Between 2011 and 2017 the SEC issued guidance on cybersecurity disclosure that emphasized material cybersecurity risks and specifically encouraged companies to consider disclosing their cybersecurity risk management practices.

In 2018, the SEC started to hold public hearings on potential cybersecurity disclosure requirements with an increased focus on introducing legislation and disclosure rules. 

After first proposing disclosure rules in 2022 and considering public comments about flexibility and cost, the SEC adopted final rules in 2023 that require cybersecurity disclosures in annual reports and current reports of material incidents.

Cybersecurity threats and incidents pose an ongoing and growing risk, especially with the digitalization of operations, remote work, digital payments, and reliance on third-party service providers. As these risks grow, so does the cost to companies and investors, which is why the SEC considers improved disclosure necessary.

Requirements

New Form 8-K Item 1.05 requires companies to disclose material cybersecurity incidents by filing an Item 1.05 Form 8-K within four business days of determining that an incident is material.

New Regulation S-K Item 106 requires companies to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats; to disclose whether any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company; and to describe the board of directors' oversight of cybersecurity risks and management's role and expertise in assessing and managing those risks.

Form 6-K and Form 20-F are amended to require foreign private issuers to furnish information on material cybersecurity incidents and to make periodic disclosures comparable to those required under new Regulation S-K Item 106.

Effective date and timeline
The new rules take effect 30 days after publication in the Federal Register. The Item 106 disclosures in Form 10-K and Form 20-F are required beginning with annual reports for fiscal years ending on or after Dec. 15, 2023. Form 8-K Item 1.05 and Form 6-K incident disclosures are required beginning 90 days after publication in the Federal Register or Dec. 18, 2023, whichever is later. Smaller reporting companies get an additional 180 days before Form 8-K compliance is required. All registrants must tag the new disclosures in Inline XBRL beginning one year after their initial compliance date.

Key points to consider

The Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure introduces key requirements for publicly traded companies. Be aware of and carefully consider these points:

  1. Disclosure of Cybersecurity Incidents on Current Reports. Public companies must disclose material cybersecurity incidents within four business days after determining that the incident is material. The disclosure is made in the company's current report (Form 8-K), with the goal of giving investors timely information about significant cybersecurity events.
  2. Disclosures about Cybersecurity Incidents in Periodic Reports. In their annual reports, companies must describe whether risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company, giving investors a view of the cumulative effect of incidents over the reporting period rather than only a point-in-time notice.
  3. Disclosure of a Registrant's Risk Management, Strategy, and Governance Regarding Cybersecurity Risks. Companies must disclose their cybersecurity risk management processes, strategy, and governance practices in their annual reports (Form 10-K).
  4. Disclosure by Foreign Private Issuers (FPIs). Foreign private issuers must provide comparable disclosures in their annual reports (Form 20-F).
  5. Structured Data Requirements. Registrants must tag the new disclosures in Inline XBRL, including block text tagging of narrative disclosures and detail tagging of quantitative amounts. The structured data requirements were adopted as proposed, with a staggered compliance date one year after the initial compliance date for the related disclosures.

Regulations and forms

Regulation S-K Item 106(b) – Risk management and strategy
Registrants must describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition.

Regulation S-K Item 106(c) – Governance
Registrants must describe the board's oversight of risks from cybersecurity threats and management's role in assessing and managing material risks from cybersecurity threats.

Form 8-K Item 1.05 – Material cybersecurity incidents
Registrants must disclose any cybersecurity incident they experience that is determined to be material and describe the material aspects of its (1) nature, scope, and timing; and (2) impact or reasonably likely impact, including on the registrant's financial condition and results of operations. An Item 1.05 Form 8-K must be filed within four business days of determining that an incident is material. A registrant may delay filing if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission in writing. Registrants must file an amendment to a prior Item 1.05 Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial filing.

Form 20-F
Foreign private issuers must provide in their annual report on Form 20-F disclosures comparable to those required under Regulation S-K Item 106: their processes for assessing, identifying, and managing material risks from cybersecurity threats, the board's oversight of those risks, and management's role in assessing and managing them.

Form 6-K 
FPIs must furnish on Form 6-K information on material cybersecurity incidents that they disclose or otherwise publicize in a foreign jurisdiction, to any stock exchange, or to security holders.

WWT's Managed Advisory Risk Service

The Managed Advisory Risk Service (MARS) advises organizations on the portions of the SEC rules that concern risk management processes and governance, and helps an organization meet those requirements.

  • Reduce cybersecurity insurance premiums by demonstrating proactive and sophisticated cybersecurity postures.
  • Decrease incident costs ranging from immediate remediation to long-term reputational damage with enhanced cyber resilience.
  • Optimize security investments with strategic allocation of resources and tools, ensuring that expenditures directly contribute to risk reduction.

Steps to Security Risk Management

Managed Advisory Risk Services (MARS) delivers a comprehensive cybersecurity strategy that spans the people, processes, and technology of your enterprise. WWT's approach is holistic: it protects your intellectual assets, strengthens compliance, bolsters your brand, and reduces legal risk.