From Compliance to Confidence: SEC’s New Cybersecurity Rules

Originally published by BigID.

Written by Neil Patel, Director of Product Marketing, BigID.

SEC’s New Cybersecurity Regulation

The Securities and Exchange Commission (SEC) has adopted new rules that require companies to disclose material cybersecurity incidents and information about their cybersecurity risk management, strategy, and governance. This aims to provide investors with consistent and comparable information to make informed decisions. The rules apply to both domestic and foreign private issuers. The new regulations will become effective 30 days after publication in the Federal Register, with disclosure deadlines starting for fiscal years ending on or after December 15, 2023.

The Significance of SEC’s New Rules

The new rules are crucial in enhancing transparency and accountability in the financial markets regarding cybersecurity incidents. By requiring companies to disclose such incidents and their risk management approaches, investors can better understand the potential impact of cybersecurity threats on a company’s operations and financial performance.

Who the SEC’s New Rules Affect

The rules are targeted towards publicly-traded companies registered with the SEC, including both domestic and foreign private issuers. These companies are required to make the specified cybersecurity disclosures in their annual reports and on Form 8-K (for material incidents) or Form 6-K (for foreign private issuers) as per the provided timelines.

List of SEC’s New Rules

Rule 1: Disclosure of Material Cybersecurity Incidents

• Registrants must disclose any material cybersecurity incidents they experience.
• The disclosure should include the material aspects of the incident’s nature, scope, timing, and its material impact or reasonably likely material impact on the registrant.
• The disclosure must be made on the new Item 1.05 of Form 8-K.
• Generally, the Form 8-K disclosure is due four business days after the registrant determines the cybersecurity incident is material.
• Disclosure may be delayed if immediate disclosure would pose a substantial risk to national security or public safety.

Rule 2: Disclosure of Cybersecurity Risk Management, Strategy, and Governance

• Registrants must disclose material information about their processes for assessing, identifying, and managing material risks from cybersecurity threats.
• They must also disclose the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.
• The disclosure must describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing these risks.
• This disclosure is added as Regulation S-K Item 106 and is required in a registrant’s annual report on Form 10-K.

Rule 3: Comparable Disclosures for Foreign Private Issuers

• Foreign private issuers are also required to make comparable disclosures for material cybersecurity incidents on Form 6-K.
• They must also provide disclosures regarding cybersecurity risk management, strategy, and governance on Form 20-F.

Rule 4: Effective Date and Deadlines:

• The final rules will become effective 30 days following publication in the Federal Register.
• Form 10-K and Form 20-F disclosures will be due for fiscal years ending on or after December 15, 2023.
• Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023.
• Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure.
• Registrants must tag the disclosures required under the final rules in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.

Cybersecurity Incident Vs. Breach

Cybersecurity (or security) incidents and data breaches are sometimes used interchangeably. While any sort of data breach is considered a significant security incident, not every security incident involves a data breach. A security incident is any event that potentially harms a computer system or network. It could be an attempted cyber-attack, a virus infection, or unauthorized access to data. A data breach, on the other hand, is a specific type of security incident where sensitive or confidential information is accessed, disclosed, or stolen without authorization. The SEC’s new rules require disclosure of any material cybersecurity incidents, including but not limited to data breaches.