SEC final rules: cybersecurity in focus
Cybersecurity threats and incidents continue to pose significant risks to public companies, investors, and market participants globally. The cost of these incidents to companies and investors continues to grow. In order to improve and standardize disclosures by public companies of cybersecurity risk management, cybersecurity strategy, governance, and material cybersecurity incidents, the U.S. Securities and Exchange Commission (SEC) proposed and adopted new rules.
On July 26, 2023, the SEC adopted the final rules “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” to standardize and enhance disclosures for cybersecurity incidents and risk management processes.

What is the SEC?
The SEC is an independent United States federal regulatory agency founded in 1934 and responsible for protecting investors, maintaining fair and orderly functioning of the securities markets, and facilitating capital formation. Federal agencies, in general, are part of the executive branch of government. These agencies are mandated by Congress to issue regulations based on laws enacted by Congress. The process of publishing new regulations is called “rule making”.
Disclosure rules on cybersecurity
The SEC publishes final rules to clarify the interpretation of federal legislation and how laws are to be implemented. The agency can also define requirements and prohibitions, as well as publish guidance or other policy statements.
The final rules published in July 2023 on cybersecurity disclosures took effect on September 5, 2023. Publicly traded companies in the U.S. must now make cybersecurity risk management, strategy and governance disclosures to the SEC beginning with their annual reports for the fiscal year ending on or after December 15, 2023. For the material cybersecurity incident disclosure requirements in Item 1.05 of Form 8-K, companies must begin complying on December 18, 2023.
Companies that qualify as “smaller reporting companies” are given an additional 180 days to begin reporting Item 1.05 on Form 8-K. These smaller reporting companies will begin disclosing material cyber incidents starting June 15, 2024.
The final rules also include reporting and disclosure requirements for Foreign Private Issuers (FPIs). These include Form 20-F for annual reports and Form 6-K for current reports. FPIs are regulated differently and have requirements related to their home country and their reporting requirements.

