SEC Pulse Header NEW-1

SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure by Public Companies

Posted by Howard Berkenblit on July 26, 2023 at 3:23 PM
Find me on:

The SEC today adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy and governance.

The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K (and for foreign private issuers in Form 6-Ks) any cybersecurity incident they determine to be material and to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material [note this may be later than the four business days after the incident itself]. The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing.

The new rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant's annual report on Form 10-K or 20-F, as applicable.

The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure. All registrants must tag disclosures required under the rules in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.

Topics: cybersecurity, SEC, risk management

Sullivan 4c

About the Blog


The SEC Pulse provides updates and commentary from our Capital Markets Group on issues affecting publicly traded and privately owned businesses, investment banks and foreign companies who trade or raise capital in the United States, and boards of directors and company officers in securities transactions and corporate governance matters.

The material on this site is for general information only and is not legal advice. No liability is accepted for any loss or damage which may result from reliance on it. Always consult a qualified lawyer about a specific legal problem.

Subscribe to Blog

Recent Posts

Posts by Topic

see all