SEC Imposes New Cybersecurity Disclosure Requirements

Overview

At an Open Meeting on July 26, 2023, the US Securities and Exchange Commission (SEC) adopted final rules and amendments that impose new cybersecurity-related disclosure requirements for public companies subject to the Securities and Exchange Act of 1934’s reporting requirements. The new rules require domestic registrants to disclose material cybersecurity incidents within four business days of determining that an incident is material and to periodically disclose information regarding the company’s cybersecurity risk management, strategy and governance. The SEC also adopted rules requiring foreign private issuers to make comparable disclosures.

The rules reflect the SEC’s growing concern over an increase in cybersecurity threats and existing inconsistent disclosure requirements and are intended to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incidents. In a statement announcing the rules’ adoption, SEC Chair Gary Gensler emphasized the importance of cybersecurity disclosure to investors being “more consistent, comparable, and decision-useful.”

In Depth

DISCLOSING MATERIAL CYBERSECURITY INCIDENTS ON NEW ITEM 1.05 ON FORM 8-K

The new rules will require registrants to disclose any cybersecurity incident they determine to be material on Form 8-K’s new Item 1.05. They will also need to describe the material aspects of the incident’s nature, scope, and timing and its material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations. Registrants must determine the materiality of an incident without unreasonable delay following discovery and, if the incident is determined material, file an Item 1.05 Form 8-K generally within four business days after such determination. The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing. The rules require comparable disclosures by foreign private issuers on Form 6-K.

DISCLOSING CYBERSECURITY RISK MANAGEMENT, STRATEGY AND GOVERNANCE IN ANNUAL REPORTS

The new rules also add Regulation S-K Item 106, which will require registrants to describe:

  • Their processes (if any) for assessing, identifying and managing material risks from cybersecurity threats.
  • The material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.
  • The Board of Directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.

These disclosures will be required in a registrant’s annual report on Form 10-K. The rules require comparable disclosures by foreign private issuers on Form 20-F.

IMPLEMENTATION

The final rules will take effect 30 days following publication of the adopting release in the Federal Register. All registrants must tag the disclosures in Inline Extensible Business Reporting Language (Inline XBRL) beginning one year after initial compliance with the related disclosure requirement. Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. Form 8-K and Form 6-K disclosures will be due beginning 90 days after the date of publication in the Federal Register or December 18, 2023, whichever is later. Smaller reporting companies will have an additional 180 days and must begin complying with Form 8-K Item 1.05 on the later of 270 days from the effective date of the rules or June 15, 2024.

***

Staying on top of the ever-evolving legal landscape can be challenging. Creating an effective, comprehensive program for your organization requires a thorough understanding of relevant legal obligations, especially those subject to new SEC regulations that impact your cybersecurity programs. Our Global Privacy & Cybersecurity and Corporate & Transactional teams can help you navigate the various compliance requirements affecting your business, ensuring you remain secure and compliant.

If you have questions or need assistance, please contact your regular McDermott lawyer.

Heidi Hutchins and Morgan King, summer associates in the Washington, DC, office, also contributed to this article.