How to Stay Ahead of the Curve on Cybersecurity: New SEC Rules You Need to Know

If you're like me, you probably have a love-hate relationship with technology. On one hand, it makes our lives easier, faster, and more connected. On the other hand, it also exposes us to all kinds of cyber threats that can harm our businesses, our reputations, and our wallets.

Cybersecurity is no longer a nice-to-have but a must-have for public companies. Cyberattacks can cause serious damage to your operations, your finances, and your credibility. They can also get you in trouble with the law and the regulators.

That's why the Securities and Exchange Commission (SEC) recently adopted new rules that require public companies to disclose more information about their cybersecurity incidents and practices. The SEC wants to ensure that investors have a clear picture of how companies are dealing with cyber risks and protecting their assets and data.

The new rules will take effect soon, so you need to be prepared.

Most public companies must adhere to these Form 8-K incident disclosure requirements, with compliance starting on December 18, 2023, or 90 days after the final rule is published in the Federal Register. However, smaller reporting companies have the option for an extension, pushing their compliance deadline to either June 15, 2024, or 270 days after the final rule's publication date in the Federal Register. Furthermore, all public companies must comply with the new annual disclosure requirements, commencing with the annual report on either Form 10-K or 20-F for the fiscal year ending on or after December 15, 2023. By being aware of and adhering to these new regulations, companies can ensure they are transparent and diligent in their cybersecurity and risk management approach.

Here are some of the main points you need to know to be prepared:

  • Tell it like it is: If you experience a cybersecurity incident that is material to your business, you need to report it on Form 8-K within four business days after you find out about it. You need to describe what happened, when it happened, how it affected you, and what you're doing about it. You can't hide or sugarcoat the facts. The only exception is if the U.S. Attorney General tells the SEC that disclosing the incident would jeopardize national security or public safety.
  • Show your cards: You must also disclose how you manage your cybersecurity risks and your strategy and governance. You need to explain how you assess, identify, and handle cyber threats, how they affect or could affect your business, and how your board of directors and management oversee and deal with them. You need to include this information in your annual report on Form 10-K.
  • Don't forget the foreigners: If you're a foreign private issuer, you're not off the hook. You must follow similar rules on Form 6-K for cybersecurity incidents and Form 20-F for cybersecurity risk management, strategy, and governance.

The new rules are part of the SEC's efforts to modernize its disclosure framework and to promote market efficiency and investor protection. They also reflect the growing importance and complexity of cybersecurity issues for public companies and their investors.

So what does this mean for you? It means that you need to review your existing policies and procedures regarding cybersecurity disclosure and risk management, as well as your internal controls over financial reporting and disclosure controls. It also means that you must ensure that you have appropriate systems and processes in place to identify, evaluate, and report material cybersecurity incidents in a timely manner.

If you have any questions or comments about the new rules or how they may affect your company, please feel free to reach out to me or leave a comment below.

Cristina Dolan

MIT Alum | Engineer | Cybersecurity | Cloud | AI | ESG | Founder & IPO | TEDx | CRN Channel | CEFCYS CYBER

1 year

It's time for every industry to get involved in the cybersecurity playing field. Especially, as you highlighted, Lekshmy, any organization that regularly interacts with the public. It's up to organizations to put forth the effort in protecting sensitive data.

Maruti S Jonnalagadda

Technology Leader | Cloud Architect | DevOps

1 year

Great post. I really liked the emphasis on reporting a cybersecurity incident within a few days of occurrence!
