The Securities and Exchange Commission (SEC) this week adopted rules requiring registrants to disclose material cybersecurity incidents they experience and, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance. The SEC also adopted rules requiring foreign private issuers to make comparable disclosures.
“Whether a company loses a factory in a fire — or millions of files in an incident — it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
Registrants must now disclose on the new Item 1.05 of Form 8-K any incident they determine to be material, describe the material aspects of the incident’s nature, scope, and timing, and detail its material impact or reasonably likely material impact on the registrant. Item 1.05 Forms 8-K are usually due four business days after a registrant determines that an incident is material. The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.
Also added is Regulation S-K Item 106, which requires registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from threats and previous incidents. Item 106 also makes registrants describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant’s annual report on Form 10-K.
Comparable disclosures by foreign private issuers must be completed on Form 6-K for material cybersecurity incidents and Form 20-F for cybersecurity risk management, strategy, and governance.
The final rules become effective 30 days following publication of the release in the Federal Register. The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after Dec. 15. The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or Dec. 18. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure. All registrants must tag disclosures required under the final rules in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.