{"id":2678,"date":"2023-07-27T11:58:35","date_gmt":"2023-07-27T15:58:35","guid":{"rendered":"https:\/\/seci.wpenginepowered.com\/?p=2678"},"modified":"2023-07-27T11:58:40","modified_gmt":"2023-07-27T15:58:40","slug":"sec-adopts-new-cybersecurity-rules","status":"publish","type":"post","link":"https:\/\/seciblog.pli.edu\/index.php\/sec-adopts-new-cybersecurity-rules\/","title":{"rendered":"SEC Adopts New Cybersecurity Rules"},"content":{"rendered":"

On July 26, 2023, the SEC adopted a Final Rule<\/a> significantly expanding cybersecurity disclosure requirements.\u00a0 The rule adds Item 1.05 to Form 8-K to disclose material cybersecurity incidents and new Item 106 to Regulation S-K to require annual disclosures about cybersecurity governance, risk management and strategy in Form 10-K.\u00a0 Similar changes have been made to Forms 20-F and 6-K for Foreign Private Issuers.<\/p>\n

The transition for the new Item 1.05 Form 8-K and related Form 6-K disclosures is the later of 90 days after the date of publication of the Final Rule in the Federal Register or December 18, 2023.\u00a0 Smaller reporting companies have an additional 180 days for the Form 8-K changes.<\/p>\n

The transition for the new annual report disclosures on Form 10-K and Form 20-F is for fiscal years ending on or after December 15, 2023.<\/p>\n

The new disclosures must be tagged with iXBRL beginning one year after the initial disclosure requirements.<\/p>\n

New Form 8-K Item 1.05 <\/u><\/strong><\/p>\n

Item 1.05 requires disclosure of a cybersecurity incident within four days of a company determining that a cybersecurity incident has occurred and is material.\u00a0 General Instruction B.1. to Form 8-K now states:<\/p>\n

A report pursuant to Item 1.05 is to be filed within four business days after the registrant determines that it has experienced a material cybersecurity incident.<\/p>\n

Disclosure on Form 8-K may be delayed if the \u201cUnited States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.\u201d\u00a0 In this case the U.S. Attorney general must notify the SEC in writing.<\/p>\n

The instructions to Form S-3 have been amended to add the Item 1.05 Form 8-K to the list of 8-Ks where late filing does not affect Form S-3 eligibility.<\/p>\n

The Instructions for the new Item are:<\/p>\n

Item 1.05 Material Cybersecurity Incidents. <\/strong><\/p>\n

(a) If the registrant experiences a cybersecurity incident that is determined by the registrant to be material, describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.<\/p>\n

The instructions also state:<\/p>\n

A registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant\u2019s response or remediation of the incident.<\/p>\n

Similar changes are made to Form 6-K.<\/p>\n

New Form 10-K Disclosures<\/u><\/strong><\/p>\n

Cybersecurity disclosures will be presented in new Item 1.C. in Part I of Form 10-K.\u00a0 The following has been added to the instructions to the Form:<\/p>\n

Part I
\n<\/strong>**** *
\nItem 1C. Cybersecurity.
\n<\/strong>(a) Furnish the information required by Item 106 of Regulation S-K (\u00a7 229.106 of this chapter).<\/p>\n

New S-K Item 106 defines various terms and requires disclosures in two main areas:<\/p>\n