US SEC adopts new cyber rules

The SEC adopted new rules for disclosure of cybersecurity incidents and risk management by public companies.

  • Companies will be required to disclose material cybersecurity incidents they experience and provide annual disclosures about their cybersecurity risk management, strategy, and governance.
  • The new rules add a new Item 1.05 to Form 8-K, on which registrants report material cybersecurity incidents and their impact. This disclosure is generally due four business days after the registrant determines that the incident is material.
  • Disclosure of cybersecurity incidents may be delayed if immediate disclosure poses a substantial risk to national security or public safety, subject to approval by the United States Attorney General.
  • A new Regulation S-K Item 106 will require registrants to describe their processes for identifying and managing material risks from cybersecurity threats, board oversight of these risks, and management’s expertise in assessing and managing them. This disclosure will be required in a registrant’s annual report on Form 10-K.
  • The final rules will take effect 30 days after publication in the Federal Register. Form 10-K and Form 20-F disclosures will be due starting with fiscal years ending on or after December 15, 2023. Form 8-K and Form 6-K disclosures will be due starting the later of 90 days after publication or December 18, 2023. Smaller reporting companies will have an additional 180 days to provide Form 8-K disclosures.

Bottom Line: The rule is a step toward accountability and investor and consumer protection, because it requires organizations to improve how they discover vulnerabilities and breaches, how they report them, and the level of cybersecurity expertise available to the board.