SEC Issues 4-Day Disclosure Requirement & Additional Cybersecurity Rules for ALL Public Companies

August 7, 2023

Article updated Monday, August 14, 2023 for effective dates.

On July 26, 2023, the Securities and Exchange Commission (SEC) adopted new rules for all publicly traded companies. The rules require disclosure of material cybersecurity incidents within four business days and annual disclosures in Form 10-K describing each company's cybersecurity risk management, strategy, and governance.

  • New Item 1.05 has been added to Form 10-K
  • New rules add Regulation S-K Item 106

The new SEC cybersecurity requirements are intended to provide investors, consumers, and companies with information that each can consider when making decisions. In addition to the accelerated timeline for publicly disclosing cybersecurity incidents, companies should place significant focus on the disclosures surrounding their board of directors and management’s role and expertise. REDW’s trusted cybersecurity advisors are ready to help you with these tasks and others needed for you to confidently implement the new SEC requirements.

While many companies already disclose material cybersecurity incidents to investors, the new cybersecurity incident reporting and disclosure rules provide a consistent framework that will allow for greater comparability between companies and provide a highly detailed outline of the SEC’s expectations.

Brian Grayek
REDW IT & Cybersecurity Consulting Director

Cybersecurity Incident Disclosures

SEC-registered companies must disclose any material cybersecurity incident, including its nature, scope, and timing, along with its material impact or reasonably likely material impact on the company.
The disclosure is due within four business days of the company determining that the incident is material. The only exception is a delay requested of the SEC by the U.S. Attorney General, who may do so upon determining that immediate disclosure would pose a substantial risk to national security or public safety.

Cybersecurity Risk Management & Strategy

New Regulation S-K Item 106 requires SEC registrants to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats and previous cybersecurity incidents.
Examples of company cybersecurity processes:

  • Creating a list of all cybersecurity risks and actions taken to mitigate and detect them. Include both computer system processes and off-line activities.
  • Incident management and follow-up. Ensure communications, timelines, resolution steps, and responsible parties are documented.
  • Document any formal cybersecurity assessment framework and assessments utilized along with the frequency of the assessments.

Cybersecurity Governance

How each company’s board of directors provides oversight of cybersecurity risks, threats, and incidents is also a requirement of Item 106.
Company processes and management’s role and expertise in managing cybersecurity threats must be disclosed on Form 10-K by U.S. companies and on Form 20-F by foreign private issuers.

SEC Cybersecurity Rule Effective Dates

Several date milestones must be considered to ensure compliance with the new cybersecurity regulations.

  • August 4, 2023 – Federal Register publication of the SEC cybersecurity regulations.
  • September 5, 2023 – The new cybersecurity rules and regulations become effective 30 days after publication in the Federal Register.
  • December 15, 2023 – The disclosures on Form 10-K will be due beginning with annual reports for fiscal years ending on or after December 15, 2023.
  • December 18, 2023 – Form 8-K disclosures are due for mid-sized to enterprise companies; foreign private issuers file on Form 6-K.
  • June 15, 2024 – Form 8-K disclosures are due for smaller reporting companies.
  • December 15, 2024 – Structured data requirement: All disclosures must be tagged under the final rules in Inline XBRL with the related disclosure requirement.

REDW’s Experienced Cybersecurity Experts Are Standing By

Details, public comments, and examples around the new cybersecurity requirements can be found in the SEC’s extensive 186-page Cybersecurity Final Rule document. Similar to Nevada’s recent casino cybersecurity regulations, the SEC’s new rules pose a sizable change to how most companies manage their cybersecurity landscape.
Developing and managing a cybersecurity program to the extent the SEC rules now demand can quickly become overwhelming. REDW has the cybersecurity expertise you need to execute the processes, assessments, and training that your company needs to meet SEC regulations.

Contact us today to discuss custom solutions or to ask a question. Use the How Can We Help? form on this page to get in touch with a trusted advisor.