By Tony Foley
New rules governing cybersecurity risk management, strategy, governance and incident disclosure that were adopted by the SEC last month were published in the Federal Register on Friday, meaning that they will become effective somewhat sooner than expected.
The rules, approved by a 3-2 vote of the SEC commissioners at their July 26, 2023 open meeting, require registrants to disclose material cybersecurity incidents on Form 8-K Item 1.05, generally within four business days of the registrant’s determination that an incident is material.
According to the Federal Register release, the final rules will be effective on September 5, 2023, 30 days after their publication in the Register. Specifically, the rules provide that new disclosures required by Item 106 of Regulation S-K and Item 16K of Form 20-F must be provided by affected registrants beginning with annual reports for fiscal years ending on or after December 15, 2023. Compliance with the incident disclosure requirements in Item 1.05 of Form 8-K and in Form 6-K must begin on December 18, 2023 for all registrants except smaller reporting companies. Smaller reporting companies have been given an additional 180 days to comply with Item 1.05 of Form 8-K, to June 15, 2024.
With respect to structured data requirements, all registrants must tag disclosures under the final rules in Inline XBRL beginning one year after the initial compliance date for any issuer for the disclosure requirement at issue. Thus, such tagging must be in place by December 15, 2024 for disclosures required by Item 106 of Regulation S-K and Item 16K of Form 20-F, and on December 18, 2024 for disclosures required by Item 1.05 of Form 8-K and in Form 6-K.