SEC releases new cybersecurity disclosure rules with accompanying checklist

Publicly traded companies are required to disclose specific information about their cybersecurity practices and about any material cyber incidents they experience, under rules adopted by the SEC in July 2023 (incident reporting took effect in December 2023, with a later start date for smaller reporting companies). The rules aim to give shareholders and prospective investors consistent, comparable information on which to base their investment decisions.

Under the rules, companies must report any cyber incident they determine to be “material,” meaning there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision; operational disruption, data loss, and financial or reputational harm all feed into that judgment. The company must make the materiality determination without unreasonable delay after discovering the incident, and must then disclose it on Form 8-K (Item 1.05) within four business days of that determination. The filing must describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the company, including its financial condition and results of operations.

If some of the required information is not known or available at the time of the initial filing, the company must say so in that filing and then file an amended Form 8-K within four business days of the information becoming available. The obligation applies regardless of where the incident occurred: an incident on a third-party service provider’s systems that materially affects the company must be disclosed on the same timeline, based on the information available to the company.

It is important to note that companies are not required to disclose specific technical details about their planned response or about their systems, networks, or vulnerabilities where doing so would impede their response or remediation. Furthermore, if the U.S. Attorney General determines that disclosure of an incident would pose a substantial risk to national security or public safety and notifies the SEC in writing, the company may delay the filing, initially for up to 30 days, with further extensions possible under the same process. All cybersecurity disclosures must be tagged in Inline XBRL, the SEC’s interactive data format.

Additionally, public companies must report annually in their Form 10-K on their cyber-risk management, strategy, and governance (Regulation S-K Item 106). This includes describing their processes for assessing, identifying, and managing material risks from cybersecurity threats, and whether any such risks, including those arising from previous incidents, have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition. The filing must also describe the board’s oversight of cyber risk and management’s role and expertise in assessing and managing it, so that investors can understand the company’s cybersecurity risk profile.

Foreign private issuers (FPIs) are subject to parallel requirements, but on different forms: material cybersecurity incidents are furnished on Form 6-K, and risk management, strategy, and governance disclosures appear in the annual report on Form 20-F. An FPI is a non-U.S. company with securities registered with the SEC that does not meet the U.S. ownership and management tests that would make it a domestic filer. The 6-K obligation is triggered when the FPI discloses, or is required to disclose, the incident in its home jurisdiction, to a stock exchange, or to its security holders, and the disclosure is expected to be as transparent and detailed as that of a domestic public company.

In summary, the SEC’s cybersecurity disclosure rules are designed to make public companies’ reporting of cyber incidents and risk management practices more transparent, consistent, and accountable, so that investors have timely access to information that may bear on their investment decisions.