Arion Research LLC

View Original

New SEC Rules on Cybersecurity Risk Management and Disclosure

Here’s an announcement from the US Securities and Exchange Commission (SEC) that may have slipped by you this week. The SEC adopted new rules requiring public companies to disclose material cybersecurity incidents and provide annual information on their cybersecurity risk management, strategy, and governance; and includes foreign private issuers as well. The goal is to provide investors with consistent, comparable, and useful cybersecurity information in a timely manner. The rule was originally proposed in March of 2022. Under the new rules, companies must disclose on Form 8-K any cybersecurity incident they determine to be material and must include a description of the nature, scope, timing, and impact of the incident. The 8-K is generally due 4 days after the material determination, but can be delayed if disclosing poses risks to national security or public safety (as determined by the US Attorney General). This is similar to the EU rule that requires the disclosure within three days.

Regulation S-K Item 106

The new Regulation S-K Item 106 requires companies to report their processes for assessing, identifying and managing cybersecurity risks and incidents once a year. This disclosure should include the board's oversight of cyber risks and management's expertise in managing them. These disclosures will be in the 10-K or for foreign private issuers the disclosures about material cyber incidents in 6-Ks and about cyber risk management, strategy and governance in their 20-Fs. The rules take effect 30 days after Federal Register publication. 10-K and 20-F disclosures apply to fiscal years ending on or after 12/15/2023. 8-K and 6-K disclosures apply 90 days after publication (smaller reporting companies get an extra 180 days). For compliance with the structured data requirements the disclosures must be tagged in Inline XBRL one year after initial compliance under the final rules.