In July 2023, the U.S. Securities and Exchange Commission (SEC) adopted final rules requiring that public companies report material cybersecurity incidents under new Item 1.05 of Form 8-K, and disclose information regarding their cybersecurity risk management, strategy, and governance in annual reports on Form 10-K. Foreign private issuers are subject to similar disclosure requirements in Forms 6-K and 20-F. Although the final rules became effective this past September, the SEC provided transition periods for compliance with the new disclosure requirements, and those transition periods will end soon.
Material Cybersecurity Incident Reporting. Companies (other than smaller reporting companies) will be required to comply with the incident disclosure requirements in Item 1.05 of Form 8-K and in Form 6-K starting on December 18, 2023. Smaller reporting companies will have an additional 180 days to comply, and thus must begin complying with the incident disclosure requirements on June 15, 2024. All companies will need to begin tagging these disclosures in Inline XBRL starting on December 18, 2024.
As a reminder, subject to limited exceptions, companies will be required to disclose information relating to a cybersecurity incident within four business days after the company determines that the incident is material, which determination must be made without unreasonable delay following discovery of the incident. For more information on these disclosure requirements, please see our Client Alert.
Cybersecurity Risk Management, Strategy, and Governance. Companies (including smaller reporting companies) will be required to provide the cybersecurity risk management, strategy, and governance disclosures in annual reports for fiscal years ending on or after December 15, 2023. For calendar-year companies, these disclosures will be required in their upcoming annual reports for the fiscal year ending December 31, 2023. Companies will need to begin tagging these disclosures in Inline XBRL beginning with annual reports for fiscal years ending on or after December 15, 2024.
As a reminder, companies will be required to disclose information regarding their processes to assess, identify, and manage material risks from cybersecurity threats, whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the company (and, if so, how), the board of directors’ oversight of risks from cybersecurity threats, and management’s role in assessing and managing the company’s material risks from cybersecurity threats. For more information on these disclosure requirements, please see our Client Alert referenced above.