SEC Adopts New Cybersecurity Rule for Public Companies

What does the new SEC Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure Rule mean for public companies?

The Security and Exchange Commission (SEC) formally adopted the Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure Rule on July 26, 2023, following the public comment period.

The final rule is designed to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and material cybersecurity incidents from public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.

SEC Public Company Cybersecurity Rule – Material Incident Disclosure

The new rule requires registrants to disclose, on the new Item 1.05 of Form 8-K, any cybersecurity incident determined to be material and to “describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.”

An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material.

The final ruling did note that exceptions for reporting timeframes may be made if the “United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.”

SEC Public Company Cybersecurity Rule – Regulation S-K Item 106

The new rule also adds Regulation S-K Item 106, which requires public companies to disclose information on their cybersecurity risk management, strategy and governance plans in their annual report on Form 10-K in an effort to provide more transparency to investors. The new disclosures required on Form 10-K include:

• Whether and how the described cybersecurity processes have been integrated into the registrant’s overall risk management system or processes;
• Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
• Whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.
• A description of the board’s oversight of risks from cybersecurity threats and, if applicable, the identification of any board committee or subcommittee responsible for such oversight and a description of the processes by which the board or committee is informed about such risks.
• A description of management’s role in assessing and managing material risks from cybersecurity threats.

SEC Public Company Cybersecurity Rule – Timeline and Key Dates

According to the SEC press release, the final rules will become effective 30 days following publication of the adopting release in the Federal Register, with key disclosure deadlines as follows:

• The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023.
• The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023.
• Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure.

While not all of the proposed rules were adopted as part of the final ruling, the SEC is optimistic that the new rule will have a positive impact for investors in the public space. 

“Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way,” said SEC Chair Gary Gensler. “Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

How Can Schneider Downs Help?

The Schneider Downs Cybersecurity Team can help your organization be better prepared to meet the new disclosure demands from the SEC. If you have any questions about the new SEC cybersecurity disclosure and incident reporting requirements, please contact our team at [email protected].

Related Links

• SEC Press Release – SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies
• SEC Fact Sheet – Public Company Cybersecurity Disclosures; Final Rules
• SEC Final Rule – Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

About Schneider Downs Cybersecurity

The Schneider Downs Cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.

To learn more, visit www.schneiderdowns.com/cybersecurity.

Want to be in the know? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity, at www.schneiderdowns.com/subscribe.