News

Readying Your Company For The New SEC Cyber Incident Disclosure And Risk Management Rules

Steve Durbin
Published 12 - July - 2024
Read the full article on Forbes
riskforbesgovernance

Cyber-attacks and data breaches can cause serious financial, legal, operational and reputational damages to companies and investors (registration required). The global average cost of a data breach is $4.45 million. In response, the US Securities and Exchange Commission (SEC) unveiled a new set of rules (in July 2023) that requires publicly traded companies to disclose material cybersecurity incidents under Item 1.05 of Form 8-K and report their cybersecurity risk management, strategy and governance practices as part of Item 1C of their 10-K filings.

What Is Item 1.05 Of Form 8-K?

The Item 1.05 of Form 8-K requires publicly traded companies to notify the SEC of cybersecurity incidents within four days of a company determining that the impact of the attack or breach is “material.” While the definition of the term material is vague, companies are required to report any incident that could have material impact on investors. The disclosure must describe in detail the nature, scope and timing of the incident, the material impact or the likely material impact on business operations and finances and the company’s response strategy.

What Is Item 1C of Form 10-K?

Publicly traded companies have to submit a 10-K form annually, which includes details about their operations, products and services, financial aspects, potential risks and liabilities. The 10-K form now includes a new section where companies will have to describe and disclose its processes for, “assessing and managing material risks from cybersecurity threats” as well as “whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the [company] , including its business strategy, results of operations, or financial condition.”

The idea is to help investors assess the risk to their investments “in the same way they receive consistent and comparable disclosure about other risks that public companies face.”

More SEC guidance from the ISF

Array
podcast

Lost in Regulation: Bridging the cyber security gap for SMEs

Former civil servant Brian Lord examines the cybersecurity challenges and regulatory hurdles for SMEs within government supply chains.

Listen Now on Lost in Regulation: Bridging the cyber security gap for SMEs
Array
event

Decoding the SEC Cybersecurity Disclosure

Gain exclusive insight as the ISF and SEC joined forces to cut through the noise surrounding their latest cyber security rules.

Location Online
Watch On-Demand on Decoding the SEC Cybersecurity Disclosure
news
ISF Expert Opinion

What does the SEC indictment of SolarWinds mean for security leadership?

Paul Watts, Distinguished Analyst at the ISF explores what the SEC indictment of SolarWinds means for security leadership

published 29 - November - 2023
Read More on What does the SEC indictment of SolarWinds mean for security leadership?
Readying Your Company For The New SEC Cyber Incident Disclosure And Risk Management Rules
Read the full article on Forbes