The U.S. Securities and Exchange Commission (SEC) has introduced new regulations requiring companies to disclose substantial cybersecurity incidents. These rules also mandate yearly disclosure of key information regarding cybersecurity risk management, strategy, and governance. The mandate applies to foreign private issuers as well.
SEC Chair Gary Gensler emphasizes the significance of these disclosures to investors, suggesting that they will enable more consistent, comparable, and actionable decision-making. He stated that this would benefit not only the investors but also the companies and markets in which they operate.
Under these rules, companies will need to report any material cybersecurity incident through the new Item 1.05 of Form 8-K, including the nature, scope, and timing of the incident, along with its impact. This report is typically due four business days after the incident is determined to be material. Exceptions can be made in cases where the U.S. Attorney General deems immediate disclosure a potential national security risk.
Furthermore, companies will need to explain their processes for identifying, assessing, and managing cybersecurity threats in their annual report on Form 10-K. The disclosures should include the effects of such threats and prior incidents and detail how their board of directors oversees these risks.
The rules come into effect 30 days after publication in the Federal Register. Yearly disclosures will be mandatory for fiscal years ending on or after December 15, 2023. Smaller companies get an extra 180 days to prepare for the incident disclosure through Form 8-K. Disclosures must be tagged in Inline XBRL beginning one year after initial compliance with the relevant disclosure requirement.