New SEC cybersecurity risk required disclosures
by Jennifer F. Louis, CPA
In July 2023, the SEC issued a final rule related to cybersecurity disclosures. The objective is to have more timely disclosure of material cybersecurity incidents under Item 1.05 of Form 8-K. In addition, there are new required annual disclosures related to cybersecurity risk management, strategy, and governance in the annual report on Form 10-K.
A cybersecurity incident is an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.
Material cybersecurity incidents are required to be reported within four business days, with certain exceptions for national security or public safety. The determination of materiality is based on the definition used in federal securities laws.
If information is not determined or available at the time of required filing, a statement to that effect would be included in the Form 8-K filing. Then, the entity would file an amended Form 8-K within four business days after the information is determined or available.
The Form 8-K will describe the material aspects of the nature, scope, and timing of the incident. Disclosures should include the material impact (or reasonably likely material impact) on the registrant, including on its financial condition and results of operations.
The new rules apply to all SEC domestic registrants, with comparable requirements for foreign private issuers filing on domestic forms. Registrants must begin complying with the requirement on Form 8-K or Form 6-K on December 18, 2023. Smaller Reporting Companies will have until June 15, 2024. All registrants are required to comply with the annual disclosure requirements beginning with annual reports for fiscal years ending on or after December 15, 2023.