In July 2023, the U.S. Securities and Exchange Commission (SEC) adopted final rules requiring that public companies report material cybersecurity incidents under new Item 1.05 of Form 8-K, and disclose information regarding their cybersecurity risk management, strategy, and governance in annual reports on Form 10-K. Foreign private issuers are subject to similar disclosure requirements in Forms 6-K and 20-F. Although the final rules were effective this past September, the SEC provided for transition periods for compliance with the new disclosure requirements, which transition periods will end soon.
Material Cybersecurity Incident Reporting. Companies (other than smaller reporting companies) will be required to comply with the incident disclosure requirements in Item 1.05 of Form 8-K and in Form 6-K starting on December 18, 2023. Smaller reporting companies will have an additional 180 days to comply, and thus must begin complying with the incident disclosure requirements on June 15, 2024. All companies will need to begin tagging these disclosures in Inline XBRL starting on December 18, 2024.
As a reminder, subject to limited exceptions, companies will be required to…
