The SEC adopts new rules


US-based government oversight agency SEC has adopted new rules on cybersecurity, strategy, governance, and incident disclosure by public companies

The Securities and Exchange Commission’s (SEC) new regulations oblige registrants to reveal the material cybersecurity incidents that they experience and, on an annual basis, to disclose details regarding their cybersecurity risk management, strategy, and governance.

The SEC also adopted similar rules addressed to foreign private issuers. According to a statement by an SEC official, the new regulations were imposed as a means to encourage transparency. The SEC representative further added that currently, public companies offer cybersecurity disclosure to investors.

However, he emphasised that the new rules, which aim to facilitate the disclosure of relevant cybersecurity information by companies, would be beneficial to investors, companies, and the interconnected markets.

More details about the new regulations

Alongside the new regulations, the SEC introduced Item 1.05 of Form 8-K for which the typical deadline for submission will be four business days after a registrant determines that a cybersecurity incident is material. The disclosure might be subject to delay if the United States Attorney General considers that immediate disclosure would present a significant threat to national security or public safety.

In these circumstances, the United States Attorney General has to notify the Commission of such determination in writing. The SEC has further introduced Regulation S-K Item 106, which reportedly requires registrants to describe the process they have undergone to assess, identify, and manage material risks caused by cybersecurity threats, as well as the material effects, or reasonably likely material effects, of risks from cybersecurity threats and previous cybersecurity incidents. Item 106 additionally requires registrants to describe the board of directors’ oversight of risks from cybersecurity threats as well as the management’s role and expertise in assessing and managing material risks from cybersecurity threats.

These disclosures will be mandatory in a registrant's annual report on Form 10-K. Comparable disclosures are mandated by the rules for foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.

Adoption timeline for the new rules

According to the official statement, the final rules are to be effective 30 days after the publication of the adoption release in the Federal Register.

The Form 10-K and Form 20-F disclosures will be due starting with annual reports for fiscal years ending on or after December 15, 2023. Moreover, the Form 8-K and Form 6-K disclosures will be due starting the later of 90 days after the date of publication in the Federal Register or December 18, 2023. As outlined in the announcement, smaller companies will be granted an additional 180 days before they must start providing the Form 8-K disclosure.

Regarding compliance with the structured data requirements, all registrants are required to tag the necessary disclosures under the final rules in Inline XBRL starting one year after the initial compliance with the relevant disclosure requirement.


Jul 28, 2023 09:15