Alerts

SEC Adopts Final Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

On July 26, 2023, the Securities and Exchange Commission (“SEC”) adopted new final rules and form amendments (the “Rules”) addressing cybersecurity incidents as well as cybersecurity risk management, strategy, and governance. The Rules are designed to enhance and standardize the cybersecurity-related disclosure required by public companies subject to the reporting requirements of the Securities Exchange Act of 1934. The Rules will apply to companies that file on Forms 8-K and 10-K (“Domestic Filers”), including smaller reporting companies, as well as foreign private issuers that file on Forms 6-K and 20-F (“FPIs”).

The Rules include amendments to (i) Form 8-K through the addition of Item 1.05, (ii) Form 10-K through the addition of Item 106 to Regulation S-K and (iii) Forms 6-K and 20-F, providing for generally parallel disclosure requirements for FPIs. Notably, in response to comments, the SEC scaled back a number of the disclosure requirements that were described in the proposed rules. Nevertheless, we expect that the new rules will be challenging for public companies to comply with—especially the requirement to report material cybersecurity incidents within four business days.

Domestic Filers, including smaller reporting companies, and FPIs will be required to include the periodic report disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023. Current report disclosures (Form 8-K and Form 6-K) will be required beginning the later of 90 days after the date of publication of the adopting release in the Federal Register or December 18, 2023. However, smaller reporting companies will be allowed an additional 180 days for current report disclosures on Form 8-K; which, at the latest, would be by June 15, 2024.

Read the full article here.