New SEC Cybersecurity Rules Are Here: What Should Companies Be Doing to Comply?

SEC Cybersecurity Rule Fact Sheet

What Is the New Rule?

In late July 2023, the SEC adopted new rules that will require publicly traded companies to:

  1. disclose cybersecurity incidents within four business days of determining the incident is material; and
  2. annually disclose information regarding cybersecurity risk management, strategy, and governance.

How Is This Different From the Previous Rules?

The rules expand on the SEC’s previously issued interpretive guidance from 2011 and 2018, in which the SEC expressed its view that existing disclosure obligations apply to cybersecurity risks and incidents. In the press release accompanying the SEC’s adoption of the new rules, SEC Chair Gary Gensler indicated that the purpose of the new rules is to provide transparency around companies’ cybersecurity measures. Gensler said that disclosures should be made “in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

What Are the New Disclosure Requirements?

Form 8-K – Cybersecurity Incident Disclosure: The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material, within four business days after determining the incident is material.

  • Compliance Deadline: Registrants must begin complying with this incident disclosure requirement starting on December 18, 2023. Smaller reporting companies will have until June 15, 2024 — an additional 180 days — before they must begin filing the new Form 8-K disclosure.

Form 10-K – Cybersecurity Governance Disclosure: The new rules will also require registrants to describe annually on Form 10-K their processes for assessing, identifying, and managing material risks from cybersecurity threats and previous cybersecurity incidents, as well as the board of directors’ oversight of cybersecurity risk and management’s role in assessing and managing material risks from cybersecurity threats.

  • Compliance Deadline: The new Form 10-K disclosures will be required beginning with annual reports for fiscal years ending on or after December 15, 2023. Therefore, calendar-year companies must comply with the new rules in their annual reports for the fiscal year ended December 31, 2023, to be filed in the first quarter of 2024. All companies, including smaller reporting companies and emerging growth companies, must begin complying at this time.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Arnall Golden Gregory LLP | Attorney Advertising

Written by:

Arnall Golden Gregory LLP