New SEC Cybersecurity Rules Are Here: What Should Companies Be Doing to Comply?

AGG has created a working group drawn from its Data Privacy & Cybersecurity, Corporate Governance, and Securities teams to help our clients prepare disclosures and comply with the Securities and Exchange Commission’s (“SEC”) new cybersecurity rules. AGG Data Privacy & Cybersecurity practice co-chairs Jacqueline Cooney and Kevin Coy, along with AGG Corporate Governance and Securities partners Joe Alley, Leah Braukman, and Brian Teras, have been working with clients to develop practical strategies for managing these requirements. See our quick overview of the new rule below and contact Jacqueline, Kevin, Joe, Leah, or Brian for more information.

SEC Cybersecurity Rule Fact Sheet

What Is the New Rule?

In late July 2023, the SEC adopted new rules that will require publicly traded companies to:

  1. disclose cybersecurity incidents within four business days of determining the incident is material; and
  2. annually disclose information regarding cybersecurity risk management, strategy, and governance.

How Is This Different From the Previous Rules?

The rules build on the SEC’s earlier guidance, staff guidance issued in 2011 and Commission interpretive guidance issued in 2018, in which the SEC expressed its view that existing disclosure obligations already applied to cybersecurity risks and incidents. That guidance did not create any cybersecurity-specific line item or filing deadline; the new rules do. In the press release accompanying the SEC’s adoption of the new rules, SEC Chair Gary Gensler indicated that the purpose of the new rules is to provide transparency around companies’ cybersecurity measures. Gensler said that disclosures should be made “in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

What Are the New Disclosure Requirements?

Form 8-K – Cybersecurity Incident Disclosure: The new rules require registrants to disclose on new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material, within four business days after determining that the incident is material. The four-business-day clock runs from the materiality determination, not from discovery of the incident, and the rules require registrants to make that determination without unreasonable delay after discovery. The Item 1.05 disclosure must describe the material aspects of the nature, scope, and timing of the incident and its material impact, or reasonably likely material impact, on the registrant, including its financial condition and results of operations. The filing may be delayed only if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing.

  • Compliance Deadline: Registrants must begin complying with this incident disclosure requirement starting on December 18, 2023. Smaller reporting companies will have until June 15, 2024 — an additional 180 days — before they must begin filing the new Form 8-K disclosure.

Form 10-K – Cybersecurity Governance Disclosure: The new rules also require registrants to describe annually on Form 10-K (new Item 1C, which calls for the disclosure specified in new Item 106 of Regulation S-K) their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats; whether any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant; the board of directors’ oversight of risks from cybersecurity threats; and management’s role and expertise in assessing and managing those risks.

  • Compliance Deadline: The new Form 10-K disclosures will be required beginning with annual reports for fiscal years ending on or after December 15, 2023. Therefore, calendar-year companies must comply with the new rules in their annual reports for the fiscal year ended December 31, 2023, to be filed in the first quarter of 2024. All companies, including smaller reporting companies and emerging growth companies, must begin complying at this time.