
SEC Adopts New Cybersecurity Disclosure Rules

September 11, 2023

The Securities and Exchange Commission (SEC) has recently adopted rules with new requirements for public companies regarding cybersecurity risk management, strategy, governance and incident disclosure. Here’s what you should know.

Until now, there has been little consistency across companies in how cybersecurity risk management, strategy, governance, and incident disclosure are reported. Under the new SEC rule, this will change. What does this mean for your company? We dive in here.

The problem at hand

Cybersecurity threats are on the rise in both the private and public sectors. The SEC has proposed new rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents.

What are the new SEC Rules?

In late July, the SEC adopted rules that will require companies to disclose significant cyber breaches, as well as details about their cyber risk management, strategy and governance. The rules include several regulations and forms, summarized here:

  1. Regulation S-K Item 106(b) centers on the company’s risk management and strategy. The following information should be included:
    • A description of the company’s processes for assessing, identifying, and managing material risks from cybersecurity threats, and
    • Any material risks to the results of operations or financial condition, which must be documented as well.
  2. Regulation S-K Item 106(c) focuses on the company’s cybersecurity governance. This is where your company will describe the board’s oversight of risk from cybersecurity threats and management’s role in assessing and managing material risk from cybersecurity threats.
  3. Form 8-K Item 1.05 is used to report material cybersecurity incidents. On Form 8-K Item 1.05, the company must disclose:
    • the nature,
    • scope,
    • timing, and
    • impact, or likely impact, of the material security incident (this could include a material incident at a subservice provider).

Form 8-K Item 1.05 should be filed within 4 business days of determining that the incident was material; however, there are provisions for delaying the filing based on a risk determination made by the Attorney General. Foreign private issuers (FPIs) will instead file Form 20-F and Form 6-K. Form 20-F will describe everything listed under Item 106 above, and Form 6-K will be the foreign equivalent of the Form 8-K items listed above.

What are the effective dates?

Regulation S-K Item 106 and Form 20-F will be effective beginning with annual reports for fiscal years ending on or after December 15, 2023.

Additionally, all companies other than smaller reporting companies must comply with Form 8-K Item 1.05 by the later of 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days for S-K Item 106 and Form 20-F, and must begin complying with Form 8-K Item 1.05 by the later of 270 days from the effective date of the rules or June 15, 2024.

What does this mean for companies that file with the SEC?

This means that most year-end filings will require both Regulation S-K Item 106(b) and Regulation S-K Item 106(c), which is a completely new way of disclosing the company’s cybersecurity risk management, strategy, and governance, effective for fiscal years ending on or after 12/31/23.

How can we help? We can assist with disclosures under the new rules and regulations, risk assessments of your cyber environment, development of controls for cyber risk, preparation of Form 8-K Item 1.05, Form 20-F and Form 6-K, and security incident evaluations. Contact us today.
