SEC Proposes New Rules to Address Cybersecurity Risk

Public entities have become increasingly reliant on technologies, which is increasing their risk of a financially material cybersecurity incident. We’ve also seen an uptick in the frequency and severity of these cyberattacks year over year.

In response, the Securities and Exchange Commission (“SEC”) has introduced regulations to increase the transparency of public entities and foreign private issuers (“FPIs”), as well as to encourage the development of improved cybersecurity standards.

The Basics of SEC Cybersecurity Rule 10

In July, the SEC adopted new guidelines under Rule 10 that would require SEC Registrants (public companies) to perform two key actions:

• The timely public disclosure of cybersecurity incidents, and
• The annual release of cybersecurity policies.

These new requirements are achieved through updates to Form 8-K, Form 6-K, Form 20-F and Regulation S-K Item 106. The new requirements come on the heels of a rapidly changing cybersecurity landscape and increasing financial cost of cyberattacks.

The following information is taken from the SEC’s Final Rule 10 Documentation & Rule 10 Fact Sheet and official press release.

For annual reports of fiscal years ending on or after December 15, 2023, the changes outlined in Regulation S-K Item 106 and Form 20-F must be implemented. These are as follows:

• Registrants must detail their current processes in place used to identify, mitigate and respond to material cybersecurity incidents. Additionally, registrants must describe whether cybersecurity risks have, or are likely to have, a material impact on their organization.
• Registrants and FPIs must provide information on their board of directors’ oversight of cybersecurity threats and management’s role in mitigating the associated material risks.

Compliance with the below incident disclosure requirements contained in updated Forms 6-K, 20-F and 8-K (Item 1.05) must begin on December 18, 2023.

• In the event of a material cybersecurity incident, registrants must publicly disclose the following within four business days:
  • Nature, scope and timing of the incident; and
  • Impact (or suspected impact) of the incident.
• For FPIs, information on any material cybersecurity incident that is required to be reported to a foreign jurisdiction must also be provided to the SEC via Form 6-K.

While the SEC requires all registrants to follow the ruleset above, the commission affords extensions under certain circumstances, including:

• The controversial four-day disclosure window could be extended up to 60 days if the cybersecurity breach poses a national security or public safety risk.
• Due to the challenges smaller entities may face in meeting the requirements of SEC’s Rule 10, small entities have an additional 180 days (until June 15, 2024) to develop public disclosure procedures.

Potential Challenges of SEC’s Rule 10

Registrants required to adopt the SEC’s Rule 10 must expand their cybersecurity practices to provide their organization with cyber risk assessments, policies and public disclosure procedures. Organizations struggling to adapt should consider seeking outsourced consultants who can provide guidance and assistance during this transitory period.

Implementing SEC-compliant cybersecurity practices increases organizations' transparency to stakeholders, improves their ability to respond to incidents and keeps organizations ahead of the evolving cybersecurity landscape.