New SEC Disclosure Rules (2023)

August 3, 2023

Stay compliant & safeguard your practice! Learn how SEC's new cybersecurity disclosure rules impact tax pros. Master reporting with expert insights.

Introduction:

The Securities and Exchange Commission (SEC) has taken a significant step towards enhancing transparency and accountability in the business world. In a recent press release, the SEC announced new rules that will require registrants, including tax and accounting professionals, to disclose material cybersecurity incidents they experience and provide annual disclosures regarding their cybersecurity risk management, strategy, and governance. Let’s delve into the key details of these rules and understand how they impact professionals in the tax and accounting industry.

The Importance of Cybersecurity Disclosure:

SEC Chair Gary Gensler emphasized the significance of cybersecurity disclosure, comparing it to disclosing other material events that could impact investors. The goal is to ensure consistency, comparability, and usefulness of information for companies and investors alike.

Disclosure Requirements:

The new rules mandate registrants to disclose material cybersecurity incidents on the new Item 1.05 of Form 8-K. This disclosure should include the nature, scope, and timing of the incident, along with its material impact or reasonably likely material impact on the registrant. Companies must file an Item 1.05 Form 8-K within four business days of determining that a cybersecurity incident is material. However, the disclosure may be delayed if immediate disclosure poses a substantial risk to national security or public safety.

Regulation S-K Item 106:

The newly added Regulation S-K Item 106 requires registrants to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats. Additionally, they must disclose the material effects or reasonably likely material effects of such risks and any previous cybersecurity incidents. The description of the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in managing these risks should also be provided in the registrant’s annual report on Form 10-K.

Comparable Disclosures for Foreign Private Issuers:

The rules extend to foreign private issuers, requiring them to make comparable disclosures. Material cybersecurity incidents must be disclosed on Form 6-K, while cybersecurity risk management, strategy, and governance disclosures should be made on Form 20-F.

Effective Date and Compliance:

The final rules will become effective 30 days after publication in the Federal Register. Companies will need to adapt quickly, as the Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after publication in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure.

Conclusion:

For tax and accounting professionals, compliance with the new cybersecurity disclosure rules is essential. Ensuring transparency in cybersecurity incidents and risk management strategies is not only crucial for investors but also builds trust with clients. By understanding the requirements and deadlines, professionals can efficiently prepare and file their disclosures, safeguarding their clients and businesses in an ever-evolving digital landscape. Stay vigilant, stay compliant, and protect what matters most. Visit Watch Cloud Cyber Security to learn more about our portfolio of cybersecurity solutions designed for tax and accounting professionals.