The SEC on Wednesday, July 26, adopted final rules requiring companies that file documents with the commission to disclose material cybersecurity incidents.
Under the final rules, companies must disclose those incidents on Form 8-K and provide periodic disclosure of their cybersecurity risk management, strategy and governance in annual reports on Form 10-K.
In their disclosures, businesses will need to describe the material aspects of a cybersecurity incident’s nature, scope, timing and material impact.
The new rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats. Read more.