On July 26th, the SEC adopted their proposed rule related to Cybersecurity Risk Management and Incident Disclosure.
They also announced two new proposals: one related to Conflicts of Interest Involving Predictive Data Analytics, and the other involving Investment Advisers that Solely use the Internet.
- New Form 8-K, Item 1.05, requires registrants to disclose any cybersecurity incident determined to be material.
- Material cybersecurity incidents will need an explanation as to the nature, scope, timing, and material impact on the registrant.
- There should be no unreasonable delay in determining if an event is material upon discovery, and the Item 1.05, Form 8-K, should be filed within 4 business days.
- New Regulation S-K, Item 106, requires registrants to describe how they will assess, identify, and manage material risks from cybersecurity threats.
- Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats, and how the leadership’s role and expertise will help in managing cybersecurity threats.
- Form 6-K will be amended to require foreign private issuers to provide information on cybersecurity incidents they are forced to disclose by a foreign jurisdiction.
- Form 20-F will be amended to require foreign private issuers to make periodic disclosures like Reg S-K, Item 106.
- Investment advisers that rely on an exemption under rule 203A-2(e) to register with the SEC would be required at all times to have an operational interactive website through which the adviser provides investment advisory services on an ongoing basis.
- The de minimis exemption in the current rule would be eliminated, requiring internet investment advisers to provide advice to all clients exclusively through their website.
For the Adopted Rule, the following timing points are important to be aware of:
- The final rules will become effective 30 days following publication of the adopting release in the Federal Register.
- The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023.
- The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023.
- Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure.
The two proposals will have a 60-day comment period from the time the release is published in the Federal Register.
As the number of rule adoptions continues to grow in 2023, we suggest firms take a proactive approach and make the necessary preparations well before the enforcement dates.
For any compliance support you may need, reach out to us today.