SEC cyber disclosure

- U.S. regulators now require public companies to report material cyber incidents promptly and disclose cyber‑risk governance.
- The new SEC cybersecurity‑disclosure rules demand faster reporting and fuller board oversight details for listed firms.
- Firms must upgrade incident classification, logging, escalation and audit trails to support investor disclosure (scworld.com).

Public companies now have to tell investors about material cyber incidents on a tight federal clock, and explain who inside the company is in charge of cyber risk. (sec.gov) The Securities and Exchange Commission adopted the rules on July 26, 2023. For most issuers, the incident-reporting requirement began with cyber incidents occurring on or after December 18, 2023; smaller reporting companies got until June 15, 2024. (sec.gov) (federalregister.gov)

A company that decides an incident is material generally has four business days to file a Form 8-K under Item 1.05. The filing must describe the incident's nature, scope, and timing, plus its material impact or reasonably likely impact. (sec.gov 1) (sec.gov 2) The deadline starts after the company determines materiality, not when it first detects the intrusion. The rule says that determination must be made "without unreasonable delay," using the same investor-focused materiality standard that applies in other securities disclosures. (sec.gov)

The annual-report side of the rule reaches further than breach notices. Regulation S-K Item 106 requires companies to describe how they assess, identify, and manage material cyber risk, what effects those risks have had or are reasonably likely to have, and how the board and management oversee the issue. (sec.gov 1) (sec.gov 2) Those annual disclosures started with Form 10-K reports for fiscal years ending on or after December 15, 2023. Foreign private issuers face parallel requirements on Form 6-K for incidents and Form 20-F for annual governance and risk disclosures. (federalregister.gov) (sec.gov)

The final rule dropped one idea from the 2022 proposal: companies do not have to name a board "cyber expert." The Commission instead settled on disclosure about board oversight and management's role and expertise. (sec.gov 1) (sec.gov 2)

The Commission also built in a narrow delay for national security or public safety. If the U.S. attorney general notifies the SEC in writing that immediate disclosure would create a substantial risk, the filing can be postponed for a limited period. (sec.gov) (sec.gov)

In May 2024, Erik Gerding, then director of the SEC's Division of Corporation Finance, told companies not to use Item 1.05 for incidents that are still being assessed or that they consider immaterial. He said those updates can go under another Form 8-K item, such as Item 8.01, and a company should switch to Item 1.05 within four business days if it later decides the incident is material. (sec.gov)

For legal, finance, and security teams, the practical burden sits between the hack and the filing. Companies need logs, escalation rules, and audit trails that can show when an incident was discovered, who assessed it, when it became material, and how that judgment was reached. (sec.gov) (sec.gov)

The rule did not turn every cyber event into an automatic securities filing. It turned the material ones into a disclosure question with a deadline, and it put boards, executives, and incident-response records inside that answer. (sec.gov) (sec.gov)
