SEC Adopts Final Rules on Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure by Public Companies

On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) adopted final rules requiring U.S. public companies to disclose material cybersecurity incidents on Form 8-K and, on an annual basis, disclose material information regarding their cybersecurity risk management, strategy and governance on Form 10-K. The final rules also require foreign private issuers to make comparable disclosures on Forms 6-K and 20-F.

The SEC observed that disclosure practices regarding cybersecurity incidents, risk management and governance have been inconsistent, despite interpretive guidance issued by the SEC in 2011 and 2018. The SEC indicated that the final rules are intended to result in enhanced, consistent, comparable and decision-useful disclosures that would allow investors to evaluate public companies’ exposure to material cybersecurity risks and incidents and their ability to manage and mitigate those risks.

In a departure from the proposed rules, the final rules do not require quarterly disclosures under Form 10-Q, but rather periodic amendments to Form 8-K, and they do not require registrants to identify a board cybersecurity expert. Additionally, the rules explicitly…
