Securities and Exchange Commission (SEC) rules regarding cyber incident reporting and cybersecurity risk management, strategy, and governance officially went into effect this week for most public companies. The rules, first approved by the SEC in July, call for (1) real-time disclosure (96 hours) of cybersecurity incidents on Form 8-K or Form 6-K, as applicable, and (2) annual disclosure of an issuer's cybersecurity risk assessment processes and the respective roles of its board of directors and management in overseeing and managing cybersecurity threats.
Public companies that have less than $100 million in revenue or less than $250 million in public stock shares have until June 15, 2024 before they must begin filing incident reports. Additionally, if public companies believe that making such disclosures raises national security concerns, they may withhold the disclosure and coordinate with the FBI to discuss their concerns and analyze the implications before determining next steps.
With regard to incident reporting, some companies have started to make enhanced disclosures in the past few months. While it is hard to glean any common themes from these filings, it has been apparent that many companies have filed an initial 8-K and then followed up with subsequent filings once they learned more about the incident.
Companies should continue to establish and refine procedures that will make it easier for them to comply with these rules, such as:
- Draft internal guidance to help stakeholders both identify 8-K incidents and determine whether they meet the definition of materiality;
- Identify individuals who will be responsible and accountable for ensuring disclosures are made on a timely basis;
- Establish an escalation process to determine when Board members must be notified of cyber incidents;
- Update procedures for submission of end-of-year 10-Ks and 20-Fs to account for the new governance disclosures;
- Establish the appropriate level of cybersecurity governance on boards so they can provide oversight of cybersecurity programs, and ensure that CISOs have the resources to protect companies from external threats;
- Designate a qualified individual in senior management to be responsible for implementing and overseeing the company's cybersecurity program; and
- Provide appropriate training for the company's workforce.