SEC Public Company Cybersecurity Disclosures
In July 2023, the Securities and Exchange Commission (SEC) implemented regulations requiring public companies to disclose material cybersecurity incidents and provide annual transparency regarding their cybersecurity risk management, strategy, and governance. The same disclosure requirements apply to Foreign Private Issuers (FPIs), ensuring greater transparency and accountability in how public companies address cyber risk.
Key SEC Disclosure Requirements
- Form 8-K Item 1.05: Requires public companies to report material cybersecurity incidents within four business days of determining materiality. Disclosures must include:
  - Discovery date and status (ongoing or resolved)
  - Detailed description of the incident’s nature and scope
  - Business impacts (operational, financial, etc.)
  - Remediation status
  Disclosures can be delayed at the direction of the Attorney General if immediate release would pose national security or public safety risks.
- Regulation S-K Item 106 and Form 10-K: Requires organizations to describe their processes for assessing and managing material cybersecurity threats in annual 10-K filings for fiscal years ending on or after December 15, 2023. Disclosures must include:
  - Risks from incidents that have or could materially impact the organization
  - Details on management’s involvement in risk assessment
  - Board of directors’ oversight of cybersecurity risks
- Form 6-K, 20-F, and Foreign Private Issuers: FPIs must meet equivalent disclosure obligations. Form 6-K covers material incidents, while Form 20-F requires detailed annual information on cybersecurity governance, risk assessment, and board oversight.
Challenges for Organizations
Organizations may struggle to comply with SEC rules, especially the four-day incident reporting timeframe, if they lack comprehensive information security policies, governance structures, or incident response plans. Insufficient investment in understanding digital assets, data models, and vulnerabilities can impede timely and effective breach response. Companies without clearly defined executive or board-level cybersecurity governance may face challenges in demonstrating due diligence. The SEC’s cybersecurity rules highlight the urgency for public companies to invest in resilient, adaptive programs that include executive and board oversight.