SEC rules address cybersecurity risk management, strategy

The Securities and Exchange Commission (SEC) recently adopted rules addressing cybersecurity risk management, strategy and governance.


“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”

Gensler said that, by having companies disclose material cybersecurity information, the rules will benefit investors, companies and the markets that connect them.

The SEC outlined that the new rules will require registrants to disclose, under the new Item 1.05 of Form 8-K, any cybersecurity incident they determine to be material, and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.

Additionally, per the SEC, the new rules include Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.

The final rules will become effective 30 days following publication of the adopting release in the Federal Register, the SEC noted.