New SEC cybersecurity risk required disclosures

cybersecurity laws from the SEC

by Jennifer F. Louis, CPA


In July 2023, the SEC issued a final rule related to cybersecurity disclosures. The objective is to have more timely disclosure of material cybersecurity incidents on Item 1.05 of Form 8-K. In addition, there are new annual required disclosures related to cybersecurity risk management, strategy, and governance in the annual report on Form 10-K. 

A cybersecurity incident is an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein. 

Material cybersecurity incidents are required to be reported within four business days, with certain exceptions for national security or public safety. The determination of materiality is based on the definition used in federal securities laws.

If information is not determined or available at the time of required filing, a statement to that effect would be included in the Form 8-K filing. Then, the entity would file an amended Form 8-K within four business days after the information is determined or available. 

The Form 8-K will describe the material aspects of the nature, scope, and timing of the incident. Disclosures should include the material impact (or reasonably likely material impact) on the registrant, including on its financial condition and results of operations. 

The new rules apply to all SEC domestic registrants, with comparable requirements for foreign private issues filing on domestic forms. Registrants must begin complying with the requirement on Form 8-K or Form 6-K on December 18, 2023. Smaller Reporting Companies will have until June 15, 2024. All registrants are required to comply with the annual disclosure requirements beginning with annual reports for fiscal years ending on or after December 15, 2023.

Now Leaving

You are leaving the website. Once you click “continue,” you will be brought to a third-party website. Please be aware, the privacy policy may differ on the third-party website. Adtalem Global Education is not responsible for the security, contents and accuracy of any information provided on the third-party website. Note that the website may still be a third-party website even the format is similar to the website.