This article was written by Chad V. Scott, Consulting Manager at the Bonadio Group.
On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) adopted rules regarding Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies. The rules require registrants to disclose any material cybersecurity incident under the new Item 1.05 of Form 8-K. The Form 8-K must describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant, including on its financial condition and results of operations. The filing is due within four business days after the registrant determines that the incident is material, not within four days of the incident itself.
The new rules also add Regulation S-K Item 106, which requires registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of cybersecurity threats and previous cybersecurity incidents. Item 106 also requires a description of the board of directors’ oversight of risks from cybersecurity threats and of management’s role and expertise in assessing and managing those risks. These disclosures are made in the registrant’s annual report on Form 10-K.
The new SEC disclosures take effect as follows:
- The Form 8-K disclosures are due beginning on the later of 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller Reporting Companies have an additional 180 days (until June 15, 2024) before they must begin providing the Form 8-K disclosures.
- The Form 10-K disclosures are due beginning with annual reports for fiscal years ending on or after December 15, 2023.
Why Are the New SEC Rules Important to Smaller Reporting Companies?
Beginning no later than June 15, 2024, Smaller Reporting Companies need a clear, documented process for determining whether a cybersecurity incident is material, and the capability to report accurately on a material incident within four business days of that determination. In practice this means incident response and disclosure controls must be connected: the people handling an incident need an escalation path to the people who decide materiality, and that decision cannot be unreasonably delayed after the incident is discovered.
Beginning with Form 10-Ks for fiscal years ending December 31, 2023, and onward, Smaller Reporting Companies need clear processes, suitable for public disclosure, for assessing, identifying, and managing material risks from cybersecurity threats. The disclosures must also include information regarding the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing those risks.
Smaller Reporting Companies’ boards of directors and senior management should act now to assess whether they are comfortable disclosing their current practices, and to determine what must be done to close any gap between those practices and what the disclosures will say before the requirements take effect.
Why Are the New SEC Disclosures Important to All Companies?
Environmental, Social, and Governance (ESG) reporting is very much a work in progress, and the reporting frameworks being developed in Europe may seem distant from companies operating in the United States. However, while that larger effort is underway in Europe, rules such as these cybersecurity rules are how ESG-style reporting will make its way into SEC reporting, and potentially into highly regulated industries such as financial institutions.
If you need further guidance or have any questions, we’re here to help. Please do not hesitate to reach out to our trusted experts to discuss your specific situation.
This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.