SEC Cybersecurity Rule: A Closer Look


New SEC rules released on July 26, 2023, require publicly listed companies to disclose material cybersecurity incidents they experience, and the material information regarding their cybersecurity risk management, strategy and governance annually. The new disclosure requirements take effect starting on or after December 15, 2023. The SEC’s objective is to standardize cybersecurity risk reporting to enable investor confidence and enhance executive/board level oversight of the cyber risk management function.

Cybersecurity Incident Disclosures

Material cybersecurity incidents must be disclosed within four business days of the date on which materiality was determined.

Cybersecurity Risk Management, Strategy & Governance Disclosures

These periodic disclosures outline the company’s methodologies for evaluating, identifying and mitigating cybersecurity risks.

Included in Disclosure(s)

  • Description of incident’s material financial, operational or other impact
  • Description of incident’s nature, scope and timing
  • Description of any missing requirements in the event that information is not yet available for disclosure
  • Description of processes for evaluating, recognizing and mitigating significant risks
  • Description of how these processes have been integrated into a risk management framework
  • Details of realized risks arising from prior material cybersecurity incidents, including impacts
  • Description of processes for the cybersecurity program’s engagement with third-party consultants and auditors
  • Description of management’s role and the board’s oversight of cybersecurity risk

Key Challenges

  • Understanding the definitions of cybersecurity incident and materiality
  • Timely filing of SEC 8-K Cyber Incident Disclosures

Actions to Prepare and Comply

  • Establish cyber risk quantification capability to support materiality assessments
  • Conduct sample materiality assessments for mock incidents (e.g., a tabletop exercise)
  • Review disclosure controls and procedures
  • Conduct an internal SEC readiness assessment

Overview

New SEC rules released on July 26, 2023, require publicly listed companies to disclose material cybersecurity incidents they experience, and provide material information regarding their cybersecurity risk management, strategy and governance annually.

All publicly listed companies are required to disclose details regarding a material cybersecurity incident by filing Form 8-K within four business days of determining its materiality. This disclosure deadline may be extended by 30-60 days, but only where the U.S. Attorney General determines that such disclosure could pose a substantial risk to national security or public safety.

Entities must outline their methodologies for evaluating, identifying and mitigating cybersecurity risks, including insights into the board’s supervision and the involvement of management. The new disclosure requirements take effect starting on or after December 15, 2023. Smaller Reporting Companies (SRCs) must comply by June 15, 2024. The SEC’s objective is to standardize cybersecurity risk reporting to enable investor confidence and enhance executive/board level oversight of the cyber risk management function.

Sal Ansari

Managing Director, Cyber Risk Advisory

Coles Cotter

Legal Intern