On August 4, 2023, the Securities and Exchange Commission’s (“SEC”) final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure was published in the Federal Register, confirming the dates on which these new requirements will enter into force. Covington has previously published a detailed summary of this rule, which imposes significant new disclosure requirements for publicly traded companies and, in certain instances, foreign private issuers. As discussed in greater detail in that alert, the new rule requires U.S. public companies to report material cybersecurity incidents on Form 8-K within four business days of their determination that a material cybersecurity incident has occurred. Foreign private issuers will be required to furnish information on Form 6-K about material cybersecurity incidents that they disclose or otherwise publicize to any stock exchange or to security holders in a foreign jurisdiction.
The rule also requires additional disclosures as part a company’s Annual Report on Form 10-K or Form 20-F regarding the company’s cybersecurity risk management and oversight. These requirements include disclosures regarding:
- processes a company maintains for assessing, identifying, and managing material risks from cybersecurity threats;
- a description of the board of directors’ oversight of risks from cybersecurity threats; and
- a description of management’s role in assessing and managing material risks from cybersecurity threats.
Now that the final rule has been published in the Federal Register, the compliance dates have been confirmed. The new requirement to report material cybersecurity incidents on Form 8-K and Form 6-K will take effect for all companies other than smaller reporting companies on December 18, 2023. This requirement will take effect for smaller reporting companies on June 15, 2024. The new disclosures in Annual Reports on Form 10-K and Form 20-F will be required in reports for fiscal years ending on or after December 15, 2023. All issuers will be required to tag Form 8-K and Form 6-K disclosures beginning December 18, 2024, and disclosures in Annual Reports on Form 10-K and Form 20-F will be required in reports for fiscal years ending on or after December 15, 2024. Please refer to Covington’s detailed summary of the final regulation for addition information on this regulation, including exceptions, required form amendments, and next steps for companies to consider.