SEC’s new cybersecurity rules – In summary

SEC’s new cybersecurity rules

The U.S. Securities and Exchange Commission (SEC) has recently adopted new rules to enhance the cybersecurity posture of public companies.

With cyber-attacks on the rise, the SEC recognizes the growing threat that cybersecurity incidents pose to businesses and investors, and has updated its rules accordingly. The new rules aim to provide investors with more transparent and timely information about a company’s cybersecurity risks and how they are managed.

The new rules become effective 30 days after publication in the Federal Register. Annual-report disclosures are required for fiscal years ending on or after December 15, 2023, and the four-business-day incident reporting rule takes effect sometime around April 2024.

Here’s a summary of the key points:

  • Incident Disclosure: Companies are required to disclose material cybersecurity incidents within four business days after determining the incident’s materiality.
  • Risk Management: Companies must describe their processes for identifying, assessing, and managing cybersecurity risks.
  • Strategy and Governance: Annual disclosures must include information on cybersecurity risk management, strategy, and governance.
  • Board Oversight: Disclosures must detail the board of directors’ oversight of cybersecurity risks.
  • Materiality Definition: The SEC emphasizes the importance of materiality in relation to how cybersecurity incidents could influence investor decisions.
  • Foreign and Private Issuers: The rules also apply to foreign private issuers, requiring comparable disclosures.

Key Components of the SEC Rules

  1. Incident Reporting:
    • Public companies must report material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material.
    • This accelerated reporting timeframe ensures investors receive timely information to assess the potential impact.
  2. Annual Cybersecurity Disclosures:
    • Companies must provide disclosures on Form 10-K (domestic companies) or Form 20-F (foreign private issuers) about their:
      • Cybersecurity risk management policies and procedures
      • Strategies for identifying and mitigating cybersecurity risks
      • Board-level oversight of cybersecurity
      • Management’s role and expertise in assessing and managing cybersecurity risk
      • Previous material cybersecurity incidents and any updates to previously reported incidents

Effective Dates of the New Rules

  • Incident Reporting: The four-business-day reporting rule is effective sometime around April 2024 for most companies. Smaller reporting companies have a slightly longer grace period.
  • Annual Disclosures: Disclosures on cybersecurity risk management, strategy, and governance will become effective for fiscal years ending on or after December 15, 2023.

What Companies Should Do

  • Assess Readiness: Review current cybersecurity programs, incident response plans, and disclosure practices.
  • Identify Gaps: Find any areas where your company may not be meeting the new requirements and develop a plan to address them.
  • Prepare Disclosures: Start drafting the required disclosures for inclusion in future annual reports.
  • Board-Level Attention: Ensure board members are aware of their oversight responsibilities related to cybersecurity.
  • Cross-Team Collaboration: Coordinate between legal, IT, communications, finance, and other teams for efficient and comprehensive disclosure.

Important Considerations

  • Materiality: Companies will need to exercise judgment when determining whether a cybersecurity incident is “material” and requires disclosure. The SEC provides guidance on this.
  • Consistency: Disclosures should be consistent in format and content, allowing investors to easily compare cybersecurity practices between companies.
  • Staying Updated: As the cybersecurity landscape evolves, companies need to adapt their risk management practices and disclosures accordingly.

About the SEC

The federal securities laws empower the Securities and Exchange Commission (SEC) with broad authority over all aspects of the securities industry. The SEC’s mission is to protect investors; maintain fair, orderly, and efficient markets; and facilitate capital formation.

The SEC has up to five Commissioners appointed by the President on the advice and consent of the Senate. No more than three Commissioners can be members of the same political party. 

Securities Act of 1933

Often referred to as the “truth in securities” law, the Securities Act of 1933 has two basic objectives:

  • require that investors receive financial and other significant information concerning securities being offered for public sale; and
  • prohibit deceit, misrepresentations, and other fraud in the sale of securities.

See the full text of the Securities Act of 1933.

Purpose of Registration

A primary means of accomplishing these goals is the disclosure of important financial information through the registration of securities. This information enables investors, not the government, to make informed judgments about whether to purchase a company’s securities. While the SEC requires that the information provided be accurate, it does not guarantee it. Investors who purchase securities and suffer losses have important recovery rights if they can prove that there was incomplete or inaccurate disclosure of important information.

