SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies

July 27, 2023

The SEC recently announced that it adopted rules requiring public companies to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. i-SIGMA CEO Nathan Campbell provides comment on the recently adopted rules.

Dear i-SIGMA Members,

I’m writing to inform you about a significant update from the Securities and Exchange Commission (SEC) regarding cybersecurity disclosures for public companies. The new rules will require registrants to disclose material cybersecurity incidents and provide annual disclosures on their cybersecurity risk management, strategy, and governance. As a non-profit supporting information governance professionals, we understand the importance of proper policies and procedures that protect sensitive information. This new requirement has been introduced with the aim of enhancing transparency and accountability in the face of cybersecurity incidents.

As part of the regulatory changes, registrants will now be required to disclose any material cybersecurity incidents on the recently introduced Item 1.05 of Form 8-K. Under these rules, registrants must promptly report the nature, scope, timing, and material impact of such incidents. In most cases, the disclosure on Form 8-K will be due within four business days of identifying the incident’s materiality.

Moreover, these new regulations also introduce Regulation S-K Item 106, which mandates that registrants provide detailed insights into their processes for assessing, identifying, and managing material risks arising from cybersecurity threats. This includes disclosures of the board of directors’ oversight and management’s role and expertise in handling cybersecurity risks.

i-SIGMA members prioritize safeguarding sensitive data. These disclosures will become a mandatory part of an organization’s annual reports. With these changes, the government is striving to strengthen cybersecurity practices and ensure that organizations are prepared to tackle potential threats effectively. Together, let’s uphold a secure and resilient business environment for all the clients we serve.

Thanks, Nate

You can read the full press release from the SEC on the SEC website.