The amendments will require companies to report a cybersecurity incident on Form 8-K within four business days after the company determines the incident is material. Companies will be required to amend the Form 8-K to provide updated incident disclosure if any information called for in the initial Form 8-K is not determined or available at the time of the initial filing.
The new requirements extend beyond incident reporting to include information intended to enable investors to evaluate companies’ ability to manage and mitigate their cybersecurity risk and exposure. Companies will be required to describe in their Form 10-K reports their processes for assessing, identifying, and managing material risks from cybersecurity threats, including whether and how any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition. Companies also will be required to describe the board’s role in overseeing cybersecurity risk and management’s role in assessing and managing the company’s material risks from cybersecurity threats.
The amendments will be effective on September 5, 2023. The amended rules apply to all companies filing reports with the SEC, including foreign private issuers as well as domestic registrants (with the exception of asset-backed issuers). Companies other than smaller reporting companies will first be required to provide the new Form 8-K disclosures beginning on December 18, 2023. Smaller reporting companies will have an additional 180 days to begin complying with the Form 8-K requirements. The Form 10-K disclosures will be due beginning with annual reports filed for fiscal years ending after December 15, 2023.
The SEC’s adopting release (Release No. 33-11216) can be viewed here and the fact sheet here.
Authored by Alan Dye (co-editor), Richard Parrino (co-editor), John Beckman, Kevin Greenslade, Ann Kim, Paul Otto, Peter Marta, Allison Holt Ryan, Brendan Oldham, and Spencer Leroux.