SEC Adopts New Cybersecurity Disclosure Requirements For Public Companies

August 3, 2023

On July 26, 2023, the U.S. Securities and Exchange Commission adopted new cybersecurity related disclosure requirements that will apply to public companies that are subject to periodic reporting obligations under US federal securities law. The SEC is amending Form 8-K to require registrants that use this form to report specified information related to a cybersecurity incident within four business days of determining that the incident is material. The SEC is also amending Form 6-K to require registrants that qualify as foreign private issuers to promptly furnish information related to a material cybersecurity incident when specified conditions are met. In addition, registrants will be required to include disclosures regarding cybersecurity risk management, strategy, and governance in their annual reports. Asset-backed issuers, which typically are special purpose vehicles with limited activities, are exempt from these disclosure requirements.

Download PDF