New SEC Rules on Cybersecurity Risk Management and Disclosure

Here’s an announcement from the US Securities and Exchange Commission (SEC) that may have slipped by you this week. The SEC adopted new rules requiring public companies to disclose material cybersecurity incidents and provide annual information on their cybersecurity risk management, strategy, and governance; the rules cover foreign private issuers as well. The goal is to provide investors with consistent, comparable, and useful cybersecurity information in a timely manner. The rule was originally proposed in March of 2022. Under the new rules, companies must disclose on Form 8-K any cybersecurity incident they determine to be material and must include a description of the nature, scope, timing, and impact of the incident. The 8-K is generally due 4 days after the materiality determination, but can be delayed if disclosure poses risks to national security or public safety (as determined by the US Attorney General). This is similar to the EU rule that requires disclosure within three days.

Regulation S-K Item 106

The new Regulation S-K Item 106 requires companies to report, once a year, their processes for assessing, identifying and managing cybersecurity risks and incidents. This disclosure should include the board's oversight of cyber risks and management's expertise in managing them. These disclosures will be in the 10-K; foreign private issuers will make their disclosures about material cyber incidents in 6-Ks and about cyber risk management, strategy and governance in their 20-Fs. The rules take effect 30 days after Federal Register publication. 10-K and 20-F disclosures apply to fiscal years ending on or after 12/15/2023. 8-K and 6-K disclosures apply 90 days after publication (smaller reporting companies get an extra 180 days). To comply with the structured data requirements, the disclosures must be tagged in Inline XBRL one year after initial compliance under the final rules.

Michael Fauscette

Michael is an experienced high-tech leader, board chairman, software industry analyst and podcast host. He is a thought leader and published author on emerging trends in business software, artificial intelligence (AI), generative AI, digital first and customer experience strategies and technology. As a senior market researcher and leader Michael has deep experience in business software market research, starting new tech businesses and go-to-market models in large and small software companies.

Currently Michael is the Founder, CEO and Chief Analyst at Arion Research, a global cloud advisory firm; and an advisor to G2, Board Chairman at LocatorX and board member and fractional chief strategy officer for SpotLogic. Formerly the chief research officer at G2, he was responsible for helping software and services buyers use the crowdsourced insights, data, and community in the G2 marketplace. Prior to joining G2, Mr. Fauscette led IDC’s worldwide enterprise software application research group for almost ten years. He also held executive roles with seven software vendors including Autodesk, Inc. and PeopleSoft, Inc. and five technology startups.

Follow me @ www.twitter.com/mfauscette

www.linkedin.com/mfauscette

https://arionresearch.com