Come December 2023, public companies will have a very narrow window to report cybersecurity incidents that materially affect their companies. Companies will also have to report annually how they assess and manage cybersecurity threats at the Board and management levels.
The Securities and Exchange Commission (SEC) voted on Wednesday, July 26, 2023, 3-2 along party lines, to adopt rules that require registrants to disclose on a new Item 1.05 of Form 8-K any “material” cybersecurity incidents, within four days after registrants determine any such incident to be material. Registrants must also disclose the nature, scope and timing of the incident, and its material or reasonably likely material impact on the registrant. Foreign private issuers must file Form 6-K to report material cybersecurity incidents.
The new four-day disclosure period may only be delayed if the United States Attorney General—not the registrant—believes that immediate disclosure would pose a substantial risk to national security or public safety.
In addition to ad hoc disclosures of material incidents, starting in December, public companies will now also have to include yearly information on their 10-K annual reports about the processes by which they assess, identify and manage material risks from cybersecurity threats. Registrants’ yearly disclosures must also include the material, or reasonably likely material, effects that cybersecurity threats and incidents pose for those registrants. In their 10-K filings, registrants must also describe their board’s oversight of risks from cybersecurity threats, and their management’s role and expertise in assessing and managing material risks from cyber threats. Foreign private issuers must file Form 20-F to report annually their cybersecurity risk governance and management.
The SEC touted the rules as beneficial for investors, companies and the market. Not everyone agrees. Business leaders and cybersecurity professionals alike are sounding the alarm over the four-day mandatory public disclosure period. Disclosure to the SEC within four days of determining “materiality” of a breach could tip off bad actors to vulnerable systems before those companies have the chance to fully address or patch the vulnerabilities. Worse yet, public disclosure to a bad actor otherwise unaware that it has been exposed may prompt the bad actor to take further catastrophic action to damage or destroy the company’s systems.
While we wait to see whether the rules will bring about these doomsday scenarios, here are the deadlines that public companies must watch out for:
Form 10-K and 20-F annual disclosures will be due beginning with the companies’ annual reports for fiscal years ending on or after December 15, 2023.
Form 8-K and 6-K disclosures will be due beginning the later of 90 days after the date of publication of the SEC’s adopting release in the Federal Register, or December 18, 2023.
