On July 26, 2023, the Securities and Exchange Commission (SEC) adopted rules requiring public companies to disclose material cybersecurity incidents they experience. Companies are also now required to disclose, annually, information about their cybersecurity risk management, strategy, and governance. The SEC extended comparable disclosure requirements to Foreign Private Issuers (FPIs). The rules are intended to give investors and other stakeholders of public companies consistent, comparable, and decision-useful cybersecurity disclosures.
The new SEC cybersecurity disclosures appear in Form 8-K Item 1.05, Regulation S-K Item 106, Form 10-K, Form 6-K, and Form 20-F. Compliance with the incident disclosure requirements in Form 8-K and Form 6-K began on December 18, 2023. Smaller reporting companies were given an additional 180 days and must begin complying with the Form 8-K Item 1.05 requirements on June 15, 2024. Keep reading for more details.
SEC Form 8-K Item 1.05
SEC Form 8-K is the report that publicly traded companies must file to disclose significant events that shareholders should know about; the updated Form 8-K adds Item 1.05, which is used to disclose cybersecurity incidents. Item 1.05 applies once the company determines that a cybersecurity incident is material. The clock runs from that materiality determination, not from the date the incident was discovered: the Form 8-K must be filed within four business days after the company determines the incident is material, and the determination itself must be made without unreasonable delay after discovery.
Information required:
- The material aspects of the nature, scope, and timing of the incident
- The material impact, or reasonably likely material impact, of the incident on the company, including its financial condition and results of operations
Companies are not required to disclose specific or technical information about their incident response plans, cybersecurity systems, or potential vulnerabilities in such detail that it would impede the response or remediation. If any required information is not determined or is unavailable at the time of the initial filing, the company must say so and file an amendment on Form 8-K/A within four business days after it determines that information or it becomes available.
There is one caveat: the disclosure may be delayed if the Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing. The initial delay is limited to 30 days and may be extended only in the circumstances the rule specifies.
Regulation S-K Item 106 and Form 10-K
Regulation S-K Item 106 establishes the annual cybersecurity risk disclosure requirements for public companies (registrants). Item 106 focuses on having companies describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats. It also requires companies to disclose whether any risks from cybersecurity threats, including as a result of previous incidents, have materially affected or are reasonably likely to materially affect the company, its business strategy, results of operations, or financial condition. Item 106 additionally requires disclosure of the board of directors' oversight of risks from cybersecurity threats and management's role and expertise in assessing and managing those risks. These disclosures are required in annual reports on Form 10-K (Annual Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934) for fiscal years ending on or after December 15, 2023.
Form 6-K and 20-F and Foreign Private Issuers
These two forms hold Foreign Private Issuers (FPIs) to disclosures comparable to those required of domestic companies. Form 6-K (Report of Foreign Private Issuer Pursuant to Rule 13a-16 or 15d-16 under the Securities Exchange Act of 1934) was amended to add material cybersecurity incidents to the list of information an FPI must furnish when it makes, or is required to make, that information public in its home jurisdiction, files it with a stock exchange, or distributes it to security holders. Form 20-F was amended to add Item 16K, which requires the same annual disclosure as Regulation S-K Item 106 for domestic companies: the company's processes for assessing, identifying, and managing material cybersecurity risks, the board's oversight of those risks, and management's role in assessing and managing them.
Potential Challenges for Organizations
The new SEC cybersecurity rules may pose significant challenges for organizations that have fallen behind in developing comprehensive information security policies, procedures, and governance programs. Companies without dedicated information security teams and tested incident response plans may struggle to make a timely materiality determination and then meet the four-business-day filing deadline that follows it.
Similarly, organizations that have not invested in fully understanding and documenting their systems, data models, and potential vulnerabilities could have difficulty efficiently responding to and recovering from data breaches.
Most critically, organizations without clear governance models, including clearly articulated roles and responsibilities for risk assessment, threat detection, and ongoing maintenance of defenses, often lack the capacity to take a strategic, organization-wide approach to cybersecurity. As cyber threats continue to evolve rapidly, companies without mature and adaptable programs anchored by executive leadership and board oversight will find it difficult to demonstrate due diligence to investors and regulators. The new SEC cybersecurity disclosure requirements underscore the need for all public companies to devote the time, resources, and energy required to strengthen and maintain their information security programs.