Readying Your Company For The New SEC Cyber Incident Disclosure And Risk Management Rules
Cyber-attacks and data breaches can cause serious financial, legal, operational and reputational damages to companies and investors (registration required). The global average cost of a data breach is $4.45 million. In response, the US Securities and Exchange Commission (SEC) unveiled a new set of rules (in July 2023) that requires publicly traded companies to disclose material cybersecurity incidents under Item 1.05 of Form 8-K and report their cybersecurity risk management, strategy and governance practices as part of Item 1C of their 10-K filings.
What Is Item 1.05 Of Form 8-K?
The Item 1.05 of Form 8-K requires publicly traded companies to notify the SEC of cybersecurity incidents within four days of a company determining that the impact of the attack or breach is “material.” While the definition of the term material is vague, companies are required to report any incident that could have material impact on investors. The disclosure must describe in detail the nature, scope and timing of the incident, the material impact or the likely material impact on business operations and finances and the company’s response strategy.
What Is Item 1C of Form 10-K?
Publicly traded companies have to submit a 10-K form annually, which includes details about their operations, products and services, financial aspects, potential risks and liabilities. The 10-K form now includes a new section where companies will have to describe and disclose its processes for, “assessing and managing material risks from cybersecurity threats” as well as “whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the [company] , including its business strategy, results of operations, or financial condition.”
The idea is to help investors assess the risk to their investments “in the same way they receive consistent and comparable disclosure about other risks that public companies face.”