On July 26, 2023, the SEC adopted final rules that require public companies to report material cybersecurity incidents within four days. The new rules also require annual disclosure of a company’s processes to assess, identify and manage material cybersecurity risks, management’s role in assessing and managing material cybersecurity risks, and the board of directors’ oversight of cybersecurity risks. Foreign private issuers will be subject to similar reporting requirements in Forms 6-K and 20-F, as described below.
Public companies should work with counsel and technical consultants to assess their cybersecurity incident response programs and be prepared to comply with more robust and timely SEC disclosure requirements while not compromising the effectiveness of response or remediation plans.
The compliance date for the Form 8-K and Form 6-K cybersecurity reporting requirement will be the later of 90 days (or 270 days for smaller reporting companies) after publication in the Federal Register or December 18, 2023 (with such disclosures required to be XBRL tagged by the later of 465 days after publication in the Federal Register or…
