O’Melveny Worldwide

A Reference Guide for Complying with the SEC’s New Cybersecurity Reporting Requirements

December 19, 2023

New cybersecurity disclosure rules adopted by the Securities and Exchange Commission (SEC) in July 2023 are now effective. Public companies that experience a material cybersecurity incident are now required to file a Form 8-K (under Item 1.05) within four business days after determining the incident is material. Smaller reporting companies have an extended compliance date of June 14, 2024. In addition, public companies with fiscal years ending on or after December 15, 2023 are required to include specified disclosures in their Form 10-Ks about their processes to assess, identify, and manage cybersecurity risks, management’s role in assessing and managing material cybersecurity risks and the board of directors’ oversight of cybersecurity risks. Similar corresponding requirements apply to foreign private issuers.

In a December 14, 2023 speech, Erik Gerding, the Director of the SEC’s Division of Corporation Finance, highlighted that the purpose of the new cybersecurity disclosure rules is to provide investors with “timely, consistent, comparable and decision-useful information they need to make informed investment and voting decisions.” At the same time, he emphasized that the new disclosure rules are not intended to require that companies take any specific actions to address their cybersecurity risks and threats, and that a company’s actions in response to these risks should be based on its particular facts and circumstances. He also reminded companies that the new Form 8-K’s current reporting of material cybersecurity incidents does not require detailed disclosure of specific or technical information about a company’s planned response to a cybersecurity incident, its cybersecurity systems, related networks and devices or any potential system vulnerabilities that would impede the company’s response or remediation of the incident.

To assist companies in complying with the SEC’s new cybersecurity reporting requirements, we have prepared an SEC Cybersecurity Disclosure Reference Guide, which is available here.


This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Shelly Heyduk, an O’Melveny partner licensed to practice law in California, Robert Plesnarski, an O’Melveny partner licensed to practice law in the District of Columbia and Pennsylvania, Michelle Earley, an O’Melveny partner licensed to practice law in Texas, Randall W. Edwards, an O’Melveny partner licensed to practice law in California, Sid Mody, an O’Melveny partner licensed to practice law in Texas, and Scott W. Pink, an O’Melveny special counsel licensed to practice law in California and Illinois contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2023 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.