Businesses continue embracing innovation and technology, but with the rise of digitization comes a critical challenge that no organization can afford to ignore: cybersecurity threats. Publicly traded companies are prized targets for cyber attackers seeking to exploit vulnerabilities and obtain sensitive information because of the volume of data they send, receive, and store.
In recognition of the seriousness of these attacks and the consequences for companies and shareholders, the Securities and Exchange Commission (SEC) has taken a significant new step in cybersecurity protection for the corporate world. The new SEC cybersecurity regulations mandate that public companies embrace transparency like never before when it comes to cybersecurity incidents and risk management practices. Below we have outlined what you need to know about the new rules set to take effect.
What Do You Need to Know?
Mandatory Disclosure of Material Cybersecurity Incidents:
The new rules by the SEC require businesses to disclose any material cybersecurity incidents they experience. These disclosures must be made through Form 8-K’s new Item 1.05 and should include details about the incident’s nature, scope, timing, and its material impact or potential impact on the business.
Annual Cybersecurity Risk Management Disclosure:
Companies are now obligated to provide annual information about their cybersecurity risk management, strategy, and governance. This disclosure must be included in the annual report on Form 10-K and should describe the processes for assessing, identifying, and managing material cybersecurity risks, as well as the effects of such risks and previous cybersecurity incidents.
Comparable Disclosures for Foreign Private Issuers:
The new SEC cybersecurity regulations also apply to foreign private issuers, requiring them to make comparable disclosures. Foreign private issuers must provide information about material cybersecurity incidents through Form 6-K and disclose their cybersecurity risk management, strategy, and governance on Form 20-F.
Timeline for Compliance:
The final rules will become effective 30 days after their publication in the Federal Register. For Form 10-K and Form 20-F disclosures, businesses must comply for fiscal years ending on or after December 15, 2023. For Form 8-K and Form 6-K disclosures, compliance is required beginning 90 days after publication in the Federal Register or December 18, 2023, whichever is later. Smaller reporting companies have an additional 180 days before they need to provide Form 8-K disclosure.
Compliance with Structured Data Requirements:
All registrants must tag disclosures required under the final rules in Inline XBRL beginning one year after their initial compliance with the related disclosure requirement. This is to ensure standardized and machine-readable data for improved analysis and comparison.
Overall, these new rules aim to enhance the consistency, comparability, and usefulness of cybersecurity disclosures for the benefit of investors, companies, and the markets. Businesses should be prepared to implement these requirements and ensure they have adequate cybersecurity measures and risk management strategies in place to comply with the SEC’s regulations.
If you need help with understanding the process or ensuring compliance, don’t hesitate to contact the Cybersecurity team at Clark Schaefer Consulting for assistance.