SEC Adopts Rules Requiring Public Companies to Disclose Material Cybersecurity Incidents and Risk Management Strategies

Today, the SEC adopted rules to help investors understand material risks from cybersecurity threats. Companies must now disclose material cybersecurity incidents on Form 8-K four business days after they discover them. In addition, companies have to provide information regarding their cybersecurity risk management strategy and governance in their annual report on Form 10-K. Foreign private issuers may provide the same disclosure required by Form 8-K and Form 10-K on Forms 6-K and 20-F, respectively.

The new rules will take effect 30 days after they are published in the Federal Register. Companies must begin providing disclosure on their Form 8-K and Form 6-K 90 days after publication of the rule and on their Form 10-K and Form 20-F one year later. Tagging requirements for structured data need to be met one year after initial compliance with the related disclosure requirement.

With the adoption of these rules, investors will have access to information about material cybersecurity incidents and the company’s ability to manage risks associated with them, which will help inform better decision-making.