Yesterday the SEC issued final rules requiring disclosure of material cybersecurity incidents on Form 8-K and periodic disclosure of a registrant’s cybersecurity risk management, strategy, and governance in annual reports.
These rules follow SEC interpretive guidance issued in 2011 and 2018 relating to public company cybersecurity disclosure. In the final rule, the Commission noted, “Overall, we remain persuaded that, as detailed in the Proposing Release: under-disclosure regarding cybersecurity persists despite the Commission’s prior guidance; investors need more timely and consistent cybersecurity disclosure to make informed investment decisions; and recent legislative and regulatory developments elsewhere in the Federal government … will not effectuate the level of public cybersecurity disclosure needed by investors in public companies.”
The final rules include the following requirements:
- Regulation S-K Item 106(b) – Risk Management and Strategy
  o Registrants must describe their processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats, and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition.
- Regulation S-K Item 106(c) – Governance
  o Registrants must:
    ▪ Describe the board’s oversight of risks from cybersecurity threats.
    ▪ Describe management’s role in assessing and managing material risks from cybersecurity threats.
- Form 8-K Item 1.05 – Material Cybersecurity Incidents
  o Registrants must disclose any cybersecurity incident they experience that is determined to be material, and describe the material aspects of its:
    ▪ Nature, scope, and timing; and
    ▪ Impact or reasonably likely impact.
  o An Item 1.05 Form 8-K must be filed within four business days of determining an incident was material. A registrant may delay filing as described below, if the United States Attorney General determines immediate disclosure would pose a substantial risk to national security or public safety.
  o Registrants must amend a prior Item 1.05 Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing.
- Form 20-F
  o Foreign Private Issuers must:
    ▪ Describe the board’s oversight of risks from cybersecurity threats.
    ▪ Describe management’s role in assessing and managing material risks from cybersecurity threats.
- Form 6-K
  o Foreign Private Issuers must furnish on Form 6-K information on material cybersecurity incidents that they disclose or otherwise publicize in a foreign jurisdiction, to any stock exchange, or to security holders.
NIRI encourages members interested in advocating on behalf of the investor relations profession to participate in its annual Legislative and Advocacy Fly-In, which includes meetings with the SEC and Congress. The 2023 Legislative and Advocacy Fly-In will be held September 28-29 in Washington DC. More information and registration are available.
The final rules will become effective 30 days after publication in the Federal Register. The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure.
Resources
- SEC Press Release: https://www.sec.gov/news/press-release/2023-139
- SEC Fact Sheet: https://www.sec.gov/files/33-11216-fact-sheet.pdf
- SEC Final Rule: https://www.sec.gov/rules/final/2023/33-11216.pdf
About NIRI: The Association for Investor Relations
Founded in 1969, NIRI is the professional association of corporate officers and investor relations consultants responsible for communication among corporate management, shareholders, securities analysts, and other financial community constituents. NIRI is the largest professional investor relations association in the world, with members representing over 1,500 publicly held companies and $12 trillion in stock market capitalization.