The Securities and Exchange Commission (SEC) released its final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure on July 26, 2023. This gives your organization approximately five months to confirm your compliance plans before the new disclosure requirements take effect in mid-December. 

The revisions from the proposed rule have streamlined the disclosure requirements in many ways, in response to more than 150 comment letters filed from issuers, investors, and other parties. 

The new rule: what it says, who’s responsible

The final rule requires that, in annual 10-K filings, companies add details describing their cyber program.

It also requires mandatory and speedier filing of Form 8-K for reporting material cybersecurity incidents to the SEC when they occur — within four days of determining that an incident is material. In the rule, cyber incident means an unauthorized occurrence (or series of related occurrences) on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.

The rule provides for a series of extensions if the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.

SEC’s disclosure requirements for public companies….

  • Cyber Incident Reporting
    • Report “material” cybersecurity incidents on a Form 8-K within four business days of materiality determination. 
    • Describe the nature, scope, and timing of the incident and the material impact or reasonably likely material impact on the registrant. To the extent required information is not determined or is unavailable at the time of the filing, the 8-K should include disclosure of this fact, and the 8-K should be later amended when the information is determined or becomes available. 
    • Materiality determination should be based on federal securities law materiality, including consideration of quantitative and qualitative factors.
  • Cyber Risk Management and Strategy
    • Describe the company’s process, if any, for assessing, identifying, and managing material risks from cybersecurity threats, including: 
      • Whether cybersecurity is part of the overall risk management program, engages consultants, auditors or other third parties, and processes to oversee and identify risks from use of third-parties.
      • Whether and how any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the registrant’s business strategy, results of operations, or financial condition.
  • Cyber Governance
    • Describe the company’s governance of cybersecurity risks as it relates to:
      • The board’s oversight of cybersecurity risk, including identification of any board committee or subcommittee responsible for oversight and the process by which they are informed about cyber risks. 
      • Management’s role and expertise in assessing and managing material cybersecurity risk and implementing cybersecurity policies, procedures and strategies. 
      • Specific disclosure of any management positions or committees responsible for assessing and managing cyber risks, including discussion of their relevant expertise.

Effective dates: The material incident disclosure requirements would be effective on or after December 18, 2023 (smaller reporting companies have a 180-day deferral). Disclosures for risk management, strategy and governance would be effective for all registrants for fiscal years ending on or after December 15, 2023. 

Goliath Cyber helping you navigate throughout your Cyber journey, giving you confidence that you are making the right decisions for your business!!!

To learn more…….


Comments are closed