The SEC (Securities and Exchange Commission) has adopted new rules on cyber security risk management, strategy, governance and incident disclosure.
The rules standardise the cyber security disclosures that public companies must provide to investors and other market participants, and have two main components:
- Annual disclosure of cyber security risk management, strategy, and governance.
- Disclosure of material cyber security incidents.
These disclosures must be tagged in Inline XBRL (eXtensible Business Reporting Language).
Who do the rules affect?
The new SEC rules apply to domestic registrants and FPIs (foreign private issuers) subject to the reporting requirements of the Securities Exchange Act of 1934, and to BDCs (business development companies) as defined by the Investment Company Act of 1940.
What changes were introduced by the rules?
- Cyber security risk management, strategy, and governance disclosure
Item 106 is added to Regulation S-K, requiring registrants to disclose certain information about their cyber security risk management, strategy and governance in their annual Form 10-K reports.
Item 16K is added to Form 20-F, requiring FPIs to disclose certain information about their cyber security risk management, strategy and governance in their annual Form 20-F reports.
Both Item 106 and Item 16K require registrants to describe their processes for assessing, identifying and managing material risks from cyber security threats. They must also state whether any risks from cyber security threats, including as a result of any previous cyber security incidents, have materially affected or are reasonably likely to materially affect them.
Item 106 and Item 16K also require registrants to describe their board’s supervision of risks from cyber security threats, as well as their management’s role in assessing and managing material risks from cyber security threats.
- Material cyber security incident disclosure requirements
Item 1.05 is added to Form 8-K, requiring registrants to disclose any cyber security incident they determine to be material. They must disclose:
- The material aspects of the nature, scope, and timing of the incident
- The material impact or reasonably likely impact of the incident on them, including on their financial condition and operations
There is no obligation to disclose specific or technical information about the incident or its response if doing so would impede the registrant’s incident response or remediation.
Disclosure is due four business days after the registrant determines that the cyber security incident is material, although a limited delay is allowed if the United States Attorney General determines in writing that disclosure would pose a substantial risk to national security or public safety.
- Structured data requirements
Registrants must tag the disclosures made under the new rules in Inline XBRL.
When did they enter into effect?
The rules came into effect on 5 September 2023.
Compliance dates vary by the type of disclosure, with SRCs (smaller reporting companies) given a longer compliance period for incident reporting:
- Form 10-K and Form 20-F cyber security risk management, strategy, and governance disclosures
All registrants, including SRCs, must provide disclosures beginning with their annual reports for fiscal years ending on or after 15 December 2023.
- Form 8-K and Form 6-K material cyber security incident disclosures
Registrants that are not SRCs must begin complying by 18 December 2023.
SRCs must begin complying by 15 June 2024.
- Structured data requirements
All registrants, including SRCs, must begin tagging their Form 10-K and Form 20-F disclosures in Inline XBRL for fiscal years ending on or after 15 December 2024.
All registrants, including SRCs, must begin tagging their material cyber security incident disclosures in Inline XBRL by 18 December 2024.
How GRC Solutions can help you meet your SEC cyber security disclosure obligations
We are experts on information security, cyber security and cyber incident response management, and have been helping organisations around the world implement and maintain best practices for more than 20 years.
If you need help with your cyber security programme, or with identifying and responding to a cyber security incident – including reporting – we have everything you need.
Call us today to speak to one of our experts about how we can help you.