SEC Adopts New Rules on Cybersecurity Reporting and Disclosure

New cybersecurity reporting and disclosure requirements that the Securities and Exchange Commission (SEC) published in August have taken effect this month. Specifically, these disclosure requirements affect public companies. The requirements will standardize and enhance these companies’ disclosures regarding cybersecurity risk management, strategy, governance, and material cybersecurity incidents. Note that cybersecurity risks can affect all businesses, not just public companies. Furthermore, cybersecurity breaches can have consequences for employers under state and federal laws. In February 2023, a non-profit health organization paid $1.25 million when a cybersecurity breach compromised data that was covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Reporting Under the Securities Exchange Act of 1934

Under the Securities Exchange Act of 1934 and current SEC reporting rules, covered companies must file annual reports on Form 10-K. Briefly, Form 10-K discloses specific financial and other information about the company. It provides a detailed overview of the company’s financial condition and includes audited financial statements. Additionally, companies must complete Form 8-K to report specific major events that shareholders should know about. Often, companies must file Form 8-K within four business days of a qualifying event. Events that trigger the need to file include:

• filing bankruptcy;
• personnel changes;
• asset acquisition or reacquisition; and
• the outcome of a shareholder vote.

New Requirements for Cybersecurity Reporting and Disclosure

The SEC’s final rule adds new cybersecurity reporting requirements to the annual Form 10-K filing. These requirements include disclosing details describing a company’s cybersecurity program. The rules also require mandatory and expedited reporting of material cybersecurity incidents on Form 8-K within four days of a material incident. Covered companies must also provide updates on previously reported cybersecurity incidents within future periodic cybersecurity reporting. Additionally, covered companies now need to provide the following:

• periodic disclosures about processes to assess, identify, and manage material cybersecurity risks;
• management’s role in assessing and managing material cybersecurity risks; and
• how the board of directors oversees cybersecurity risks.

Lastly, the final rules now require companies to present cybersecurity reporting and disclosure in Inline eXtensible Business Reporting Language (Inline XBRL). Inline XBRL is a universally preferred filing format for transmitting information on the internet. It is primarily used to communicate financial information between companies and analysts, investors, and regulators.

Final Rule Effective Dates

The SEC published the final rules on cybersecurity reporting on August 4th, 2023. These rules took effect on September 5th, 2023. Companies must provide incident-specific disclosures beginning 90 days after the rules’ publishing date of August 4 or December 18th, 2023, whichever is later. However, smaller public companies have an additional 180 days to comply. Finally, if a company’s fiscal year ends on or after December 15, they must provide annual disclosures beginning with their 2023 Form 10-K.