SEC Adopts Cybersecurity Disclosure Rules

By Jed Weiner

In September 2023, the Security and Exchange Commission’s cybersecurity disclosure rules (“SEC Cyber Rules”) became effective. By December 18, 2023, companies other than small reporting companies  were required to comply with all of the Cyber Rules. Smaller reporting companies are required to comply by June 15, 2024.

The SEC Cyber Rules require public companies to disclose:

• on Form 8-K, material cybersecurity incidents within four (4) business days of the company’s determination that the cybersecurity incident is material.

• on an amendment to a prior Form 8-K, any required information regarding a cybersecurity incident that was not determined or was unavailable at the time of the initial Form 8-K.

• on Form 10-K, a description of processes, if any, for the assessment, identification and management of material risks from cybersecurity threats, and an assessment of cybersecurity risks that are reasonably likely to affect business strategy, results of operations or financial conditions “Annual Cyber Disclosures”.

• on Form 10-K, the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.

For foreign private issuers, annual cyber disclosures are required in foreign private issuers’ annual reports on Form 20-F, and material cybersecurity incident disclosure are required to be reported on Form 6-K.

Companies should draft SEC Cyber Rule disclosure carefully as such disclosure may be scrutinized by investors and regulators. Companies should review their cybersecurity incident protocols to make sure they are consistent with SEC Cyber Rule disclosure. Disclosure should cover features of cybersecurity incidents and governance referred to in the SEC Cyber Rules.  

For more information about the Cyber Rules, contact Jed Weiner, grIP Founder and Head of Corporate at boutique DC law firm Mei & Mark jweiner@gripventure.com.