The Securities and Exchange Commission (SEC) has implemented new rules in 2023 that mandate public companies to disclose any material cyber incidents that may significantly impact their ability to conduct business. This disclosure must be made through Form 8-K Item 1.05 within four business days of determining the materiality of the incident. The information must include details such as the nature of the incident, the extent of compromise to corporate assets, the timing of the incident and response, and the actual or potential impact, both qualitative and quantitative.
If all of the required information is not available within the four-business-day window, the company must say so in the initial filing and then file an amended Form 8-K once the information becomes available. Incidents involving third-party service providers also fall under the reporting requirement: an organization must disclose a cyberattack that affects its business even when the compromise occurred at a third party.
It is important to note that organizations are not required to divulge technical or operational details that could compromise their incident response and remediation capabilities. Where disclosure of a cybersecurity incident would pose a substantial risk to national security or public safety, the organization may delay disclosure with the approval of the U.S. Attorney General. All of this information must be submitted to the SEC in an interactive data file.
Furthermore, the new rules dictate that public companies must provide details about their cybersecurity risk management, strategy, and governance practices in their annual reports. This information must be disclosed on Form 10-K and should include processes for assessing, identifying, and managing material cyber risks, as well as the impact of cybersecurity threats on business strategy, operations, and financial conditions.
For foreign private issuers (FPIs), comparable disclosures on material cybersecurity incidents and risk management practices must be made on Form 6-K and Form 20-F respectively. FPIs are foreign issuers with securities predominantly held by U.S. residents and substantial business operations in the U.S.
In summary, the SEC’s cybersecurity disclosure rules require prompt reporting of material incidents, detailed descriptions of risk management strategies, and governance practices. These regulations aim to provide shareholders and investors with consistent access to information that could influence their investment decisions. Compliance with these rules is essential for public companies to maintain transparency and accountability in the face of evolving cyber threats.
The SEC’s focus on cybersecurity disclosures underscores the increasing importance of addressing cyber risks in today’s digital landscape. By establishing clear reporting requirements and governance guidelines, the SEC aims to enhance the overall cybersecurity posture of public companies and protect the interests of shareholders and investors.