SEC Mandates Prompt Cybersecurity Breach Disclosures and Enhanced Reporting for Public Companies

As part of a push to standardize and enhance corporate disclosures, the Securities and Exchange Commission (SEC) has modified its regulations to require public companies to promptly inform the public about material cybersecurity breaches. This regulation, effective as of July 26, 2023, dictates that these disclosures be made through Form 8-K and that detailed information regarding a firm’s cybersecurity risk management and governance be shared in annual reports via Form 10-K. These directives are part of the newly introduced Item 1.05 of Form 8-K and the new Regulation S-K Item 106 included in Form 10-K.

The revisions to the regulations were specifically designed to provide a more standardized framework for disclosures about cybersecurity breaches. The purpose of this uniformity is to offer clearer, more comprehensive information to the public, and to investors in particular, about the risks and actual impacts of such breaches.

The implications for public corporations are significant, reinforcing the increasing responsibility these organizations have in managing cybersecurity risks and providing timely, transparent data in the event of attacks. Moreover, the modifications reinforce the priority of cybersecurity in corporate governance. (Patterson Belknap Webb & Tyler LLP)

As cybersecurity continues to rise on the corporate agenda, the legal community will play a vital role in interpreting the implications of these SEC regulations, advising corporations on compliance, and shaping the future regulatory landscape.