SEC’s new cybersecurity rules – In summary

















The U.S. Securities and Exchange Commission (SEC) has recently adopted new rules to enhance the cybersecurity posture of public companies.

With cyber-attacks on the rise, the SEC recognizes the growing threat that cybersecurity incidents pose to businesses and investors, and it has updated its rules in response. The new rules aim to provide investors with more transparent and timely information about a company’s cybersecurity risks and how they are managed.

The new rules will be effective 30 days after publication in the Federal Register, with annual report disclosures required for fiscal years ending on or after December 15, 2023. The 4-day reporting rule is effective sometime around April 2024.

Here’s a summary of the key points:

  • Incident Disclosure: Companies are required to disclose material cybersecurity incidents within four business days after determining the incident’s materiality.
  • Risk Management: Companies must describe their processes for identifying, assessing, and managing cybersecurity risks.
  • Strategy and Governance: Annual disclosures must include information on cybersecurity risk management, strategy, and governance.
  • Board Oversight: Disclosures must detail the board of directors’ oversight of cybersecurity risks.
  • Materiality Definition: The SEC emphasizes the importance of materiality in relation to how cybersecurity incidents could influence investor decisions.
  • Foreign and Private Issuers: The rules also apply to foreign private issuers, requiring comparable disclosures.

Key Components of the SEC Rules

  1. Incident Reporting:
    • Public companies must report material cybersecurity incidents on Form 8-K within four business days of determining an incident is material.
    • This accelerated reporting timeframe ensures investors receive timely information to assess potential impact.
  2. Annual Cybersecurity Disclosures:
    • Companies must provide disclosures on Form 10-K (domestic companies) or Form 20-F (foreign private issuers) about their:
      • Cybersecurity risk management policies and procedures
      • Strategies for identifying and mitigating cybersecurity risks
      • Board-level oversight of cybersecurity
      • Management’s role and expertise in assessing and managing cybersecurity risk
      • Previous material cybersecurity incidents and any updates to previously reported incidents

Effective Dates of the New Rules

  • Incident Reporting: The 4-day reporting rule is effective sometime around April 2024 for most companies. Smaller reporting companies have a slightly longer grace period.
  • Annual Disclosures: Disclosures on cybersecurity risk management, strategy, and governance will become effective for fiscal years ending on or after December 15, 2023.

What Companies Should Do

  • Assess Readiness: Review current cybersecurity programs, incident response plans, and disclosure practices.
  • Identify Gaps: Find any areas where your company may not be meeting the new requirements and develop a plan to address them.
  • Prepare Disclosures: Start drafting the required disclosures for inclusion in future annual reports.
  • Board-Level Attention: Ensure board members are aware of their oversight responsibilities related to cybersecurity.
  • Cross-Team Collaboration: Coordinate between legal, IT, communications, finance, and other teams for efficient and comprehensive disclosure.

Important Considerations

  • Materiality: Companies will need to exercise judgment when determining whether a cybersecurity incident is “material” and requires disclosure. The SEC provides guidance on this.
  • Consistency: Disclosures should be consistent in format and content, allowing investors to easily compare cybersecurity practices between companies.
  • Staying Updated: As the cybersecurity landscape evolves, companies need to adapt their risk management practices and disclosures accordingly.