On Dec. 14, 2023, Erik Gerding, director of the U.S. Securities and Exchange Commission’s (SEC) Division of Corporation Finance, made a statement on cybersecurity disclosure in connection with the SEC cybersecurity rules adopted in July 2023. The statement was issued shortly before the compliance dates under these rules for public companies, including foreign private issuers. Beginning on Dec. 18, 2023, all public companies (other than smaller reporting companies) are required to disclose material cybersecurity incidents in Item 1.05 of a Current Report on Form 8-K. Smaller reporting companies must begin complying with Item 1.05 of Form 8-K on June 15, 2024. A foreign private issuer is required to file Form 6-K with respect to material cybersecurity incidents that it discloses in a jurisdiction in which it is organized, to any stock exchange on which its securities are traded, or to its security holders. In addition, all public companies must disclose annually information regarding cybersecurity risk management, strategy, and governance in an annual report on Form 10-K or Form 20-F (for foreign private issuers) for fiscal years ending on or after Dec. 15, 2023.

Cybersecurity is not a novel issue for the SEC. The SEC Division of Corporation Finance in 2011, and the SEC itself in 2018 (Release No. 33-10459), provided guidance on how the disclosure rules then in effect applied to cybersecurity risks and incidents. However, the SEC’s Dec. 14, 2023, statement emphasized that its goal in adopting new cybersecurity rules was to “provide investors with the more timely, consistent, comparable, and decision-useful information they need to make informed investment and voting decisions.” This article focuses on how the SEC views materiality determinations for such disclosures, practical aspects of governance of cybersecurity matters, and the implications of the new SEC cybersecurity requirements for suppliers and vendors of public companies.

Materiality Determinations