In July 2023, the SEC adopted new cybersecurity disclosure rules for public companies, which include new 8‑K reporting requirements that are effective beginning December 18, 2023 and new 10‑K or 20‑F annual report disclosure requirements that are due for all fiscal years ending on or after December 15, 2023. Thus, all calendar year companies will have to include the new disclosure in their annual reports.

Under the new rules, a Form 8‑K must be filed within four business days of the company’s determination that it has experienced a material cyber incident. The company must disclose the following information to the extent the information is known at the time of the Form 8‑K filing:

  • When the incident was discovered;
  • Whether the incident is ongoing;
  • A brief description of the nature and scope of the incident;
  • Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
  • The effect of the incident on the registrant’s operations; and
  • Whether the registrant has remediated or is currently remediating the incident.

Under the new rule, “a registrant shall make a materiality determination regarding a cybersecurity incident as soon as reasonably practicable after discovery of the incident.” Therefore, the timing of 8‑K disclosure will be tricky, since it can be weeks or more for a company to determine whether an incident is material and, if so, how it will impact the company’s results of operations, depending on the nature and scope of the incident, and the industry in question.

For foreign private issuers, Form 6‑K will require companies to furnish information on material cybersecurity incidents that they make, or are required to make public or otherwise disclose in a foreign jurisdiction to any stock exchange or to security holders.

For annual reports on Form 10‑K, expanded disclosure of cyber incidents will include:

  • companies’ processes for assessing, identifying, and managing material risks from cybersecurity threats;
  • whether any risks from cybersecurity threats, including in the context of any previous cybersecurity incidents, have materially impacted or are reasonably likely to materially impact the company and/or its results of operations; and
  • a description of the directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.

Some of the information required by the second bullet above is already required in the MD&A section of the company’s annual or quarterly reports, so consistency with prior reports is something that should be considered. Form 20‑F for foreign private issuers will require similar disclosure.

We recommend that companies consider as soon as possible what kind of disclosure they would like to see in their annual reports, and that any substantive changes in policies are effected before year‑end so that they can be reflected in the new disclosure.

Posted in Public Companies, SEC Enforcement
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Frank Zarb Frank Zarb

Frank Zarb is a partner in our Corporate Department and a member of the Capital Markets Group, where he concentrates his practice on equity finance and a wide range of regulatory matters under U.S. federal securities laws.

He counsels public and private companies…

Frank Zarb is a partner in our Corporate Department and a member of the Capital Markets Group, where he concentrates his practice on equity finance and a wide range of regulatory matters under U.S. federal securities laws.

He counsels public and private companies, hedge funds and family offices, and market intermediaries and other financial institutions on a wide range of transactional and securities regulatory compliance matters including:

  • Equity investments and dispositions in public and private companies
  • Public company registration, disclosures and preparation of periodic reports
  • Tender offers, equity lines, proxy contests, SPACs, and other highly regulated transactions
  • Regulation M, Regulation SHO, Forms 13F and 13H, insider trading and other trading issues
  • Corporate governance and stock exchange listing standards
  • Federal and state proxy requirements as well as shareholder proposals and communications
  • Regulation of financial intermediaries, including trading of public and private equity, and complex and novel trading structures
  • Advocating with the SEC on behalf of a market intermediary related to back-office processing matters.

Frank’s practice is both domestic and international, beginning with his experience in senior positions with the Securities and Exchange Commission. As a member of the staff of the SEC’s Office of International Corporate Finance, Frank advised U.S. companies seeking to do business in the EU, Asia and the Middle East, as well as companies from those regions doing business in the U.S., or otherwise seeking to comply with the U.S. securities laws.  In the Office of Chief Counsel, he focused on federal proxy rules, and supervised a team of staff members that provided guidance in the course of proxy season.

Prior to joining the Firm, Frank was deputy general counsel/chief securities counsel for Bristol Myers Squibb Co. in a new position required by the SEC. Prior to joining Bristol-Myers, Frank was a corporate partner with Morgan, Lewis & Brockius.

Social Responsibility

Frank is a Trustee of the Gerald R. Ford Presidential Foundation, and he provides significant pro bono assistance to non-profit social service institutions in the Washington, D.C. area.

Read more about Frank Zarb
Show more Show less
Photo of Louis Rambo Louis Rambo

Louis Rambo is a partner in the Corporate Department and a member of the Capital Markets Group. He focuses his practice on counseling public companies and their boards of directors on corporate governance, capital markets transactions, mergers and acquisitions, securities regulation, disclosure and…

Louis Rambo is a partner in the Corporate Department and a member of the Capital Markets Group. He focuses his practice on counseling public companies and their boards of directors on corporate governance, capital markets transactions, mergers and acquisitions, securities regulation, disclosure and shareholder activism. Drawing on his previous tenure with the Securities and Exchange Commission in the Division of Corporation Finance, Louis partners with clients on capital raising, including underwritten equity transactions, at-the-market offerings and high-yield and investment grade debt offerings, as well as on structuring M&A transactions, spin-offs, tender offers and going private transactions. He advises public companies on developing governance and disclosure matters, including director independence, compensation, insider trading issues, shareholder proposals and stockholder meetings, and advises on shareholder activism and takeover defense.

Louis also regularly advises hedge funds, private equity funds, family offices, private companies and other financial institutions on a wide range of transactional and securities regulatory compliance matters, including capital raising, PIPEs and secondary transactions, novel and complex beneficial ownership issues arising under the federal securities laws, derivative transactions, insider trading issues and policies and compliance programs.

Louis previously served as an attorney with the SEC in the Division of Corporation Finance. While at the SEC, Louis worked on a number of transactional and securities compliance matters.

Read more about Louis Rambo
Show more Show less
Related Posts
Dos and Don’ts for CCOs: How You Can Avoid Firm and Personal Liability for Wholesale Compliance Failures
October 22, 2025
SEC Releases Unsurprising But Ambitious Spring 2025 Regulatory Agenda
September 5, 2025
SEC v. TZP Management Associates, LLC: Insights Into Private Fund Enforcement Priorities Under Chair Atkins
August 22, 2025