The SEC has enforced new rules requiring registered entities to divulge significant cyber incidents and to annually disclose substantial information regarding their cybersecurity risk management, strategy, and governance.
This mandate extends to foreign private issuers who are now obliged to make similar disclosures.
SEC Chair Gary Gensler believes that investors and companies alike will profit from more systematic and comparable cybersecurity disclosures. The new directives aim to safeguard investors and the marketplace by ensuring the provision of crucial cybersecurity information.
Registrants will need to disclose any material cybersecurity incident under the new Item 1.05 of Form 8-K, outlining the incident’s scope, nature, and timing, and its significant impact or probable significant impact on the registrant. In specific cases, disclosure may be postponed if immediate disclosure could significantly threaten national security or public safety.
The new rules also introduce Regulation S-K Item 106, obligating registrants to explain their procedures for evaluating, identifying, and managing cybersecurity threats and risks, including the oversight role of the board of directors and the role and expertise of management. Foreign private issuers must also provide equivalent disclosures via Form 6-K and Form 20-F.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”