The SEC on Wednesday adopted final rules requiring companies that file documents with the commission to disclose material cybersecurity incidents on Form 8-K and provide periodic disclosure of their cybersecurity risk management, strategy, and governance in annual reports.
The SEC also adopted rules requiring foreign private issuers to make comparable disclosures.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said in a news release. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
The new rules, which become effective 30 days following publication of the adopting release in the Federal Register, require companies to disclose on the new Item 1.05 of Form 8-K “any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant,” the news release said.
An Item 1.05 Form 8-K will generally be due four business days after the determination that a cybersecurity incident is material, the SEC said. “The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing,” the release said.
The new rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. Item 106 will require companies to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a company’s annual report on Form 10-K.
The rules require comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.
The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after Dec. 15, the SEC said. The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or Dec. 18. Smaller reporting companies will have an additional 180 days before providing the Form 8-K disclosure.
In March 2022, the SEC issued proposed rules, rule amendments, and form amendments regarding cybersecurity risk management, strategy, governance, and material cybersecurity incidents by public companies.
Conflicts of interest and predictive data analytics
Also Wednesday, the SEC proposed new rules and amendments to address certain conflicts of interest associated with the use of predictive data analytics by broker-dealers and investment advisers in investor interactions. The proposal would require the following:
- A firm to eliminate or neutralize the effect of conflicts of interest associated with the firm’s use of covered technologies in investor interactions that place the firm’s or its associated person’s interest ahead of investors’ interests
- A firm that has any investor interaction using covered technology to have written policies and procedures reasonably designed to prevent violations of (in the case of investment advisers) or achieve compliance with (in the case of broker-dealers) the proposed rules
- Recordkeeping related to the proposed conflicts rules
Gensler: “These rules would help protect investors from conflicts of interest — and require that, regardless of the technology used, firms meet their obligations not to place their own interests ahead of investors’ interests.”
Internet adviser registration forms
The SEC also proposed rule amendments to modernize the internet adviser exemption from the prohibition on SEC registration for smaller investment advisers. The proposed amendments would do the following:
- Require an investment adviser relying on the exemption to at all times have an operational interactive website through which the adviser provides investment advisory services on an ongoing basis to more than one client.
- Eliminate the current rule’s de minimis exception for non-internet clients, thus requiring that an internet investment adviser must provide advice to all of its clients exclusively through an operational interactive website.
Gensler: “Today’s proposal would modernize the internet advisers exemption to better align registration requirements with modern technology and help the Commission in the efficient and effective oversight of registered investment advisers.”
To comment on this article or to suggest an idea for another article, contact Kevin Brewer at Kevin.Brewer@aicpa-cima.com.