SEC adopts rules regarding disclosure of cybersecurity incidents

On Behalf of | Aug 21, 2023 | Securities and Compliance

The Securities and Exchange Commission announced that it has adopted rules tightening the requirements for public companies to report cybersecurity incidents, according to JD Supra.

Under the new rules, firms will be required to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its impact on the company. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material. The disclosure can be delayed if the US Attorney General finds that it would pose a substantial risk to national security or public safety.

“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

The rules will also require companies to annually disclose material information regarding their cybersecurity risk management, strategy, and governance. The SEC is adding Regulation S-K Item 106, which will require firms to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, as well as the effects of risks from cybersecurity threats and previous cybersecurity incidents.

Item 106 will also require companies to describe their board of directors’ oversight of risks from cybersecurity threats and management’s expertise in managing material risks from cybersecurity threats.

The final rules will become effective 30 days following publication in the Federal Register.

The attorneys at Lewitas Hyman include former senior attorneys at the SEC whose legal experience and industry knowledge make them uniquely qualified to provide counsel on securities regulatory, compliance and enforcement matters. Our attorneys fully understand the regulatory scrutiny financial professionals and their firms face from the various regulators that oversee the financial services industry. If your firm is facing an investigation from a regulatory agency, please contact Lewitas Hyman at (888) 655-6002 or through our online contact form.