The Securities and Exchange Commission (SEC) rules requiring registrants to disclose material cybersecurity incidents are now in effect. Here are a few highlights of the new disclosure requirements that your organization, including Board members, needs to know:
1. Incident Reporting: The SEC now requires organizations to disclose cybersecurity incidents that are material, even if they have not yet been fully investigated. This is a significant shift from the previous approach, under which organizations often waited until investigations were complete before making disclosures. Specifically, a Form 8-K or 6-K filing:
- Generally must be completed within four business days after the organization determines that a cybersecurity incident is material.
- Includes the nature of the incident, its impact, the steps the company has taken to address it, and the organization's policies and procedures for managing its cybersecurity posture.
- Does not require the organization to disclose specific or technical information about its planned response.
- These new reporting requirements begin December 18, 2023, for most public companies and June 15, 2024, for smaller reporting companies.
2. Periodic Reporting: Disclosures by Form 10-K filers (U.S. domestic public companies) and Form 20-F filers (foreign private issuers) will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. These forms require the organization to disclose its processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats. They must:
- Provide sufficient detail for a reasonable investor to understand those processes.
- Describe situations where any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the organization, including its business strategy, results of operations, or financial condition.
- Identify the board of directors, committee, or subcommittee responsible for oversight of risks from cybersecurity threats, and describe the processes by which the board or committee is informed of those risks.
- Define management's role in assessing and managing the organization's material risks from cybersecurity threats.
3. Materiality: Under the new rules, organizations must assess the materiality of cybersecurity risks and incidents. The concept of materiality is fundamental in accounting and auditing standards, and SEC rules address it as well. Information is material when there is a substantial likelihood that a reasonable investor would attach importance to it in determining whether to purchase the registered security.
What does this mean for my organization?
We can help
The Elliott Davis Cybersecurity team can help! We work with organizations to develop cyber and data risk management strategies, as well as provide assessments to help organizations thwart cyber-criminals and adhere to regulatory requirements. Contact a team member today.
The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.