On July 26, 2023, the SEC approved a new regulation requiring all public companies to disclose incidents that have a material impact within four days after determining the materiality—not the initial discovery. As cybersecurity risks continue to rise, this ruling will help standardize disclosures to protect investors. The requirements of the disclosure include:
- Reporting a cybersecurity incident on Form 8-K, explaining the nature and scope of the incident
- Annually reporting cybersecurity incidents on Form 10-K, outlining registrants and including:
- Process to assess, identify, and manage material risks cybersecurity threats pose
- Possible material effects from current and previous cybersecurity threats
- Board of directors’ insight and expertise on cybersecurity threats
FORVIS has evaluated the rule and released an in-depth article.
Additional details are available on the SEC website. If you have any questions or need assistance, please reach out to a professional at FORVIS or use the Contact Us form below.