Published: September 8, 2023

New SEC Cybersecurity Disclosure Rules

By TalPoint Marketing

The Securities and Exchange Commission (SEC) has recently adopted new rules to enhance disclosures regarding cybersecurity risk management, strategy, and governance, and to amplify the transparency of cybersecurity incidents within the business landscape. These rules are aimed at benefiting investors, companies, and the broader market by ensuring more consistent and comprehensive cybersecurity disclosures.

In a discussion with Nelly Spieler of Frank Rimerman +Co., three pivotal elements of the regulation were highlighted:

  • Firstly, companies must have cybersecurity expertise on their board.
  • Secondly, businesses are now required to periodically report their cybersecurity risk management programs. “Annually, within the 10-K, there is a section where companies need to discuss their management program for cybersecurity,” noted Spieler.
  • The third key element is that businesses must report material cybersecurity incidents. As Spieler emphasizes, “Materiality is anything that may affect an investor’s decision to invest or divest.”

In response to this new rule, companies are encouraged to identify their data stores, reevaluate data classification, and review the data inventory in order to reduce the likelihood that a breach rises to the level of a material incident:

  • Is the data required to be managed and maintained? If not, companies may want to consider deleting it.
  • Data categorized as material should be masked or encrypted.
  • Companies should have a regularly followed process for data classification that covers both production and backup data sources.

In addition, companies should evaluate their incident response plans and ensure that the new reporting requirements, including the materiality determination and the four-business-day disclosure window, are built into those plans.

The SEC, in its press release, further elaborates on the nature of these disclosures. As stated by SEC Chair Gary Gensler, the objective is to make cybersecurity disclosure more “consistent, comparable, and decision-useful” for investors. Under the new rules, companies must disclose any cybersecurity incident they determine to be material via Item 1.05 of Form 8-K. This filing is generally due four business days after the company determines that the incident is material. There is a provision for delay in instances where immediate disclosure might jeopardize national security or public safety.

Moreover, with the addition of Regulation S-K Item 106, companies must describe their strategies and governance regarding cybersecurity. This includes board oversight, management roles, and their expertise in identifying and managing risks. This data will be integral to a company’s annual report on Form 10-K.

Foreign private issuers are not left out either. Comparable disclosure requirements apply to them on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management.

It is crucial to note that these regulations become effective 30 days after publication in the Federal Register, with specific forms having their respective compliance dates. For instance, the Form 10-K and Form 20-F disclosures will begin with annual reports for fiscal years ending on or after December 15, 2023.

For smaller reporting companies, there is an additional 180-day grace period for the Form 8-K incident disclosure. Furthermore, tagging of these disclosures in Inline XBRL will begin one year after the initial compliance date.

In conclusion, as businesses and investors navigate these new regulations, ensuring clarity, consistency, and transparency in cybersecurity disclosures is paramount for investor trust and market stability.
