The new SEC deadlines related to cybersecurity disclosures are rapidly approaching. These requirements will affect public companies across all industries and relate to:
- Cybersecurity Risk Management
- Strategy
- Governance
- Incident Disclosures
Here are 5 things you need to know ahead of these deadlines:
1 | Cybersecurity
Public companies (and foreign private issuers) are required to disclose any material cybersecurity incident and describe the material aspects of the incident’s nature, scope, and timing, along with its material impact or likely material impact on the company. The disclosure is made on Form 8-K, which must be filed within four business days after the company has determined that a material incident has occurred.
2 | Form 10-K
The rules also add a new requirement in Form 10-K: companies must describe their processes (if any) for the assessment, identification, and management of material risks from cybersecurity threats, and whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the entity’s strategy, operating results, or financial condition.
3 | Risk Oversight
The Board’s oversight of risks from cybersecurity must be disclosed along with a description of management’s role and expertise in assessing and managing material risks from cybersecurity threats.
You Should Know
These disclosures are also required in the Form 10-K.
4 | Deadlines
The 8-K requirement is effective as of December 18, 2023, while the Form 10-K requirements are effective for fiscal years ending on or after December 15, 2023.
5 | Cross-Functionality
These requirements will involve a cross-functional team in a company (Legal, IT, Internal Audit, Risk Management, Finance and Accounting, Board of Directors).