New SEC cybersecurity disclosure rules: What you need to know to stay in compliance

The Securities and Exchange Commission (SEC) has taken a significant step in bolstering cybersecurity disclosures for public companies by adopting new rules that aim to provide investors with comprehensive and standardized information on cybersecurity risk management, strategy, governance, and incidents.

Adopted in July 2023, these new rules come after a lengthy rule-making and public comment process and act as official recognition that the ever-present danger of cybersecurity threats can impact investor decision making.

The highlights: What you need to know

The crux of the new SEC rules is that companies are required to report both material cybersecurity incidents and cybersecurity risk management processes in a standardized way and according to certain timelines. More specifically:

Incident disclosures
The final rule requires current report disclosures (Item 1.05 in Form 8-K or 6-K) within four days of “material” cybersecurity incidents that describe (1) the nature, scope, and timing of the incident and (2) the impact or likely impact of the incident on the registrant, including financial and operational impact.

Annual disclosures
The final rule requires disclosures in annual reports (Form 10-K or 20-F) that describe (1) the registrant’s process to identify, assess, and manage cybersecurity risks; (2) how risks from cybersecurity threats have materially affected or are reasonably likely to materially affect business operations, strategy, or financial condition; (3) the registrant’s board of directors’ oversight of cybersecurity risks; and (4) management’s role in assessing and managing risks from cybersecurity threats.

Source: TechCrunch
