Last July, the Securities and Exchange Commission adopted new cybersecurity rules placing disclosure requirements on registrants. The new regulations include obligations to disclose both cybersecurity incidents and policies for risk management, security strategy, and governance. Disclosures must be filed in Interactive Data File format so that the data can be easily visualized and used to guide investor decision-making. Both domestic and foreign companies must file similar disclosures.
The new rules are now in effect and apply to incident reports filed on or after December 18, 2023 and to annual reports for fiscal years ending on or after December 15, 2023. If you're an SEC registrant or a contractor for a covered company, here's what you need to know about the new cybersecurity disclosure requirements to stay compliant.
Impact:
The new SEC cybersecurity disclosure requirements significantly enhance transparency and investor confidence by mandating detailed reporting on cybersecurity incidents, risk management, strategy, and governance. Companies must now integrate cybersecurity into their overall risk management frameworks and ensure active oversight by their boards and management teams.
These regulations emphasize the importance of rapid incident detection, response, and communication, pushing companies to adopt more rigorous cybersecurity practices. Compliance can be challenging, especially for smaller firms, but solutions like Cobalt's Offensive Security services can help by proactively identifying and addressing vulnerabilities.
In essence, the new rules drive companies to strengthen their cybersecurity measures, protect their assets, and build greater trust with investors, ultimately enhancing their market reputation and valuation.
1. Cybersecurity Incident Disclosure: Form 8-K Item 1.05
The new SEC cybersecurity rules add cybersecurity incident disclosure requirements to Form 8-K. Form 8-K filings notify the SEC and investors of events that may affect shareholders. The updated regulations introduce Item 1.05 for the disclosure of material cybersecurity incidents.
Disclosure Requirements
Item 1.05 requires companies to disclose material cybersecurity incidents to the SEC within four business days of determining their materiality. Disclosures must describe the nature, scope, and timing of the incident and its impact on the registrant, including financial condition and operations.
Defining Material Cybersecurity Incidents
Incidents count as "material" when their disclosure would be highly likely to influence a reasonable stockholder's investment decision, or when it would have substantially altered the total mix of available information. Doubts about materiality should be resolved in the interest of investors.
Interactive Data File Format Requirements
Registrants must provide disclosure information in an Interactive Data File, a format that displays data visually, per Rule 405 of Regulation S-T and the EDGAR Filer Manual.
Disclosure Delay Provisions
Disclosures must be made without unreasonable delay after an incident is discovered. However, the rules provide for exceptions.
When the Attorney General notifies the SEC that disclosure of an incident would risk national security or public safety, public disclosure may be delayed by up to 30 days, and longer in some cases. Such determinations must be communicated by the Attorney General to the SEC in writing.
In cases where the Electronic Code of Federal Regulations (eCFR) requires telecommunications companies to delay disclosure until they have consulted law enforcement, the SEC must still be notified at the time of the incident, and disclosure may be delayed no more than seven days after those delay provisions expire.
When required information is not available at the time of filing, registrants must indicate this in writing. When the information becomes available, an amendment must be filed within four business days.
Technical Details Not Required
Registrants don't need to disclose detailed or technical information about their response to cybersecurity incidents or about vulnerabilities in their systems. Disclosures need not be so specific that they impede the registrant's response to or remediation of the incident.
2. Risk Management, Strategy, and Governance Disclosure: Regulation S-K Item 106
The new rules add disclosure requirements for risk management, security strategy, and governance to Regulation S-K. Regulation S-K prescribes how SEC registrants must disclose material qualitative descriptors of their companies on filings such as registration statements and periodic reports. The regulation now includes Item 106 addressing cybersecurity disclosures. Registrants must submit information in an Interactive Data File per Rule 405 of Regulation S-T and the EDGAR Filer Manual.
Item 106 includes disclosure requirements for two areas:
- Risk management and strategy
- Governance
Risk Management and Strategy
With respect to risk management and strategy, registrants must describe their processes for assessing, identifying, and managing material risks. Descriptions must be detailed enough so investors can understand them. Disclosures should cover:
- Whether and how cybersecurity processes have been integrated into the registrant's overall risk management system or processes
- Whether registrants engage third parties in connection with such processes, such as assessors, consultants, or auditors
- Whether registrants have processes to oversee and identify risks stemming from third-party providers
Registrants also must describe whether and how any cybersecurity risks, including results from previous incidents, have materially affected or are likely to affect their organization. This includes effects on business strategy, results of operations, or financial condition.
Governance
Under Item 106's governance requirements, registrants must describe their board of directors' oversight of cybersecurity risks. This includes identifying the responsible members and describing the processes by which they are informed.
Registrants also must describe management's role in assessing and managing material risks from cybersecurity threats. This disclosure should cover whether management personnel are responsible for risk management, their expertise, the processes used, and whether they report risks to the board of directors.
3. Foreign Private Issuer Disclosure Requirements: Form 6-K, Form 20-F
The new regulations include parallel requirements for foreign private issuers. Cybersecurity incident disclosure requirements have been added to Form 6-K, while risk management, strategy, and governance requirements have been added to Form 20-F.
Form 6-K
Form 6-K furnishes the SEC with information that foreign registrants make public outside the United States. The form now requires registrants to include information about material cybersecurity incidents.
Form 20-F
Form 20-F provides the SEC with annual reporting from all foreign private issuers whose securities trade in the U.S. The form now includes risk management, strategy, and governance requirements similar to those of Regulation S-K Item 106.
Registrants must describe their processes for assessing, identifying, and managing material risks. They must disclose whether and how any cybersecurity risks, including results from previous incidents, have materially affected or are likely to affect their organization.
Additionally, registrants must describe their board of directors' oversight of cybersecurity risks. Finally, they must disclose management's role in assessing and managing material risks from cybersecurity threats.
Rule Enactment Timeline
The SEC published its new rule in the Federal Register on August 4, 2023, and the updates went into effect 30 days later, on September 5.
With the new regulations in effect:
- Form 10-K and Form 20-F disclosures became due beginning with annual reports for fiscal years ending on or after December 15, 2023.
- Form 8-K and Form 6-K disclosures became due beginning December 18, 2023.
- Smaller reporting companies had an additional 180 days before they had to begin providing the Form 8-K disclosure.
To meet structured data requirements, all registrants must tag disclosures in Inline XBRL beginning one year after initial compliance with related disclosure requirements.
Prevent Cybersecurity Incidents with Cobalt Offensive Security
Under the new SEC cybersecurity regulations, proactive security measures can help companies meet disclosure requirements and reduce incident reporting paperwork. Disclosing strong cybersecurity policies also improves investor relations by assuring stakeholders their investments are being protected.
Cobalt offers a variety of Offensive Security solutions ranging from penetration testing via a Pentest as a Service (PtaaS) platform to red teaming, secure code review, and more to help companies achieve compliance and protect their brand by identifying vulnerabilities before costly breaches occur.
The Cobalt Platform and its community of experienced security experts empower you to identify risks faster and scale your offensive security across your entire attack surface. Using our innovative pentesting approach, you can identify risks 2.6 times faster and remediate incidents 1.5 times faster than with traditional approaches. Tapping into our diverse pool of experts allows you to scale up your cybersecurity strategy without expanding your workforce.
Reassure your investors and reduce your SEC reporting workload by using our PtaaS services to strengthen your cybersecurity strategy. Connect with our team to get a demo and get started.