SEC tightens cyber disclosure timing
- The SEC's cybersecurity disclosure rules require faster breach reporting and stronger disclosure of cyber-risk governance.
- Security leaders must now align timing, materiality and governance expectations with these disclosure obligations.
- Boards and audit committees need disclosure-ready cyber processes to meet the rules and reduce enforcement risk. (scworld.com)
Public companies now face a four-business-day clock to report a material cyber incident after deciding it is material. (sec.gov) The Securities and Exchange Commission adopted the rule on July 26, 2023, and the incident-reporting requirement took effect for most registrants on December 18, 2023. Smaller reporting companies got an extra 180 days, pushing their compliance date to June 15, 2024. (sec.gov)

The filing goes on Form 8-K under Item 1.05 and must describe the material aspects of the incident's nature, scope and timing, plus the material impact or reasonably likely material impact on the company's finances and operations. Foreign private issuers face parallel requirements on Form 6-K and Form 20-F. (sec.gov)

The rule also added Item 106 to Regulation S-K, which requires annual disclosures in Form 10-K about a company's processes for assessing and managing cyber risk, whether those risks have materially affected strategy or results, and how management and the board oversee the issue. The final version dropped a proposed requirement to name directors with cybersecurity expertise. (ecfr.gov)

The timing fight is not about when a hack starts. It is about when the company determines the incident is material, a securities-law threshold tied to what a reasonable investor would consider important. (sec.gov)

That distinction has produced new SEC guidance. On May 21, 2024, Erik Gerding, then director of the Division of Corporation Finance, said companies that disclose an incident before reaching a materiality decision should usually use another Form 8-K item, such as Item 8.01, rather than Item 1.05. (sec.gov) On June 24, 2024, SEC staff added five more Compliance and Disclosure Interpretations focused on ransomware scenarios, including how a ransom payment, business interruption and insurance recovery can affect the materiality analysis. The guidance did not create a safe harbor from making that judgment quickly. (mofo.com)

Companies can delay public disclosure only in a narrow case: if the U.S. attorney general notifies the SEC in writing that immediate disclosure would pose a substantial risk to national security or public safety. The SEC said that exception was added after comments warning that automatic early disclosure could aid threat actors or disrupt law enforcement. (sec.gov)

The rule sits on top of earlier SEC guidance from 2011 and 2018, but it replaced a looser, principles-based approach with set forms, deadlines and line items. That has pushed breach response, legal review, investor relations and board reporting onto the same timetable. (sec.gov)

For boards and audit committees, the practical question is no longer whether cyber risk belongs in securities filings. It is whether the company can decide materiality, draft a disclosure and document oversight before the four-day clock runs out. (sec.gov)