The U.S. Securities and Exchange Commission (“SEC”) has adopted new cybersecurity disclosure rules to require current disclosure about material cybersecurity incidents and periodic disclosures of: (i) registrants’ processes to assess, identify, and manage material cybersecurity risks, (ii) management’s role in assessing and managing material cybersecurity risks, and (iii) the board of directors’ oversight of cybersecurity risks.
New 8-K Item 1.05
Form 8-K has been amended to include a new Item 1.05, which requires disclosure to the SEC if a registrant experiences a cybersecurity incident that is determined by the registrant to be material. The registrant will be required to describe the material aspects of the nature, scope, and timing of the incident and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.
The Item 1.05 8-K is required to be filed within four business days after the registrant concludes that the incident was material. The SEC’s adopting release noted that it will expect doubts about materiality to be resolved in favor of protecting investors. There is a provision to allow delayed reporting if the U.S. Attorney General concludes that disclosure would pose a substantial risk to national security or public safety.
SEC reporting companies (other than smaller reporting companies) will be required to make Item 1.05 disclosures beginning December 18, 2023, while smaller reporting companies will need to start complying on June 24, 2024. The same disclosure requirements apply to foreign private issuers on Form 6-K.
Additional Disclosure in Annual Reports
Beginning with the first annual report for a fiscal year ending on or after December 15, 2023, registrants will be required to report the following information required by new Item 1.06 of Regulation S-K:
- the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes;
- whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and, if so, how;
- a description of management’s role in assessing and managing the registrant’s material risks from cybersecurity threats; and
- a description of the board of directors’ oversight of risks from cybersecurity threats including, if applicable, identifying any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describing the processes by which the board or such committee is informed about such risks.
How We Can Help
Michael Best’s Privacy and Cybersecurity team can assist with identifying and assessing whether a cybersecurity incident has occurred and whether it is material, including a written description that needs to be included in the report. Thereafter, the Securities & Capital Markets team at Michael Best has attorneys who can guide companies through preparation and filing of the new current and periodic disclosure requirements with the SEC.