As expected, the Securities and Exchange Commission adopted new rules today requiring publicly traded companies to make more disclosures about the cyber risks they have and the specific cyber attacks they suffer.
The final rules are largely in step with what the SEC first proposed last year: annual discussion of cyber risks in the company’s Form 10-K, and immediate disclosure of “material cybersecurity incidents” in Form 8-K filings within four days of the company deciding that the incident is indeed material.
The rules will go into effect for public reports filed after Dec. 15, 2023 — meaning, they’ll start appearing in annual reports that arrive in early 2024, and companies have only several months to retool their disclosure procedures to align with the new rules. Smaller reporting companies will have an extra six months to comply with the requirement for 8-K filings about cyber incidents, but they do not get any extra time for the annual disclosures in the 10-K.
The commission voted to adopt the rules on the usual 3-2 partisan split.
The most notable change from the original proposal is…