The Definitive Guide to Mandated SEC 10-K Cybersecurity Disclosures

SEC final cybersecurity disclosure requirements

The SEC adopted its cybersecurity disclosure rules on July 26, 2023. The Form 8-K incident-reporting requirement took effect on December 18, 2023, and the annual Form 10-K disclosures covered in this post apply to fiscal years ending on or after December 15, 2023. The rules apply to all companies that file periodic reports with the SEC.

In this post, we explore the mandated SEC 10-K cybersecurity disclosures, their impact on your company's annual reporting, and the essential elements to include in your company's 10-K for the 2023 financial results. We detail the specifics of the disclosures and highlight the sections of the 10-K that need attention. Because the 10-K is a signed filing, the cyber disclosures should go through the same audit or assurance process as the rest of the report so that they are accurate and consistent with what the company actually does. We also explain why these disclosures are a necessary part of the company's annual report to shareholders.

Covered Companies

All publicly traded companies with a class of equity securities listed on a US stock exchange are subject to SEC rules, including these mandated 10-K cybersecurity disclosures. Foreign private issuers listed on US exchanges are also required to comply; they make the equivalent disclosure in their annual report on Form 20-F rather than on Form 10-K.

Private companies that do not file periodic reports with the SEC are not subject to these disclosure rules, because the rules attach to the annual report itself.

The Final SEC 10-K Cybersecurity Disclosures

The key to these disclosures is understanding the purpose of the new rules. Their purpose is to inform shareholders, not to give the public a detailed account of how the company manages its cyber risk. The final rules require disclosure of the information that is material to an investment decision, presented so that investors can find it easily, and they do not require (and the SEC does not want) security-sensitive details such as specific controls, tooling, or open vulnerabilities that would help an attacker.

Action: Within the new Item 1C (Cybersecurity) of Form 10-K, create a subsection labeled Cyber Risk Program.

The final rules focus on processes rather than on policies and procedures. This shift to 'process' disclosure means your company need not state whether or not it has written policies or procedures; what must be described are the processes for assessing, identifying, and managing material risks from cybersecurity threats, including whether any such risks have materially affected, or are reasonably likely to materially affect, the company. The final rules focus on 'material' risks and do not require an inventory of every risk type, such as intellectual property theft, fraud, extortion, or violation of privacy laws. The governance disclosure also requires a description of the board's oversight of risks from cybersecurity threats, including which board committee or subcommittee is responsible, if any.

Action: Within Item 1C, create a subsection labeled Cyber Risk Governance.

The final rules on management's involvement in cyber risk have not substantially changed from the proposal. The company must describe management's role in assessing and managing material risks from cybersecurity threats, including which management positions or committees are responsible, the relevant expertise of those persons, and how they are informed about and monitor cybersecurity incidents. By contrast, the proposal's requirement to disclose cybersecurity expertise at the board level was dropped from the final rules.

Action: Within Item 1C, create a subsection labeled Cyber Risk Manager(s).

For more information on the items in the annual report on Form 10-K, see here.