This alert highlights recent updates to Securities and Exchange Commission (“SEC”) disclosure obligations effective for the 2024 Form 10-K and proxy statement season as well as other regulatory updates companies should consider. Note that the topics listed below include key SEC and stock exchange required updates and do not cover other updates that companies should take into consideration, such as voting guidelines of proxy advisory firms and institutional investors, which are beyond the scope of this alert.
The SEC has adopted disclosure rules addressing cybersecurity incidents as well as cybersecurity risk management, strategy, and governance, which included amendments to (i) Form 8-K through the addition of Item 1.05, (ii) Form 10-K through the addition of Item 106 to Regulation S-K, and (iii) Forms 6-K and 20-F, providing for generally parallel disclosure requirements for foreign private issuers (“FPIs”). Current report disclosures (Form 8-K and Form 6-K) were required beginning on Dec. 18, 2023, and smaller reporting companies (“SRCs”) are not required to comply with the current report requirement until June 15, 2024. All companies (including SRCs and FPIs) are required to include the periodic report disclosures, beginning with annual reports for fiscal years ending on or after Dec. 15, 2023.
Form 8-K Disclosure
New Item 1.05 to Form 8-K requires companies to describe, to the extent known at the time of filing, the material aspects of the nature, scope, and timing of a cybersecurity incident, and the material impact or reasonably likely material impact on the company, including on its financial condition and results of operations. Companies must also disclose whether information required by Item 1.05 has not been determined or is unavailable at the time of filing. If such information is not initially available, companies must subsequently file an amendment to the Form 8-K within four business days after determining such information or it becomes available. Due to substantial risks to national security or public safety, the SEC has allowed for filing delays (up to 30, 60 or 120 business days or more, subject to SEC approval) if the U.S. Attorney General (the “AG”) determines, and notifies the SEC in writing, that disclosure of a cybersecurity incident would pose such risks.
The SEC and several governmental agencies have recently provided additional guidance with respect to the implementation of Item 1.05 to Form 8-K. The SEC’s Division of Corporation Finance (the “Staff”) recently released new compliance and disclosure interpretations (“C&DIs”) regarding material cybersecurity incidents and Form 8-K filing delays, which are available here. Furthermore, on December 6, 2023, the Federal Bureau of Investigation (the “FBI”) published a Policy Notice to establish procedures by which the FBI will document cybersecurity incident delay requests. The full text of the FBI’s Policy Notice is available here. Additionally, on December 12, 2023, the Department of Justice (“DOJ”) outlined the process for companies to request that the AG authorize delays of cybersecurity incidents that would otherwise be required to be disclosed under Item 1.05 of Form 8-K. The full text of the DOJ guidelines are available here.
Read the full article here.