, governance, and incidents. These rules will affect domestic and foreign companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. Here are some key points to know about the new rules:
- Material Cybersecurity Incident Disclosure: Companies must disclose any cybersecurity incident that they determine to be material on Form 8-K within four business days of making that determination. The disclosure must include the material aspects of the nature, scope, timing, and impact of the incident. The disclosure may be delayed if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing.
- Annual Cybersecurity Risk Management, Strategy, and Governance Disclosure: Companies must describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of such risks and previous incidents on their financial condition and results of operations. Companies must also describe the board of directors’ oversight of cybersecurity risks and management’s role and expertise in this area. These disclosures must be made on Form 10-K for domestic companies and on Form 20-F for foreign companies.
- Inline XBRL Tagging: Companies must present the required cybersecurity disclosures in Inline eXtensible Business Reporting Language (Inline XBRL), which is a format that allows investors to easily access, analyze, and compare data across companies.
The new rules will become effective 30 days after publication in the Federal Register. The annual disclosures will be due beginning with reports for fiscal years ending on or after December 15, 2023.
The new rules are intended to provide investors with more consistent, comparable, and decision-useful information about companies’ cybersecurity practices and incidents. They also reflect the SEC’s recognition of the growing importance and complexity of cybersecurity issues for public companies and the markets they operate in.
Complying with the new rules may pose significant challenges for companies, as the rules will require them to assess their cybersecurity risks and incidents more carefully and to disclose them more promptly and transparently. Companies may also face increased scrutiny and liability from regulators, shareholders, customers, and other stakeholders as a result of their cybersecurity disclosures. Therefore, companies should review their existing cybersecurity policies and procedures, update their disclosure controls and practices, train their personnel, and consult with their legal and technical advisors to ensure compliance with the new rules.