The new rules apply to all registrants reporting under the 1934 Securities Exchange Act and include comparable requirements for foreign private issuers (FPIs).

All registrants are subject to the updated disclosures for risk management, strategy, and governance, with the new rules applying for fiscal years ending on or after December 15, 2023. For larger registrants, the material incident disclosure requirements come into effect on December 18, 2023; smaller reporting companies have a 180-day deferral (essentially an acknowledgment that smaller organizations will have more work to do to be able to meet the new requirements).

The SEC defines an incident as, “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.

The SEC states that determination of materiality should be based on federal securities law materiality; notably, this means that the determination extends well beyond the technical details of an incident.

The SEC requires that “an Item 1.05 Form 8-K must be filed within four business days of determining an incident was material “and that “registrants must determine the materiality of an incident without unreasonable delay following discovery and, if the incident is determined material”— making timely and accurate information critical to the materiality assessment process. Filing may be delayed “if the United States Attorney General determines immediate disclosure would pose a substantial risk to national security or public safety.” Additionally, “registrants must amend a prior Item 1.05 Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing.”