
The SEC's Demanding Disclosure Obligations Take Effect in 12 Days: Overview of Key Compliance Obligations for Registrants Under the SEC's Cybersecurity Incident and Risk Management Standard

By Laura Fey and Blake Lines, Associate Attorney

On July 26, 2023, the Securities and Exchange Commission (SEC) adopted final rules requiring public companies to disclose material cybersecurity incidents and to make annual disclosures about their cybersecurity risk management, strategy, and governance. The rules become effective on September 5, 2023. Compliance is phased in: the annual Form 10-K disclosures are required for fiscal years ending on or after December 15, 2023, and Form 8-K incident reporting is required beginning December 18, 2023 (smaller reporting companies have an additional 180 days, until June 15, 2024, for incident reporting). Even so, registrants have precious little time to put the processes these rules demand in place.

Disclosure of Material Cybersecurity Incidents

What Must Be Disclosed

Registrants must disclose any cybersecurity incident they determine to be material. The SEC defined "cybersecurity incident" broadly as an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of those systems or any information residing in them. Because the definition covers a series of related occurrences, individually immaterial events must be assessed together when they are connected.

The Materiality Determination

The materiality standard is the same standard applied to other disclosure decisions: whether there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision. The SEC declined to define materiality narrowly or to provide a bright-line test.

Timing: 4 Business Days

Once a registrant determines that a cybersecurity incident is material, it must disclose the incident under Item 1.05 of Form 8-K within four (4) business days of that determination. The clock does not start when the incident is discovered; it starts when the materiality determination is made. That is not a license to wait: the rule requires the materiality determination itself to be made without unreasonable delay after discovery of the incident, so registrants should document both the date of discovery and the date of the determination.

The SEC created a limited exception: disclosure may be delayed if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of that determination in writing. The initial delay is up to 30 days, which may be extended by up to an additional 30 days and, in extraordinary circumstances, by a further period of up to 60 days.

Required Content

The Form 8-K disclosure must describe:

  • The material aspects of the nature, scope, and timing of the incident
  • The material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations

If any of the required information is not determined or is unavailable at the time of the initial filing, the registrant must say so in the Form 8-K and then file an amendment within four business days after the information is determined or becomes available.

Registrants are not required to disclose specific or technical information about their planned response, their systems and networks, or potential vulnerabilities in such detail as would impede their response or remediation of the incident, or that would provide a roadmap for future attacks.

Annual Disclosures: Risk Management, Strategy, and Governance

Risk Management and Strategy

In annual reports on Form 10-K, registrants must describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, including:

  • Whether and how those processes are integrated into the registrant's overall risk management system or processes
  • Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with those processes
  • Whether the registrant has processes to oversee and identify risks from cybersecurity threats associated with its use of third-party service providers

Registrants must also describe whether any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition.

Governance Disclosures

Registrants must also disclose:

  • The board of directors' oversight of risks from cybersecurity threats, including identification of any board committee or subcommittee responsible for that oversight and the processes by which the board or committee is informed about such risks
  • Management's role in assessing and managing material risks from cybersecurity threats, including which management positions or committees are responsible, the relevant expertise of those persons, and the processes by which they are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents
  • Whether those members of management report information about such risks to the board or a board committee

Preparing for Compliance

Registrants should take immediate steps to prepare for these new rules, including:

  1. Assess readiness: Evaluate existing incident response plans and disclosure protocols to identify gaps.
  2. Establish a materiality determination process: Create a clear process for making timely materiality determinations that involves appropriate legal, technical, and business stakeholders, and that records when an incident was discovered and when the determination was made, since the rule requires the determination to be made without unreasonable delay after discovery.
  3. Update disclosure controls: Ensure that cybersecurity incidents, including series of related incidents, are escalated promptly to those responsible for making disclosure decisions.
  4. Review board oversight: Assess current board-level oversight of cybersecurity and determine whether it meets the new disclosure standards.
  5. Prepare annual disclosure language: Draft Form 10-K cybersecurity disclosure language that accurately describes risk management processes and governance structures.
  6. Train key personnel: Train those involved in incident response, legal, and disclosure on the new requirements.

For more information on the SEC’s cybersecurity rules, visit the SEC’s press release.
