The new SEC cybersecurity rules (Release No. 33-11216) codify and build on earlier SEC guidance on cybersecurity risks and incidents and require specific cybersecurity-related disclosures.
The new requirements include:
- Disclosure of material cybersecurity incidents on Form 8-K within 4 business days, beginning December 18, 2023
- Standardized annual disclosures of cybersecurity policies and procedures and updates of prior cybersecurity incident disclosures
Key Requirements
1. Public Disclosure of Cybersecurity Incidents: Beginning on December 18, 2023 (June 15, 2025 for smaller reporting companies), companies are required to disclose material cybersecurity incidents within 4 business days (as a new Item 1.05 of Form 8-K). This disclosure is triggered by a company’s determination that the incident is material to investors. Companies are required to make that determination as soon as reasonably practicable after the incident.
Once a cybersecurity incident is determined to be material, companies must disclose:
- When the incident was discovered and whether it is still ongoing
- A brief description of the nature and scope of the incident
- Whether data was stolen, altered,…
