Update: On December 12, 2023, the SEC staff released Compliance & Disclosure Interpretations (C&DIs) providing guidance about the deadlines for a registrant to file an Item 1.05 Form 8-K where the registrant has requested that the Attorney General authorize the deferral of the filing because disclosure of the incident on Form 8-K poses a substantial risk to national security or public safety. On December 14, 2023, the SEC staff released a further C&DI to clarify that consulting with the Department of Justice regarding the availability of such a delay does not necessarily result in the determination that the incident is material.
The final rules require disclosure of material cybersecurity incidents on Form 8-K. The rules also require disclosure on Form 10-K of a registrant’s processes to assess, identify and manage material risks from cybersecurity threats, including management’s role in assessing and managing material risks from cybersecurity threats; as well as the board of directors’ oversight.