Checklist: How to Comply With the New SEC Cybersecurity Disclosure Requirements

July 31, 2023

The SEC has finalized rules requiring public companies to disclose information about cybersecurity incidents, risk management, strategy, and governance. See below for a brief summary of the new disclosure obligations, where each must be disclosed, and the applicable compliance dates, to be considered and addressed as part of an already thorough disclosure review and form check process.

New Disclosure for Domestic Public Companies Disclosure Location(s) Compliance Date(s)
Current Cybersecurity Incident Reporting

☐ Disclose Material Cybersecurity Incidents

Source: New Item 1.05 of Form 8-K and new Item 106 of Regulation S-K.

Requirements: Within four (4) business days of determining that a cybersecurity incident (as defined in Item 106(a)) is material, describe the material aspects of:

  • the nature, scope, and timing of the incident; and
  • the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.

If any of the above information cannot be determined or is not available at the time of the filing, include a statement to that effect in the filing.

Note: Per Instruction 1 to Item 1.05, the materiality determination must be made without unreasonable delay after discovery of the incident. The four-business-day clock runs from the materiality determination, not from discovery of the incident.

Disclosures must be tagged in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.

Disclosure location: Form 8-K, Item 1.05. Material Cybersecurity Incidents.

Compliance date: December 18, 2023, or 90 days after the rules are published in the Federal Register, whichever is later (for smaller reporting companies: June 15, 2024, or 270 days after the rules are published in the Federal Register, whichever is later).

☐ Disclose Information that was Originally Unavailable

Source: New Item 1.05 of Form 8-K.

Requirements: If information required by Item 1.05 was omitted from the original Form 8-K because it was not determined or was unavailable, then within four (4) business days after such information is determined (without unreasonable delay) or becomes available:

  • File an amendment to the original Form 8-K under Item 1.05 containing such information.

Note: An amendment should also be filed to correct any prior disclosure that is found to have been untrue at the time it was made (or to have omitted information needed to keep the disclosure from being misleading).

Disclosures must be tagged in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.

Disclosure location: Form 8-K/A, Item 1.05. Material Cybersecurity Incidents.

Compliance date: Same as immediately above.
Annual Cybersecurity Governance Disclosure

☐ Disclose Cybersecurity Risk Management and Strategy

Source: New Item 106(b)(1) of Regulation S-K.

Requirements: Describe the registrant's processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats (as defined in Item 106(a)), including, as applicable, whether (and, if so, how) the registrant:

  • Has integrated such processes into its overall risk management system or processes.
  • Engages assessors, consultants, auditors, or other third parties in connection with such processes.
  • Has processes to oversee and identify risks from cybersecurity threats associated with its use of third-party service providers.

Note: The disclosure is not expected to provide a level of detail that could increase a company's vulnerability to cyberattack (for example, specific technical controls or known unremediated weaknesses). Instead, it should enable investors to assess the registrant's cybersecurity practices, including whether a risk assessment program exists, with enough information to understand the registrant's cybersecurity risk profile.

Disclosures must be tagged in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.

Disclosure location: Form 10-K, Part I, Item 1C. Cybersecurity.

Compliance date: Include in the Form 10-K covering the first full fiscal year ending on or after December 15, 2023.

☐ Disclose Identified Risks

Source: New Item 106(b)(2) of Regulation S-K.

Requirements: Describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition, and if so, how.

Note: Ensure consistency between this disclosure and the corresponding risk factor disclosures. Alternatively, if the corresponding risk factor disclosures already address these requirements, consider incorporating them by reference.

Disclosures must be tagged in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.

Disclosure location: Form 10-K, Part I, Item 1C. Cybersecurity.

Compliance date: Same as immediately above.

☐ Disclose Board Oversight of Cybersecurity Risks

Source: New Item 106(c)(1) of Regulation S-K.

Requirements: Describe the board of directors' oversight of risks from cybersecurity threats, including, as applicable:

  • Any board committee or subcommittee responsible for oversight of cybersecurity-related risks.
  • The processes by which the board or such committee is informed about these risks.

Disclosures must be tagged in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.

Disclosure location: Form 10-K, Part I, Item 1C. Cybersecurity.

Compliance date: Same as immediately above.

☐ Disclose Management's Role in Managing Material Cybersecurity Risks

Source: New Item 106(c)(2) of Regulation S-K.

Requirements: Describe management's role in assessing and managing material risks from cybersecurity threats, including, as applicable:

  • Whether and which management positions or committees are responsible for assessing and managing such risks.
  • The relevant expertise of such persons or committee members, in such detail as necessary to fully describe the nature of the expertise.
  • The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents.
  • Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board.

Note: Relevant expertise may include prior work experience in cybersecurity; any relevant degrees or certifications; and any knowledge, skills, or other background in cybersecurity.

Disclosures must be tagged in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.

Disclosure location: Form 10-K, Part I, Item 1C. Cybersecurity.

Compliance date: Same as immediately above.
New Disclosure for Foreign Private Issuers Disclosure Location(s) Compliance Date(s)

☐ Furnish Information on Material Cybersecurity Incidents

Source: Amended General Instruction B of Form 6-K.

Requirements: Furnish to the SEC information on material cybersecurity incidents that the registrant makes or is required to make public or otherwise discloses in a foreign jurisdiction, to any stock exchange, or to security holders, in accordance with the usual Form 6-K procedures. Unlike Item 1.05 of Form 8-K, this obligation is triggered by such disclosure elsewhere rather than by a stand-alone materiality determination.

Disclosures must be tagged in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.

Disclosure location: Form 6-K.

Compliance date: December 18, 2023, or 90 days after the rules are published in the Federal Register, whichever is later (for smaller reporting companies: June 15, 2024, or 270 days after the rules are published in the Federal Register, whichever is later).

☐ Disclose Cybersecurity Risk Management and Strategy
☐ Disclose Identified Risks
☐ Disclose Board Oversight of Cybersecurity Risks
☐ Disclose Management's Role in Managing Material Cybersecurity Risks

Source: New Item 16K of Form 20-F.

Requirements: For a summary of the requirements, refer to the corresponding disclosure sections for domestic public companies above. These disclosure requirements apply only to annual reports on Form 20-F, not to registration statements on Form 20-F.

Note: For purposes of Item 16K, "board of directors" includes a supervisory or non-management board, board of auditors, or statutory auditors, as applicable.

Disclosures must be tagged in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.

Disclosure location: Annual Report on Form 20-F, Item 16K. Cybersecurity.

Compliance date: Include in the Annual Report on Form 20-F covering the first full fiscal year ending on or after December 15, 2023.