The US Securities and Exchange Commission (SEC) has introduced new rules that mandate public firms, especially tech companies, to disclose or report cybersecurity breaches within four days.

The regulations also require annual disclosure of critical information about their cybersecurity risk management, strategy, and governance. Additionally, foreign private issuers are obliged to make similar disclosures.

US-POLITICS-NCCIC-CYBER STORM III
(Photo : JIM WATSON/AFP via Getty Images)
Analysts at the National Cybersecurity & Communications Integration Center (NCCIC) prepare for Cyber Storm III during a media session at their headquarters in Arlington, VA, September 24, 2010. Cyber Storm III is NCCIC's capstone national-level cybersecurity exercise.

SEC Orders Cybersecurity Disclosures of Tech Companies

SEC Chair Gary Gensler emphasized the importance of consistent and comparable cybersecurity disclosure, citing its material impact on investors and companies. 

With the new rules in place, both investors and firms are expected to benefit from a more streamlined and decision-useful disclosure process, ultimately fostering stronger and more secure markets.

"Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way," Gensler said in a statement.

"Through helping to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them." 

The newly introduced Regulation S-K Item 106 will mandate registrants to describe their processes for assessing, identifying, and managing material cybersecurity risks, including the effects of such risks and previous cybersecurity incidents. 

It will also require details about the board of directors' oversight of cybersecurity risks and management's expertise in handling them in a registrant's annual report on Form 10-K.

Foreign private issuers will also be subject to similar disclosure requirements. They must make comparable disclosures on Form 6-K for material cybersecurity incidents and Form 20-F for cybersecurity risk management, strategy, and governance.

SEC Final Rules

The final rules will take effect 30 days after publication in the Federal Register. The Form 10-K and Form 20-F disclosures will be due for fiscal years ending on or after December 15, 2023.  

The Form 8-K and Form 6-K disclosures will be due either 90 days after the date of publication in the Federal Register or by December 18, 2023, whichever is later.

Smaller reporting companies are granted an extended period of 180 days to submit the Form 8-K disclosure. Additionally, all registrants must comply with the requirement to tag the necessary disclosures in Inline XBRL one year after their initial compliance with the related disclosure requirement.

By implementing these new rules, the SEC aims to enhance transparency and ensure that cybersecurity incidents are promptly reported, providing investors with crucial information for making well-informed decisions. 

The measures are expected to elevate cybersecurity risk management practices and underscore the importance of safeguarding sensitive information in today's increasingly interconnected digital landscape. 

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.