SEC Issues New Cybersecurity Rule, In Effect For December 31st Year End Companies

On July 26, 2023, the Securities and Exchange Commission issued the Final Rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (the “Cybersecurity Rule”). The Cybersecurity Rule requires public companies to disclose both material cybersecurity incidents they experience and, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance.

Companies are just starting to file their Form 10-Ks with their cybersecurity disclosures set forth in new Item 1(c) pursuant to new Regulation SK, Item 106.

New Regulation S-K Item 106 requires registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant. Item 106 also requires registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. (Emphasis mine.)

Foreign private issuers have similar disclosure obligations in new Item 16K of the Form 20-F.

Note that companies are enhancing their cybersecurity Risk Factors along with this new disclosure.

With respect to the annual Form 10-K and Form 20-F cybersecurity disclosures, all registrants (including Smaller Reporting Companies) must provide such disclosures beginning with their annual reports for fiscal years ending on or after December 15, 2023.

The disclosures being filed now touch on the following subjects:

  • Which entities within the company address cybersecurity risk (i.e., the senior management person who heads up the process; the Board of Directors; the Audit Committee, etc.).
  • Whether the company has a cybersecurity risk management policy approved by the Board of Directors (SRFC should be drafting such policies for clients);
  • What the cybersecurity risk management policy covers;
  • How often cybersecurity threats are assessed;
  • How the company manages the risks (e.g., end-user training, layered defenses, identifying and protecting critical assets, strengthening monitoring and alerting, and engaging experts).

See the Final Cybersecurity Rule here:

See the SEC Fact Sheet here:

See the SEC Small Entity Compliance Guide here: