The SEC Cyber Disclosure Rules, adopted in July 2023, establish formal requirements for publicly traded companies to disclose material cybersecurity incidents and outline their cybersecurity risk management strategies. These rules amend Regulation S-K and Form 8-K, aiming to improve transparency for investors regarding cyber risks and breaches.
Public companies must report material cybersecurity incidents within four business days of determining materiality, through a new Item 1.05 in Form 8-K. The rules also introduce Regulation S-K Item 106, which mandates disclosures in annual filings about the company's cybersecurity governance, risk management, and board oversight. Foreign private issuers are subject to parallel updates under Form 6-K and Form 20-F.
These rules apply to all publicly listed companies, including foreign private issuers, across industries such as finance, technology, healthcare, energy, and retail. Companies must implement comprehensive cybersecurity incident detection and reporting frameworks, including enhanced due diligence processes to assess vendor risks, monitor third-party access, and evaluate potential cybersecurity vulnerabilities that could impact material business operations and investor interests.