The new SEC cybersecurity rules (Release No. 33-11216) codify and build on earlier SEC guidance on cybersecurity risks and incidents and require specific cybersecurity-related disclosures.
The new requirements are summarized below.
Key Requirements
1. Public Disclosure of Cybersecurity Incidents: Beginning on December 18, 2023 (June 15, 2024 for smaller reporting companies), companies are required to disclose material cybersecurity incidents within four business days under new Item 1.05 of Form 8-K. The four-business-day clock is triggered by the company’s determination that the incident is material to investors, not by discovery of the incident itself. Companies are required to make that materiality determination as soon as reasonably practicable after discovering the incident and may not delay it in order to postpone disclosure.
Once a cybersecurity incident is determined to be material, companies must disclose:
Companies may omit information not known at the time of filing and need not disclose specific or technical information about their planned response or about their systems, networks and devices in such detail that it would impede the company’s response or remediation. Companies may not, however, delay disclosure to protect an internal investigation or to facilitate cooperation with law enforcement. The only permitted delay is where the U.S. Attorney General determines that disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing; in that case disclosure may be delayed for the period the Attorney General specifies (initially up to 30 days, extendable in limited circumstances).
If any required information is not determined or is unavailable at the time of the initial Form 8-K, the company must say so in the filing and then file an amendment to the Item 1.05 Form 8-K within four business days after that information becomes available. The term “cybersecurity incident” is defined to include a series of related unauthorized occurrences, so related incidents that are individually immaterial may be material in the aggregate and must be assessed as a whole.
2. Public Disclosure of Company Policies and Governance: Beginning with annual reports for fiscal years ending on or after December 15, 2023, companies must disclose on their Form 10-K:
3. Foreign Private Issuers: The substance of the foregoing disclosure requirements also applies to foreign private issuers, with incident disclosure furnished on Form 6-K and the annual risk management, strategy and governance disclosure made on Form 20-F.
Changes to SEC’s 2018 Guidance
The new rules codify much of the 2018 guidance, which most public companies are already following. For example, the 2018 guidance encouraged companies to develop cybersecurity risk management policies and procedures to enable disclosures and to disclose the board’s oversight of cybersecurity risk. The new rules take this guidance and strengthen it into required disclosures.
The new rules also increase the burden of cybersecurity incident disclosures. Under the 2018 guidance, the SEC expected companies to discuss cybersecurity incidents or risks if they would materially affect the company, but set no fixed timeline. The new rules create a fixed four-business-day deadline and require a substantial amount of information to be included in the disclosure of any material cybersecurity incident.
Takeaways
To be compliant with these new rules, companies should be prepared to address the following:
If you have any questions about these or related topics, please reach out to your Locke Lord contact or any of the authors.
The post Tighter SEC Cybersecurity Incident Disclosure Requirements Go into Effect Today appeared first on Capital Markets.