The Securities and Exchange Commission (SEC) has taken an important step in enhancing cybersecurity disclosures for public companies by adopting new rules aimed at providing investors with comprehensive and standardized information about cybersecurity risk management, strategy, governance, and incidents.
Adopted in July 2023, the new rules follow a lengthy rulemaking and public comment process and amount to formal recognition that the ever-present risk of cybersecurity threats can influence investors' decision-making.
Highlights: What you need to know
The essence of the new SEC rules is that companies are required to report both material cybersecurity incidents and their cybersecurity risk management processes in a standardized manner and according to set timelines. More specifically:
Incident disclosure
The final rule requires a current report (Item 1.05 of Form 8-K, or Form 6-K for foreign private issuers) within four business days of determining that a cybersecurity incident is "material". The report must describe (1) the material aspects of the nature, scope, and timing of the incident and (2) the material impact, or reasonably likely material impact, of the incident on the registrant, including its financial condition and results of operations.
Annual disclosures
The final rule requires disclosures in annual reports (Form 10-K or 20-F) that describe (1) the registrant's processes for identifying, assessing, and managing material risks from cybersecurity threats; (2) whether risks from cybersecurity threats have materially affected, or are reasonably likely to materially affect, the registrant's business strategy, results of operations, or financial condition; (3) the board of directors' oversight of risks from cybersecurity threats; and (4) management's role in assessing and managing those risks.
In short, the SEC requires companies to report both material cybersecurity incidents and their cybersecurity risk management processes in a standardized manner.
The deadlines
The final rule became effective on September 5, 2023. The annual cybersecurity disclosures are required for fiscal years ending on or after December 15, 2023. The current report obligation under Item 1.05 begins shortly thereafter, on December 18, 2023, although smaller reporting companies have until June 15, 2024. One year later there is an additional formatting requirement: the annual report disclosures must be tagged in Inline XBRL for fiscal years ending on or after December 15, 2024, and the current report disclosures from December 18, 2024, to allow for automated search and analysis.
Details: What the rules say
An incident has occurred: what must be disclosed?
The new rules require disclosure of cybersecurity incidents that are determined to be "material" (more on this below), covering the material aspects of the nature, scope, and timing of the incident and its material impact, or reasonably likely material impact, on the registrant's financial condition and results of operations.
However, unlike earlier iterations of the proposed rule, there is no requirement to disclose specific or technical information about the registrant's planned response to the incident, or about its cybersecurity systems and related potential vulnerabilities, in such detail as would impede its response to or remediation of the incident.
When must the disclosure be made?
Within four business days. Allowing four business days to disclose a cybersecurity incident in a public filing may seem tight, and it is, but the final rule builds in more flexibility than is apparent.
The four-day clock starts only when the registrant determines that it has experienced a "material" cybersecurity incident, and that materiality determination must be made "without unreasonable delay" after discovery of the incident.
Although the standard is flexible, it does not allow the registrant to prolong its investigation until the incident has been fully remediated in order to delay reporting. The registrant must file the Form 8-K with the information available at that time and later supplement the original disclosure as necessary by filing an amendment to Item 1.05.