On July 26, 2023, the Securities and Exchange Commission (the “SEC”) adopted rules requiring public companies to promptly disclose material cybersecurity breaches on Form 8-K and detailed information regarding their cybersecurity risk management and governance in their annual reports on Form 10-K. Such disclosures are to be made in new Item 1.05 of Form 8-K and new Regulation S-K Item 106 included in Form 10-K. These new rules follow a push from the SEC to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and material cybersecurity incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.
Under the new rules, public companies will have four business days from management’s determination that a cybersecurity incident is material to disclose the incident. The SEC requires that a public company’s determination of whether an incident is material be made without unreasonable delay following discovery. Disclosure would require that the company provide details regarding the incident’s nature, scope, and timing as well as its material impact or reasonably likely material impact by filing an Item 1.05 Form 8-K. To the extent that these details are unknown or unavailable, the rule requires the company to identify these gaps in the filing and update the disclosure in the public company’s periodic reports as more complete information becomes available. Incidents requiring disclosure include a series of small immaterial breaches that become or are quantitatively or qualitatively material. A delay in disclosure would be allowed in cases where disclosure would present a substantial risk to national security or public safety. This exception requires a written determination by the United States Attorney General to the SEC. Additionally, on an annual basis, the public company will need to describe its processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats as part of its Form 10-K filing.
These new rules will take effect 30 days following publication of the adopting release in the Federal Register, with the Form 8-K disclosures due beginning the later of 90 days after the date of publication in the Federal Register, or December 18, 2023.