SEC Issues New Rules Regarding Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

On July 26, 2023, the Securities and Exchange Commission (the “SEC”) adopted rules requiring public companies to disclose material cybersecurity incidents within a certain timeframe and to disclose material information regarding their cybersecurity risk management, strategy, and governance on an annual basis in their annual reports on Form 10-K. As a result, many companies will likely increase focus on enhancing cybersecurity capabilities as they plan to address and comply with these new disclosure requirements.

While many public companies already provide disclosures relating to cybersecurity to investors, the rules aim to streamline and enhance such disclosures and require companies to provide more consistent, comparable, and specific cybersecurity information. The final rules will become effective 30 days following publication in the Federal Register. The Form 10-K disclosures will be applicable beginning next year for fiscal years ending on or after December 15, 2023. The Form 8-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure. All registrants must tag the new required disclosures in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.

Form 8-K: The new rules amend Form 8-K to include a new Item 1.05, which requires disclosure of any cybersecurity incident that a company determines to be material and to describe the material aspects of the nature, scope, and timing of the incident, as well as its material impact or reasonably likely material impact on the company. Item 1.05 disclosures will generally be due four business days after a company determines that a cybersecurity incident is material. The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing.

Form 10-K: The new rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. Item 106 also requires registrants to describe the board of directors’ oversight of cybersecurity-related risks as well as management’s role and expertise in assessing and managing material risks from cybersecurity threats.

The rules require comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.

Jennifer L. DiBella is a Shareholder in UKS’ Hartford office, practicing in the areas of Financial Institutions and Transactions, Securities, Commercial Lending and General Corporate Law. She can be reached at jdibella@uks.com or 860.548.2630.