The following post was originally included as part of our recently published memorandum “Selected Issues for Boards of Directors in 2024”.

In July 2023, the U.S. Securities and Exchange Commission (SEC) adopted final rules to enhance and standardize disclosure requirements related to cybersecurity.  In order to comply with the new reporting requirements of the rules, companies will need to make ongoing materiality determinations with respect to cybersecurity incidents and series of related incidents.  The inherent nature of cybersecurity incidents, which are often initially characterized by a high degree of uncertainty around scope and impact, and an SEC that is laser-focused on cybersecurity from both a disclosure and enforcement perspective, combine to present registrants and their boards of directors with a novel set of challenges heading into 2024.

In addition to requiring certain annual disclosures relating to cybersecurity risk management, strategy and governance, the final rules added Item 1.05 to Form 8-K, requiring domestic registrants to disclose any material cybersecurity incident within four business days after a registrant determines that it experienced such an incident (the final rules also amended Form 6-K to add “cybersecurity incidents” as a reporting topic for foreign private issuers).  Now effective for most domestic registrants, new Item 1.05 requires registrants to describe the (i) material aspects of the nature, scope and timing of the incident and (ii) material impact or reasonably likely material impact on the registrant, including on its financial condition and results of operations (new Item 1.05 Form 8-K disclosure will be required for smaller reporting companies starting June 15, 2024).  Registrants must also provide updates by filing amended Form 8-Ks to the extent certain information remains unknown at the time of the initial filing.

To read the full post, please click here.

For a PDF of the full memorandum, please click here.