SEC Issues New Requirements for Cybersecurity Disclosures (July 30, 2023)

Heads Up | Volume 30, Issue 13
July 30, 2023


SEC Final Rule Release No. 33-11216, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.
CF Disclosure Guidance Topic No. 2, “Cybersecurity,” and SEC Interpretive Release No. 33-10459, Commission Statement and Guidance on Public Company Cybersecurity Disclosures.
The SEC also issued an investigative report on October 16, 2018, in which it cautioned companies to consider cybersecurity threats when they are implementing their internal accounting controls. See Deloitte’s October 30, 2018, Heads Up for more information.
The final rule amends Forms 20-F and 6-K to require foreign private issuers (FPIs) to provide disclosures that are generally consistent with those discussed herein for domestic registrants. Specifically, FPIs must disclose in their annual Form 20-F the board’s oversight of risks from cybersecurity threats and management’s role in assessing and managing material risks from cybersecurity threats. The final rule also requires FPIs to furnish on Form 6-K information on material cybersecurity incidents that they disclose or publicize in a foreign jurisdiction to any stock exchange or security holders.
SEC Proposed Rule Release No. 33-11038, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.
Note that the final rule’s inclusion of “financial condition and results of operations” is not exclusive, and companies should consider qualitative factors alongside quantitative factors in assessing the material impact of an incident.
The final rule notes that “[t]he delay provision for substantial risk to national security or public safety is separate from Exchange Act Rule 0-6, which provides for the omission of information that has been classified by an appropriate department or agency of the Federal government for the protection of the interest of national defense or foreign policy. If the information a registrant would otherwise disclose on an Item 1.05 Form 8-K or pursuant to Item 106 of Regulation S-K or Item 16K of Form 20-F is classified, the registrant should comply with Exchange Act Rule 0-6.”
Adoption dates applicable to FPIs for disclosures in Form 6-K are consistent with Form 8-K, Item 1.05, and disclosures in Form 20-F are consistent with Item 106.
SEC Proposed Rule Release No. 33-11028, Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies.