Defining Issues | July 2023


Insight

SEC finalizes cybersecurity rules

The rules require enhanced and standardized risk management, strategy, governance and incident disclosures.

The final rules require disclosure of material cybersecurity incidents on Form 8-K. The rules also require disclosure on Form 10-K of a registrant’s processes to assess, identify and manage material risks from cybersecurity threats, including management’s role in assessing and managing those risks, as well as the board of directors’ oversight.

Applicability

  • Public companies subject to the Securities Exchange Act of 1934 – excluding certain Canadian foreign private issuers and asset-backed securities issuers.

Relevant dates

The final rules are effective September 5, 2023 and require the following:

  • All registrants must provide disclosures in Regulation S-K Item 106 and comparable items in Form 20-F beginning with annual reports for fiscal years ending on or after December 15, 2023.
  • All registrants – other than smaller reporting companies – must begin complying with the incident disclosure requirements in Form 8-K Item 1.05 and in Form 6-K on December 18, 2023.
  • Smaller reporting companies must begin complying with Form 8-K Item 1.05 on June 15, 2024.

Inline XBRL compliance begins one year after the initial compliance date for any issuer for the related disclosure requirement. Specifically:

  • For Regulation S-K Item 106 and Form 20-F, all registrants must begin tagging disclosures in Inline XBRL beginning with annual reports for fiscal years ending on or after December 15, 2024.
  • For Form 8-K Item 1.05 and Form 6-K, all registrants must begin tagging disclosures in Inline XBRL beginning December 18, 2024.

Key impacts

The SEC issued a Fact Sheet summarizing the key provisions of the final rules. The cybersecurity disclosure guidance issued by the SEC staff in 2011 and by the Commission in 2018 supplements the final rules.

Material cybersecurity incidents to be reported on Form 8-K

Under new Item 1.05 of Form 8-K, registrants must disclose information about a material cybersecurity incident within four business days after the registrant determines that the incident was material.

This information includes:

  • A description of the material aspects of the nature, scope, and timing of the incident.
  • The material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.

A registrant may delay providing the disclosures for an initial period of 30 days if the US Attorney General determines that the disclosures pose a substantial risk to national security or public safety. Additional delays may be permitted in certain circumstances.

Updated incident disclosures on an amended Form 8-K are required for any new information about a previously disclosed material incident that was unavailable or undetermined at the time of the initial Form 8-K filing.


Cybersecurity risk management, strategy and governance disclosures

Risk management and strategy

Registrants must provide in their Form 10-K a description of their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, including whether:

  • The described cybersecurity processes have been integrated into the registrant’s overall risk management system or processes, and how.
  • The registrant engages assessors, consultants, auditors or other third parties in connection with such processes.
  • The registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.

Registrants must also describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant – including its business strategy, results of operations, or financial condition – and if so, how.

Governance

The final rules require disclosures about the board of directors’ oversight of risks from cybersecurity threats and management’s role in assessing and managing material risks from cybersecurity threats.

Foreign Private Issuers (FPIs)

The final rules align incident reporting and periodic disclosures of FPIs on Forms 6-K and 20-F with those required for domestic registrants.

Structured data requirements

The final rules require registrants to report and disclose cybersecurity information in Inline XBRL format.

Compliance with the structured data requirements is delayed for one year beyond initial compliance with the related disclosure requirement.
