New rules cover disclosure of cybersecurity incidents, and of cybersecurity risk management, strategy and governance, by public companies
On July 26, 2023, the Securities and Exchange Commission (SEC) adopted the cybersecurity disclosure rules it had proposed in March 2022 to provide transparency and protection to investors. The new rules become effective 30 days after publication of the adopting release in the Federal Register. They require public companies to disclose material cybersecurity incidents within four business days of determining that an incident is material, and to report annually on cybersecurity risk management, strategy and governance.
Understanding the New Cybersecurity Disclosure Requirements
Beginning the later of 90 days after publication in the Federal Register or December 18, 2023, companies will be required to disclose material cybersecurity incidents under new Item 1.05 of Form 8-K, describing the material aspects of the incident’s nature, scope and timing, and its material impact or reasonably likely material impact on the company, including its financial condition and results of operations. The Form 8-K is due four business days after the company determines that an incident is material; the clock runs from the materiality determination, not from discovery of the incident, and the rules require that determination to be made without unreasonable delay. Disclosure may be delayed if the U.S. Attorney General determines that disclosure would pose a substantial risk to national security or public safety and notifies the Commission of that determination in writing. Smaller reporting companies have an additional 180 days before they must begin providing Item 1.05 disclosures on Form 8-K.
Companies will use new Regulation S-K Item 106 in Form 10-K to disclose annually their processes for assessing, identifying and managing material risks from cybersecurity threats, and whether any risks from cybersecurity threats, including previous incidents, have materially affected or are reasonably likely to materially affect the company. According to the SEC, this disclosure must also describe “the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.” Item 106 disclosures in Form 10-K are due with annual reports for fiscal years ending on or after December 15, 2023.
All companies must tag the disclosures required by the final rules in Inline XBRL beginning one year after their initial compliance with the related disclosure requirement.
Foreign Private Issuers Have Similar Disclosure Requirements
- Material cybersecurity incidents must be reported on Form 6-K, beginning the later of 90 days after publication in the Federal Register or December 18, 2023.
- Cybersecurity risk management, strategy and governance must be reported on Form 20-F with annual reports for fiscal years ending on or after December 15, 2023.
Potential Impact on a Company’s Current Internal Controls
Changes to any of the “big three” – people, process and technology – require a company to consider the impact on its internal controls. One of the largest potential impacts is on Principle 7 of the Committee of Sponsoring Organizations (COSO) Internal Control – Integrated Framework, “Identifies and Analyzes Risks”: how an organization brings the full universe of its own cyber risks into that analysis, and how it then enacts a plan to manage and address those risks.
The other significant change is in the process and procedures a company establishes for the identification and escalation of incidents. We anticipate that the first step will be broad-based training so that employees recognize a potential incident and raise their hand promptly. The next is a concise policy for reporting the incident to a committee (such as a disclosure committee) that can meet on an ad hoc basis and reach a materiality determination without unreasonable delay, since the four-business-day filing window starts from that determination.
How We Can Help
Cherry Bekaert’s Information Assurance & Cybersecurity practice can provide guidance as you navigate these disclosure requirements. We help you gain a clear understanding of what the new rules are, what they mean for you and how you can achieve full compliance while also protecting your company.
Our professionals understand your business and the risks you are facing. Contact us today to learn more about how we can help safeguard your business from cyber incidents.