In July 2023, the SEC adopted new cybersecurity disclosure rules for public companies, which include new 8‑K reporting requirements that are effective beginning December 18, 2023 and new 10‑K or 20‑F annual report disclosure requirements that are due for all fiscal years ending on or after December 15, 2023. Thus, all calendar year companies will have to include the new disclosure in their annual reports.

Under the new rules, a Form 8‑K must be filed within four business days of the company’s determination that it has experienced a material cyber incident. The company must disclose the following information to the extent the information is known at the time of the Form 8‑K filing:

  • When the incident was discovered;
  • Whether the incident is ongoing;
  • A brief description of the nature and scope of the incident;
  • Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
  • The effect of the incident on the registrant’s operations; and
  • Whether the registrant has remediated or is currently remediating the incident.

Under the new rule, “a registrant shall make a materiality determination regarding a cybersecurity incident as soon as reasonably practicable after discovery of the incident.” The timing of 8‑K disclosure will therefore be tricky: depending on the nature and scope of the incident and the industry in question, it can take weeks or more for a company to determine whether an incident is material and, if so, how it will affect the company’s results of operations.

For foreign private issuers, Form 6‑K will require companies to furnish information on material cybersecurity incidents that they make public, or are required to make public or otherwise disclose, in a foreign jurisdiction, to any stock exchange, or to security holders.

For annual reports on Form 10‑K, expanded disclosure of cyber incidents will include:

  • companies’ processes for assessing, identifying, and managing material risks from cybersecurity threats;
  • whether any risks from cybersecurity threats, including in the context of any previous cybersecurity incidents, have materially impacted or are reasonably likely to materially impact the company and/or its results of operations; and
  • a description of the directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.

Some of the information required by the second bullet above is already required in the MD&A section of the company’s annual or quarterly reports, so consistency with prior reports is something that should be considered. Form 20‑F for foreign private issuers will require similar disclosure.

We recommend that companies consider as soon as possible what kind of disclosure they would like to see in their annual reports, and that any substantive changes in policies are effected before year‑end so that they can be reflected in the new disclosure.

Frank Zarb

Frank Zarb is a partner in our Corporate Department and a member of the Capital Markets Group, where he concentrates his practice on equity finance and a wide range of regulatory matters under U.S. federal securities laws.

He counsels public and private companies, hedge funds and family offices, and market intermediaries and other financial institutions on a wide range of transactional and securities regulatory compliance matters including:

  • Equity investments and dispositions in public and private companies
  • Public company registration, disclosures and preparation of periodic reports
  • Tender offers, equity lines, proxy contests, SPACs, and other highly regulated transactions
  • Regulation M, Regulation SHO, Forms 13F and 13H, insider trading and other trading issues
  • Corporate governance and stock exchange listing standards
  • Federal and state proxy requirements as well as shareholder proposals and communications
  • Regulation of financial intermediaries, including trading of public and private equity, and complex and novel trading structures
  • Advocating with the SEC on behalf of a market intermediary related to back-office processing matters.

Frank’s practice is both domestic and international, beginning with his experience in senior positions with the Securities and Exchange Commission. As a member of the staff of the SEC’s Office of International Corporate Finance, Frank advised U.S. companies seeking to do business in the EU, Asia and the Middle East, as well as companies from those regions doing business in the U.S., or otherwise seeking to comply with the U.S. securities laws. In the Office of Chief Counsel, he focused on federal proxy rules, and supervised a team of staff members that provided guidance in the course of proxy season.

Prior to joining the Firm, Frank was deputy general counsel/chief securities counsel for Bristol Myers Squibb Co. in a new position required by the SEC. Prior to joining Bristol-Myers, Frank was a corporate partner with Morgan, Lewis & Bockius.

Social Responsibility

Frank is a Trustee of the Gerald R. Ford Presidential Foundation, and he provides significant pro bono assistance to non-profit social service institutions in the Washington, D.C. area.

Louis Rambo

Louis Rambo is a partner in the Corporate Department and a member of the Capital Markets Group. He focuses his practice on counseling public companies and their boards of directors on corporate governance, capital markets transactions, mergers and acquisitions, securities regulation, disclosure and shareholder activism. Prior to joining the Firm, Louis served as an attorney in the Division of Corporation Finance with the Securities and Exchange Commission.