The increasing frequency and sophistication of cyber threats have prompted regulatory bodies to tighten the reins on how public companies disclose and manage cybersecurity incidents. The U.S. Securities and Exchange Commission (SEC) requires public companies to quickly report cyber incidents.
Here's what companies need to know:
- Disclosure of Cybersecurity Incidents:
  - Public companies must disclose material cybersecurity incidents under the new Item 1.05 of Form 8-K.
  - The disclosure should describe the incident's nature, scope, and timing, and its material impact or reasonably likely material impact on the company.
- Timing of Disclosure:
  - Form 8-K disclosure is generally due four business days after the company determines that a cybersecurity incident is material.
  - Disclosure can be delayed if the U.S. Attorney General determines that disclosing it would pose a substantial risk to national security or public safety.
- Annual Reporting on Cybersecurity Risk Management:
  - New Regulation S-K Item 106 requires companies to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats.
  - Annual reports on Form 10-K must include the material effects of risks from cybersecurity threats, previous incidents, and the board of directors' oversight of those risks.
- Foreign Private Issuers:
  - Similar disclosures are required for foreign private issuers: on Form 6-K for incidents, and on Form 20-F for cybersecurity risk management, strategy, and governance.
- Effective Dates:
  - Form 10-K and Form 20-F disclosures begin with fiscal years ending on or after December 15, 2023.
  - Form 8-K and Form 6-K disclosures begin by December 18, 2023.
  - Smaller reporting companies have an additional 180 days for Form 8-K disclosure.
- Structured Data Requirements:
  - Registrants must tag these disclosures in Inline XBRL beginning one year after initial compliance with the related disclosure requirements.
These changes aim to ensure consistent and comparable cybersecurity disclosures, benefiting investors, companies, and the markets. Companies should be prepared for more stringent reporting and governance requirements in the face of cybersecurity threats.