The Registration Process

In general, securities sold in the U.S. must be registered. The registration forms companies file provide essential facts while minimizing the burden and expense of complying with the law. In general, registration forms call for:

  • a description of the company’s properties and business;
  • a description of the security to be offered for sale;
  • information about the management of the company; and
  • financial statements certified by independent accountants.

Registration statements and prospectuses become public shortly after filing with the SEC. If filed by U.S. domestic companies, the statements are available on the EDGAR database accessible at www.sec.gov. Registration statements are subject to examination for compliance with disclosure requirements.

Not all offerings of securities must be registered with the Commission. Some exemptions from the registration requirement include:

  • private offerings to a limited number of persons or institutions;
  • offerings of limited size;
  • intrastate offerings; and
  • securities of municipal, state, and federal governments.

By exempting many small offerings from the registration process, the SEC seeks to foster capital formation by lowering the cost of offering securities to the public.

Securities Exchange Act of 1934

With this Act, Congress created the Securities and Exchange Commission. The Act empowers the SEC with broad authority over all aspects of the securities industry. This includes the power to register, regulate, and oversee brokerage firms, transfer agents, and clearing agencies as well as the nation’s securities self-regulatory organizations (SROs). The various securities exchanges, such as the New York Stock Exchange, the NASDAQ Stock Market, and the Chicago Board of Options, are SROs. The Financial Industry Regulatory Authority (FINRA) is also an SRO.

The Act also identifies and prohibits certain types of conduct in the markets and provides the Commission with disciplinary powers over regulated entities and persons associated with them.

The Act also empowers the SEC to require periodic reporting of information by companies with publicly traded securities.

Corporate Reporting

Companies with more than $10 million in assets whose securities are held by more than 500 owners must file annual and other periodic reports. These reports are available to the public through the SEC’s EDGAR database.

Proxy Solicitations

The Securities Exchange Act also governs the disclosure in materials used to solicit shareholders’ votes in annual or special meetings held for the election of directors and the approval of other corporate action. This information, contained in proxy materials, must be filed with the Commission in advance of any solicitation to ensure compliance with the disclosure rules. Solicitations, whether by management or shareholder groups, must disclose all important facts concerning the issues on which holders are asked to vote.

Tender Offers

The Securities Exchange Act requires disclosure of important information by anyone seeking to acquire more than 5 percent of a company’s securities by direct purchase or tender offer. Such an offer often is extended in an effort to gain control of the company. As with the proxy rules, this allows shareholders to make informed decisions on these critical corporate events.

Insider Trading

The securities laws broadly prohibit fraudulent activities of any kind in connection with the offer, purchase, or sale of securities. These provisions are the basis for many types of disciplinary actions, including actions against fraudulent insider trading. Insider trading is illegal when a person trades a security while in possession of material nonpublic information in violation of a duty to withhold the information or refrain from trading.

Registration of Exchanges, Associations, and Others

The Act requires a variety of market participants to register with the Commission, including exchanges, brokers and dealers, transfer agents, and clearing agencies. Registration for these organizations involves filing disclosure documents that are updated on a regular basis.

The exchanges and the Financial Industry Regulatory Authority (FINRA) are identified as self-regulatory organizations (SROs). SROs must create rules that allow for disciplining members for improper conduct and for establishing measures to ensure market integrity and investor protection. SRO proposed rules are subject to SEC review and are published to solicit public comment. While many SRO proposed rules are effective upon filing, some are subject to SEC approval before they can go into effect.

Trust Indenture Act of 1939

This Act applies to debt securities such as bonds, debentures, and notes that are offered for public sale. Even though such securities may be registered under the Securities Act, they may not be offered for sale to the public unless a formal agreement between the issuer of bonds and the bondholder, known as the trust indenture, conforms to the standards of this Act.

See the full text of the Trust Indenture Act of 1939.

Investment Company Act of 1940

This Act regulates the organization of companies, including mutual funds, that engage primarily in investing, reinvesting, and trading in securities, and whose own securities are offered to the investing public. The regulation is designed to minimize conflicts of interest that arise in these complex operations. The Act requires these companies to disclose their financial condition and investment policies to investors when stock is initially sold and, subsequently, on a regular basis. The focus of this Act is on disclosure to the investing public of information about the fund and its investment objectives, as well as on investment company structure and operations. It is important to remember that the Act does not permit the SEC to directly supervise the investment decisions or activities of these companies or judge the merits of their investments.

To read more cybersecurity-related articles, click here.

Keywords

material cybersecurity incidents – risk management strategy and governance – foreign private issuers
