Public companies in the U.S. now must disclose any cybersecurity incidents they have, as well as their cybersecurity risk management plans, under new rules recently adopted by the U.S. Securities and Exchange Commission (SEC). Foreign private issuers are also required to make comparable disclosures under the new rules.
“Currently, many public companies provide cybersecurity disclosure to investors,” SEC Chair Gary Gensler said in a July 26 news release. “I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies and the markets connecting them.”
Under the new rules, registrants must disclose any material cybersecurity incident on the newly introduced Item 1.05 of Form 8-K, the release states. The disclosure should include the nature, scope and timing of the incident, as well as its material impact or potential impact on the registrant.
The disclosure should generally be submitted within four business days after determining the incident's materiality, but it can be delayed if the U.S. Attorney General deems immediate disclosure poses a substantial risk to national security or public safety, according to the release.
In addition to the incident disclosure, the new rules add Regulation S-K Item 106, which requires registrants to outline any processes they have for "assessing, identifying and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents," the release states.
Registrants are also required to disclose the board of directors' oversight of cybersecurity risks and management's role and expertise in handling such risks, according to the release.
The newly required disclosures must be included in a registrant's annual report on Form 10-K. Foreign private issuers will also be subject to comparable disclosure requirements for material cybersecurity incidents on Form 6-K and for cybersecurity risk management, strategy, and governance on Form 20-F, the release reported.
The final rules will take effect 30 days after their publication in the Federal Register. For Form 10-K and Form 20-F disclosures, the requirement starts with annual reports for fiscal years ending on or after Dec. 15, the release said.
For Form 8-K and Form 6-K disclosures, the deadline is the later of 90 days after the publication in the Federal Register or Dec. 18, 2023. Smaller reporting companies have an additional 180 days to comply with the Form 8-K disclosure. All registrants must also tag the required disclosures in Inline XBRL one year after the initial compliance with the related disclosure requirement, according to the release.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” Gensler said in the release.