The SEC has announced that it is adopting rule amendments to improve and standardize disclosures for cybersecurity risk management, strategy, governance, and incidents by public companies subject to the reporting requirements of the Securities Exchange Act of 1934. In particular, the SEC is adopting rules and rule amendments that will require current disclosure about material cybersecurity incidents.
The newly adopted amendments and rules concerning public company cybersecurity disclosures will:
add Regulation S-K Item 106, requiring registrants to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects of risks from cybersecurity threats and previous cybersecurity incidents. Concerning Regulation S-K Item 106 and the comparable requirements in Form 20-F, registrants are required to provide these disclosures beginning with annual reports (10-K) for fiscal years ending on or after December 15, 2023.
require all registrants (other than smaller reporting companies) to begin providing the disclosures in Form 8-K Item 1.05 and in Form 6-K 90 days after the date of publication in the Federal Register or December 18, 2023, whichever is later
require all registrants, concerning structured data requirements, to tag disclosures required under the final rules in Inline eXtensible Business Reporting Language (Inline XBRL) beginning one year after initial compliance with the related disclosure requirement
allow smaller reporting companies an 180 days and must begin complying with Form 8-K Item 1.05 on the later of 270 days from the effective date of the rules or June 15, 2024.
The final rule will go into effect 30 days following its publication in the Federal Register.
For further details on the final rule, visit the SEC’s website.