In July 2023, the Securities and Exchange Commission (SEC) implemented a final rule requiring public companies to furnish comprehensive and uniform disclosures pertaining to cybersecurity risk management, strategy, governance, and incidents. This article covers the SEC Cybersecurity Disclosure Rules and what you need to know.




What is Form 8-K?


SEC Form 8-K is a current report that public companies must file with the SEC to announce major events that shareholders should know about. It is also used to satisfy a registrant's filing obligations pursuant to Rule 425 under the Securities Act, regarding written communications related to business combination transactions, or Rule 14a-12(b) or Rule 14d-2(b) under the Exchange Act, relating to soliciting materials and pre-commencement communications pursuant to a tender offer.


NEW Rule requirement:

The new rules require registrants to disclose, under the new Item 1.05 of Form 8-K titled 'Material Cybersecurity Incidents', any cybersecurity incident that they determine to be material. The disclosure must describe the incident's fundamental characteristics, including its nature, extent, and chronology, and the material impact or reasonably likely material impact on the registrant.


What is Regulation S-K?


SEC Regulation S-K is a regulation that outlines how registrants should disclose material qualitative descriptors of their business on registration statements, periodic reports, and any other filings. It is a part of the Code of Federal Regulations (CFR).


NEW Rule requirement:

The new rules also add Regulation S-K Item 106, which requires public companies to furnish comprehensive and uniform disclosures about their processes for assessing, identifying, and managing material risks from cybersecurity threats. Registrants must also disclose whether any risks from cybersecurity threats, including those resulting from previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant. These disclosures will be required in a registrant’s annual report on Form 10-K.



What is Form 10-K?


SEC Form 10-K is an annual report that publicly traded companies in the United States are required to file with the SEC. It provides a comprehensive summary of a company’s financial performance and includes detailed information about its business operations, risks, and management.


Key components of a Form 10-K typically include:


  • Financial Statements
  • Management’s Discussion and Analysis (MD&A)
  • Business Description
  • Risk Factors
  • Corporate Governance
  • Legal Proceedings
  • Market Price of and Dividends on the Registrant's Common Equity and Related Stockholder Matters


What is Form 6-K?


SEC Form 6-K is a report foreign private issuers file when they have significant information to disclose that isn’t covered in their regular reports. While less detailed than annual or quarterly reports, Form 6-K is crucial for providing investors with current and pertinent data about foreign issuers listed on U.S. exchanges.


NEW Rule requirement:

The new rules require comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents.


What is Form 20-F?


SEC Form 20-F is an annual report filing for non-U.S. and non-Canadian companies that have securities trading in the U.S. It helps standardize the reporting requirements of foreign companies and provides investors with information about the company's financial performance, management, and governance. The form requires companies to disclose information such as their business operations, risk factors, financial statements, and executive compensation.


NEW Rule requirement:

The new rules require comparable disclosures by foreign private issuers on Form 20-F for cybersecurity risk management, strategy, and governance.


When do the SEC Cybersecurity Disclosure Rules take effect?


The SEC has stated that the SEC Cybersecurity Disclosure Rules


"will become effective 30 days following publication of the adopting release in the Federal Register. With respect to Regulation S-K Item 106 and the comparable requirements in Form 20-F, all registrants must provide such disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023. With respect to compliance with the incident disclosure requirements in Form 8-K Item 1.05 and in Form 6-K, all registrants other than smaller reporting companies must begin complying on the later of 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days and must begin complying with Form 8-K Item 1.05 on the later of 270 days from the effective date of the rules or June 15, 2024. With respect to compliance with the structured data requirements, all registrants must tag disclosures required under the final rules in Inline XBRL beginning one year after initial compliance with the related disclosure requirement."

