SEC’s New Cyber Incident Disclosure Requirements Will Go Into Effect in December

Kelly Ruane Melchiondo

Come December 2023, public companies will have a very narrow window to report cybersecurity incidents that materially affect their companies. Companies will also have to report annually how they assess and manage cybersecurity threats at the Board and management levels.

The Securities and Exchange Commission (SEC) voted on Wednesday, July 26, 2023, 3-2 along party lines, to adopt rules that require registrants to disclose on a new Item 1.05 of Form 8-K any “material” cybersecurity incidents, within four days after registrants determine any such incident to be material. Registrants must also disclose the nature, scope and timing of the incident, and its material or reasonably likely material impact on the registrant. Foreign private issuers must file Form 6-K to report material cybersecurity incidents.

The new four-day disclosure period may only be delayed if the United States Attorney General—not the registrant—believes that immediate disclosure would pose a substantial risk to national security or public safety. 

In addition to ad hoc disclosures of material incidents, starting in December, public companies will also have to include yearly information in their 10-K annual reports about the processes by which they assess, identify and manage material risks from cybersecurity threats. Registrants’ yearly disclosures must also include the material, or reasonably likely material, effects that cybersecurity threats and incidents pose for those registrants. In their 10-K filings, registrants must also describe their board’s oversight of risks from cybersecurity threats, and their management’s role and expertise in assessing and managing material risks from cyber threats. Foreign private issuers must file Form 20-F to report annually their cybersecurity risk governance and management.

The SEC touted the rules as beneficial for investors, companies and the market. Not everyone agrees. Business leaders and cybersecurity professionals alike are sounding the alarm over the four-day mandatory public disclosure period. Disclosure to the SEC within four days of determining “materiality” of a breach could tip off bad actors to vulnerable systems before those companies have the chance to fully address or patch the vulnerabilities. Worse yet, public disclosure to a bad actor otherwise unaware that it has been exposed may prompt the bad actor to take further catastrophic action to damage or destroy the company’s systems. 

While we wait to see whether the rules will bring about these doomsday scenarios, here are the deadlines that public companies must watch out for:

Form 10-K and 20-F annual disclosures will be due beginning with the companies’ annual reports for fiscal years ending on or after December 15, 2023. 

Form 8-K and 6-K disclosures will be due beginning the later of 90 days after the date of publication of the SEC’s adopting release in the Federal Register, or December 18, 2023. 
