Be Aware: SEC Changes Cyberattack Reporting Rules


In the past few years, there have been numerous cybersecurity breaches and incidents across the radio industry. Even larger corporations like Skyview, Cox, Marketron, and Townsquare haven’t been immune to ransomware and other attacks. Now the Securities and Exchange Commission is changing the way that companies report those attacks.

On Wednesday, the SEC enacted new rules obliging registrants to disclose significant cybersecurity incidents they encounter, along with annual information about their cybersecurity risk management, strategy, and governance. The regulations also apply to foreign private issuers, mandating similar disclosures.

As SEC Chair Gary Gensler puts it, “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors.” Gensler opined that the new rules, which aim for consistent, comparable, and decision-useful disclosures, would benefit both companies and investors by ensuring the revelation of essential cybersecurity information.

As per the new rules, registrants will need to report any cybersecurity incident they determine to be significant on Form 8-K Item 1.05, describing the occurrence’s nature, scope, and timing, as well as its significant impact or probable significant impact on the registrant. This Form 8-K must typically be submitted four business days after a registrant determines the cybersecurity incident to be significant. The disclosure may be postponed if the U.S. Attorney General deems immediate revelation would pose a considerable risk to national security or public safety.

The rules also introduce Regulation S-K Item 106, compelling registrants to outline their protocols for assessing, identifying, and managing substantial risks from cybersecurity threats. This regulation also necessitates a description of the board of directors’ supervision of cybersecurity risks and management’s function and expertise in handling these risks. These disclosures will need to be included in the registrant’s annual report on Form 10-K.

Similar disclosure requirements will be imposed on foreign private issuers via Form 6-K for significant cybersecurity incidents and Form 20-F for cybersecurity risk management, strategy, and governance.

The rules will take effect 30 days after the adopting release is published in the Federal Register. The Form 10-K and Form 20-F disclosures will be due starting with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures will be due beginning 90 days after the date of publication in the Federal Register or December 18, 2023, whichever comes later.
