New SEC Rules Required Public Companies to Promptly Disclose Cyberattacks

On July 26, 2023, the Securities and Exchange Commission (the “SEC”) adopted rules requiring public companies to promptly disclose material cybersecurity breaches on Form 8-K and detailed information regarding their cybersecurity risk management and governance in their annual reports on Form 10-K. Such disclosures are to be made in new Item 1.05 of Form 8-K and new Regulation S-K Item 106 included in Form 10-K. These new rules follow a push from the SEC to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and material cybersecurity incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.

Under the new rules, public companies will have four business days from management’s determination that a cybersecurity incident is material. The SEC requires that a public company’s determination that an incident is material must be made without unreasonable delay following discovery. Disclosure would require that the company provide details regarding the incident’s nature, scope, and timing as well as its material impact or reasonably likely material impact by filing an Item 1.05 Form 8-K. To the extent that these details are unknown or unavailable, the rule requires the company to identify these gaps in the filing and update the disclosure in the public company’s periodic reports as more complete information becomes available. Incidents requiring disclosure include a series of small immaterial breaches which become or are quantitatively or qualitatively material. A delay in disclosure would be allowed in cases where disclosure would present a substantial risk to national security or public safety. This exception requires a written determination by the United States Attorney General to the SEC. Additionally, on an annual basis, the public company will need to describe its processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats as part of its Form 10-K filing.

These new rules will take effect 30 days following publication of the adopting release in the Federal Register, with the Form 8-K disclosures due beginning the later of 90 days after the date of publication in the Federal Register, or December 18, 2023.

Register now for your free, tailored, daily legal newsfeed service.

New SEC Rules Required Public Companies to Promptly Disclose Cyberattacks
Blog Data Security Law Blog

Filed under

Topics

Organisations

Popular articles from this firm

A Long Journey Through “Silk Road” Appeal: Second Circuit Affirms Conviction and Life Sentence of Silk Road Mastermind *

IRS Issues Proposed Regulations on Donor-Advised Funds *

QSBS Rollovers *

Third Strike You’re Out: Judge Gardephe Orders Plaintiff to Explain Why Complaint Should Not be Dismissed After the CAFC Found the Asserted Claims Invalid Under 35 U.S.C. § 101 *

Commercial Division Court Issues a Decision Extending Time for Service and Permitting Alternative Service Methods to Foreign Defendants *

More from Data Security Law Blog

New York’s Department of Financial Services Amplifies its Cybersecurity Regulations

Biden Administration Issues Executive Order Regarding Safety, Security, and Trustworthiness of AI

House Subcommittees Hold Hearing on Combating Ransomware Attacks

Zoom Reverses Course on Contemplated Use of Customer Content to Train Artificial Intelligence

Court Blocks Enforcement of California’s New Data Privacy Regulations—For Now

Related practical resources PRO

Related research hubs