
New SEC Rules: Disclosures on Cybersecurity Risk Management, Strategy, Governance, and Incident




With cyberattacks and cybersecurity incidents on the rise, investors want to know whether their assets are protected and whether their investments are secured against cyberattacks.

On July 26, 2023, the US SEC adopted new rules to enhance and standardize disclosures regarding the cybersecurity risk management, strategy, governance, and incidents of public companies subject to the Securities Exchange Act of 1934 (“Exchange Act”). Under the new rules, organizations need to be involved in managing their cyber risks, understand how they should manage them, and take responsibility for providing relevant and useful information to investors.

Although not obliged to by the SEC guidance of 2011 and 2018, many public companies already provide cybersecurity disclosures. However, both companies and investors would benefit from more consistent and comparable disclosures, which would make them more useful for decision-making.

Who is affected?

Under the new rules, all types of SEC filers are affected, including domestic registrants, Foreign Private Issuers (“FPIs”), Smaller Reporting Companies (“SRCs”), and Emerging Growth Companies (“EGCs”).

Main Provision

The new rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure have two components:

1. Disclosures of material cybersecurity incidents

2. Annual disclosure of cybersecurity risk management, strategy, and governance.

Both cybersecurity disclosures need to be presented in Inline eXtensible Business Reporting Language (“Inline XBRL”), as required by the new rules.

Disclosures on Material Cybersecurity Incidents

Under the new rules, Item 1.05 is added to Form 8-K, which requires domestic registrants to disclose the following information regarding a material cybersecurity incident:

1. Material aspects of its nature, scope, and timing

2. Material impact or reasonably likely material impact on the registrant, including the registrant’s financial condition and results of operations.

Under SEC cybersecurity rules, a material incident is an event which is substantially likely to be important to a reasonable investor when making an investment decision. There is no specific financial threshold to consider a cyber incident as material, as it requires an analysis of both quantitative and qualitative information related to the incident.

Any material cybersecurity incident must be filed within four (4) business days of determining an incident was material. It is important to note that the filing is tied not to the discovery of the incident but to the determination that it is material. Registrants should determine whether an incident is material or not without unreasonable delay; however, a registrant may delay filing if the United States Attorney General determines immediate disclosure would pose a substantial risk to national security or public safety.

It is worth noting that a registrant is not required to include in its disclosures specific or technical information that could affect its incident response or remediation, or that could reveal potential system vulnerabilities.

For FPIs, disclosure must be made on Form 6-K promptly after the incident is disclosed or otherwise publicized in a foreign jurisdiction to any stock exchange or security holders.

Annual Disclosure of Cybersecurity Risk Management, Strategy, and Governance

Companies must now disclose details about their cybersecurity defenses in their annual reports. The new rules introduce Item 106 to Regulation S-K, which mandates disclosure of certain information on cyber risk management, strategy, and governance within Form 10-K filings. FPIs have a comparable disclosure requirement in their annual reports under Item 16K, which has been added to Form 20-F.

Risk Management and Strategy

Under Regulation S-K Item 106(b) – Risk Management and Strategy, registrants are required to describe their processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats. They must also describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition. The following are the elements that a registrant should address in its Item 106(b) disclosure, as applicable:

• Whether and how the described cybersecurity processes in Item 106(b) have been integrated into the registrant’s overall risk management system or processes

• Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes

• Whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with using any third-party service provider

With these specific disclosure requirements, registrants are expected to:

1. Identify the methods the company uses to identify and assess risks, which should ideally cover incidents involving data theft and business continuity events.

2. Consider addressing residual risks and identifying how the company designs or updates its cybersecurity processes after risk assessment.

3. Consider evaluating the effectiveness of the company’s controls and safeguards, including any oversight and assessment of third parties used in the process.

The list is not exhaustive, and registrants should consider disclosing any other information they deem relevant and necessary.


Under Item 106(c) – Governance, registrants are required to describe the board’s oversight of cybersecurity threats and management’s role in assessing and managing material risks from cybersecurity threats. The disclosure must include: