New SEC Cybersecurity Disclosures

On July 26, 2023, the SEC adopted final rules that require public companies to promptly disclose material cybersecurity incidents on Form 8-K and detailed information regarding their cybersecurity risk management and governance on an annual basis on Form 10-K.

Foreign private issuers (FPIs) will need to disclose in their Form 20-Fs the same information about cybersecurity risk management and governance as U.S. domestic companies, but FPIs will only be required to report material cybersecurity incidents on Form 6-K when they decide to publicly report those incidents or are required to do so under home country rules.

In this client alert, we summarize the new cybersecurity disclosures required by the final rules and highlight where there are meaningful changes from the SEC’s proposed rules from March 2022. We also offer some suggestions for what companies can do to prepare for compliance with the new requirements.

Source: New SEC Cybersecurity Disclosures