Public companies now must disclose certain information regarding material cybersecurity incidents and the company’s cybersecurity risk management, strategy, and governance, under a Final Rule adopted by the Securities and Exchange Commission (SEC) on July 26, 2023.
The Final Rule requires companies to disclose details concerning “material” cybersecurity incidents within four business days of determining that such an incident is “material.” These disclosures, which must be included on Forms 8-K and 6-K, must describe the nature, scope and timing of a cybersecurity incident – as well as its reasonably likely material impact on the registrant. Under the Final Rule, disclosure of a material cybersecurity incident may be delayed by up to 30 days if the U.S. Attorney General determines that disclosure would pose a substantial risk to national security or public safety.
Now more than ever public companies need to adopt proper cybersecurity incident response plans that reflect leadership’s discussions about what might be considered material for reporting purposes. Without such preparation, it will be extremely difficult for public companies to comply with the requirement that they disclose materiality findings within four business days.
Companies will have to comply beginning December 18, 2023, or within 90 days of the rule’s publication in the Federal Register, whichever is later. Smaller reporting companies will be afforded an extra 180 days to comply.
The new rules also require registrants to annually disclose on their Form 10-K information about the company’s cybersecurity strategies, risk management and governance practices, as well as information about their boards of directors’ oversight of – and their management’s role in assessing – cybersecurity-threat risks. These Form 10-K disclosures are due beginning with annual reports for fiscal years ending on or after December 15, 2023.
The SEC’s Final Rule, titled “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” can be viewed here.
PartnerKaren Painter Randall, formerly Certified by the Supreme Court of New Jersey as a Civil Trial Attorney and a partner at Connell Foley LLP, where she chairs the Cybersecurity, Data Privacy, and Incident Response Group. With extensive ...