SEC Pulse Header NEW-1

SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure by Public Companies

Posted by Howard Berkenblit on July 26, 2023 at 3:23 PM

The SEC today adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy and governance.

The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K (and for foreign private issuers in Form 6-Ks) any cybersecurity incident they determine to be material and to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material [note this may be later than the four business days after the incident itself]. The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing.

The new rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant's annual report on Form 10-K or 20-F, as applicable.

The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure. All registrants must tag disclosures required under the rules in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.

Topics: cybersecurity, SEC, risk management

SEC Proposes Rules on Cybersecurity Governance and Disclosure by Public Companies

Posted by Howard Berkenblit on March 9, 2022 at 4:08 PM

The SEC today proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.

The proposed amendments would require, among other things, current reporting on a Form 8-K about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents, as well as reporting when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate.

The proposal also would require periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks; the registrant’s board of directors' oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures. The proposal further would require annual reporting or certain proxy disclosure about the board of directors’ cybersecurity expertise, if any. The new disclosure would also need to be tagged with XBRL.

Topics: cybersecurity, Form 8-K

SEC issues guidance on cybersecurity disclosures

Posted by Howard Berkenblit on February 21, 2018 at 3:07 PM

The SEC posted today an interpretive release regarding its latest guidance public companies’ disclosure obligations under existing law with respect to matters involving cybersecurity risk and incidents. It also addresses the importance of cybersecurity policies and procedures and the application of disclosure controls and procedures, insider trading prohibitions, and Regulation FD and selective disclosure prohibitions in the cybersecurity context.

The timing of the release was a bit unusual. Initially, the SEC was scheduled to consider the guidance at an open meeting on February 21st. It abruptly cancelled the meeting and instead put out a press release saying the interpretive guidance had been approved on February 20th. Sounds like the SEC may be having its own issues with disclosure controls and procedures!

Topics: cybersecurity, SEC, Securities and Exchange Commission, Regulation FD

Sullivan 4c

About the Blog


The SEC Pulse provides updates and commentary from our Capital Markets Group on issues affecting publicly traded and privately owned businesses, investment banks and foreign companies who trade or raise capital in the United States, and boards of directors and company officers in securities transactions and corporate governance matters.

The material on this site is for general information only and is not legal advice. No liability is accepted for any loss or damage which may result from reliance on it. Always consult a qualified lawyer about a specific legal problem.

Subscribe to Blog

Recent Posts

Posts by Topic

see all