Addressing the SEC’s New Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure Requirements | BakerHostetler

Key Takeaways

  • On July 26, 2023, the Securities and Exchange Commission (SEC) adopted new rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incidents.
  • The rules require reporting companies to file a Form 8-K under a new Item 1.05 to report certain information in the event of a material cybersecurity incident.
  • The rules also require reporting companies to describe in their annual reports under a new Item 1C both of the following:
    • The company’s processes for assessing, identifying and managing material risks of cybersecurity threats in sufficient detail for a reasonable investor to understand the processes.
    • Whether risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to have a material effect on the company, including on business strategy, results of operations or financial condition, and if so, how.
  • The annual report must also disclose the board of directors’ and management’s roles in overseeing and managing material risks of cybersecurity threats.
  • Companies are advised to ensure their incident assessment and…
