Today’s edition of GRC Newsflash features our Compliance Specialist Frank Kyazze, and covers Risk Updates from the SEC announced on July 26, 2023. Listen to our update here, or read a transcript below:
What You Need to Know About the SEC’s New Rules for Cybersecurity Risk Management
SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies
The U.S. Securities and Exchange Commission (SEC) has adopted a groundbreaking decision focused on cybersecurity risk management, strategy, governance, and disclosure.
This move stems from an evolving landscape where cyber threats are rampant and consistent reporting on these threats is becoming paramount. The essence is clear. Whether a business suffers a tangible loss, like a factory fire, or an intangible one, like a significant cyber breach, it matters to investors.
SEC Chair Gary Gensler underscored this view, advocating for a uniform, transparent, and valuable reporting mechanism.
Now let’s demystify some terms before we get into the nitty gritty of the SEC cybersecurity risk management rules. The Form 8-K is like an urgent news update that companies use to notify investors about key events. With the new rules, if they face a major cybersecurity incident, they have to release one of these updates within four business days.
However, this can be deferred in specific national security cases. Regulation S-K Item 106 – think of this as a detailed table of contents or guidelines a company follows when writing their annual reports. Now, they’ll need to include information about how they handle cyber threats. When you hear XBRL, imagine a barcode system for financial reports. Companies will use this standardized format to tag their reports, making specific pieces of data easier to identify and understand.
So what does the SEC want companies to do in regards to cyber risk? Well, companies must report significant cybersecurity incidents on Item 105 of Form 8-K within four business days. However, this can be deferred if the U.S. Attorney General believes that immediate disclosure jeopardizes national security or public safety. With Regulation S-K Item 106, companies will outline their risk management approaches concerning cyber threats, from board oversight to the hands-on management of these risks.
Lastly, foreign private issuers, often traded on U.S. exchanges, will also adhere to similar disclosure obligations. When do these rules go live? They’re set to take effect 30 days post their Federal Register publication. Initial disclosures will accompany annual reports for fiscal periods ending on or after December 15th, 2023. A concession exists for smaller entities, granting them an extra 180 days for the Form 8-K disclosure. All companies will eventually transition to the Inline XBRL format for tagging disclosures, commencing one year post the initial compliance date.
In closing, the SEC’s stance is unmistakable. Cyber security in today’s interconnected business ecosystem is not a mere IT concern, but a holistic business challenge. By instating these regulations, the SEC aims to level the playing field, assuring that stakeholders are constantly informed.