The Securities and Exchange Commission (SEC) has adopted new rules that mandate registrants to disclose significant cybersecurity incidents and provide annual updates on their cybersecurity risk management, strategy, and governance. This requirement also applies to foreign private issuers. SEC Chair Gary Gensler emphasized the importance of consistent, comparable, and decision-useful disclosure of cybersecurity information for both companies and investors.
Under the new rules, registrants must disclose any material cybersecurity incident on Form 8-K’s new Item 1.05, detailing the incident’s nature, scope, timing, and its material or likely material impact. This disclosure is generally due four business days after the registrant determines the incident’s materiality. However, immediate disclosure can be delayed if the U.S. Attorney General determines that it would pose a substantial risk to national security or public safety.
Additionally, the new Regulation S-K Item 106 requires registrants to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, the material effects of these risks and previous incidents, and the board of directors’ oversight of these risks. These disclosures are required in the registrant’s annual report on Form 10-K.
The rules will take effect 30 days after the adopting release’s publication in the Federal Register. The Form 10-K and Form 20-F disclosures will be due starting with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure.
Source: sec.gov
To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net or you can try your self using check.website.