The U.S. Securities and Exchange Commission adopted final rules requiring that public companies disclose material cybersecurity incidents. The rules also require periodic disclosure of a public company’s cybersecurity risk management, strategy, and governance in annual reports.
According to the rules, new forms will require public companies to disclose any cybersecurity incident they determine to be material. The forms also seek descriptions of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the company, including its financial condition and results of operations. Importantly, companies must determine the materiality of an incident without unreasonable delay following discovery. If the incident is determined material, the disclosure form must generally be submitted within four business days of that determination. The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.
Another part of the new rules will require public companies to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats. They also will need to explain whether any risks from cybersecurity threats, including previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company. Public companies will need to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. Additionally, foreign private issuers will need to furnish information on material cybersecurity incidents that they disclose in a foreign jurisdiction.
The rules will become effective 30 days following publication in the Federal Register. For periodic reports, all public companies must provide the required disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023. For compliance with the incident disclosure requirements, all public companies other than smaller reporting companies must begin complying within 90 days after the date of publication in the Federal Register or December 18, 2023, whichever is later. Smaller reporting companies are given a longer period to adjust to the new rules.