The SEC’s New Cyber Disclosure Rule: What Compliance Attorneys Need to Know

Introduction
The U.S. Securities and Exchange Commission (SEC) recently finalized a new rule for public companies that tightens the requirements for disclosing cybersecurity incidents. The regulation aims to bring consistency and transparency to the disclosure of cyber threats, risks, and incidents. Although the final rule streamlines certain disclosures and omits elements such as board expertise, time is of the essence for companies to prepare for the new reporting obligations.

What Does the New Rule Entail?

Material Cybersecurity Incidents
Companies are now required to disclose material cybersecurity incidents through a Form 8-K filing within four business days of determining that an incident is material. Foreign private issuers will use Form 6-K for this purpose. The disclosure must detail:

Nature of the incident
Scope and timing
Material or likely material impacts on the registrant

Delays in Disclosure
The rule allows for delays in disclosures if the U.S. Attorney General determines that immediate disclosure could substantially risk national security or public safety.

Updates and Amendments
Companies must update their Form 8-K filings with any additional material information not available at the time of the initial filing.

Annual Reporting Requirements
The rule mandates annual disclosures on Form 10-K about processes for identifying, assessing, and managing cybersecurity risks, as well as the board’s oversight and management’s role in the same.

Timeline and Applicability
Companies need to start providing disclosures on Form 10-K beginning with annual reports for fiscal years ending on or after December 15, 2023. Incident disclosures are mandatory starting 90 days after publication in the Federal Register or on December 18, 2023, whichever comes later. Smaller reporting companies get an additional 180 days to comply.

What Was Left Out
The final rule excludes some initially proposed requirements, like disclosure of the board’s cybersecurity expertise and aggregate reporting of previously undisclosed immaterial cybersecurity incidents.

Preparing for Compliance

Gap Analysis
Companies should consider performing a gap analysis to identify discrepancies between current practices and the new requirements.

Cross-Functional Teams
A team comprising the CISO, CIO, legal, and internal audit should be assembled to develop and implement new disclosure controls and procedures.

Cyber Governance
Companies should establish a risk-based cyber strategy aligned with their business strategy, develop a governance framework, and invest in maturing their cybersecurity capabilities.

Incident Response
An incident management framework with dedicated teams and automation support should be in place. Cyber readiness exercises can also help prepare for a material cybersecurity incident.

Conclusion
While the timeline to comply with the new rule is tight, companies have an opportunity to not just meet the new standards but to also strengthen their overall cybersecurity posture. For compliance attorneys, understanding the nuances and requirements of this rule is crucial for advising clients effectively.
