Skip to main content
Home Insights Tech Talk SEC’s New Cyber Incident Disclosure Requirements Will Go Into Effect in December
  • Data Privacy & Security
  • July 27, 2023

SEC’s New Cyber Incident Disclosure Requirements Will Go Into Effect in December

Kelly Ruane Melchiondo

Photo illustrating a cyber attackCome December 2023, public companies will have a very narrow window to report cybersecurity incidents that materially affect their companies. Companies will also have to report annually how they assess and manage cybersecurity threats at the Board and management levels. 

The Securities and Exchange Commission (SEC) voted on Wednesday, July 26, 2023, 3-2 along party lines, to adopt rules that require registrants to disclose on a new Item 1.05 of Form 8-K any “material” cybersecurity incidents, within four days after registrants determine any such incident to be material. Registrants must also disclose the nature, scope and timing of the incident, and its material or reasonably likely material impact on the registrant. Foreign private issuers must file Form 6-K to report material cybersecurity incidents.

The new four-day disclosure period may only be delayed if the United States Attorney General—not the registrant—believes that immediate disclosure would pose a substantial risk to national security or public safety. 

In addition to ad hoc disclosures of material incidents, starting in December, public companies will now also have to include yearly information on their 10-K annual reports about the processes by which they assess, identify and manage material risks from cybersecurity threats. Registrants’ yearly disclosures must also include the material, or reasonably likely material, effects that cybersecurity threats and incidents pose for those registrants. In their 10-K filings, registrants must also describe their board’s oversight of risks from cybersecurity threats, and their management’s role and expertise in assessing and managing material risks from cyber threats. Foreign private issuers must file Form 20-F to report annually their cybersecurity risk governance and management. 

The SEC touted the rules as beneficial for investors, companies and the market. Not everyone agrees. Business leaders and cybersecurity professionals alike are sounding the alarm over the four-day mandatory public disclosure period. Disclosure to the SEC within four days of determining “materiality” of a breach could tip off bad actors to vulnerable systems before those companies have the chance to fully address or patch the vulnerabilities. Worse yet, public disclosure to a bad actor otherwise unaware that it has been exposed may prompt the bad actor to take further catastrophic action to damage or destroy the company’s systems. 

While we wait to see whether the rules will bring about these doomsday scenarios, here are the deadlines that public companies must watch out for:

Form 10-K and 20-F annual disclosures will be due beginning with the companies’ annual reports for fiscal years ending on or after December 15, 2023. 

Form 8-K and 6-K disclosures will be due beginning the later of 90 days after the date of publication of the SEC’s adopting release in the Federal Register, or December 18, 2023. 

To download a PDF copy of the blog, click here.

Related Practices
Data Privacy & Security
YOU MIGHT ALSO LIKE
Speaking Engagement March 20, 2025
Concierge Healthcare for Global Families
Alex Denault serves as a speaker for the STEP Miami webinar entitled “Concierge Healthcare for Global Families,” where he discusses the legal and tax issues for global families in planning for their healthcare needs.
News March, 17, 2025
Bilzin Sumberg and United Way Dedicate Day of Service to Children’s Home Societ...
On March 8, in connection with its Bilzin Sumberg Cares community involvement program, Bilzin Sumberg partnered with United Way Miami to support the Children’s Home Society of Florida (CHS) in the enhancement and beautification of its affiliated facility in South Miami.
Development Conference May 15, 2025
6th Annual Bilzin Sumberg Development Conference
The exclusive conference will highlight emerging real estate investment and development trends in South Florida. This year’s panels will delve into the rapidly evolving landscape of condominium redevelopment, critical considerations for mitigating environmental risk in new developments, expand...
VIEW MORE