Strengthening Cybersecurity Disclosure:
SEC's New Regulations Explained

In today’s digital age, cybersecurity has become a critical concern for businesses of all sizes. Recognizing the growing importance of cybersecurity disclosures, the Securities and Exchange Commission (SEC) has adopted amendments to Regulation S-K, aiming to enhance transparency and standardization in reporting cybersecurity risks and incidents.

Key Updates and What They Mean for Registered Investment Advisers

Here’s a breakdown of the key updates and what they mean for RIAs.

Enhanced Cybersecurity Disclosures

The SEC adopted amendments to improve and standardize how public companies report on cybersecurity risks and incidents.

Risk Management and Strategy (Regulation S-K Item 106(b))

Companies must detail their processes for assessing and managing cybersecurity risks. They must also disclose if these risks have materially affected, or are likely to affect, their business strategy or financial condition.

Governance (Regulation S-K Item 106(c))

Companies must describe how their boards oversee cybersecurity risks and management’s role in assessing and managing these risks.

Material Cybersecurity Incidents (Form 8-K Item 1.05)

Companies must promptly disclose any material cybersecurity incidents they experience, including the nature, scope, timing, and impact on the company’s financial condition. They have 4 (four) business days to file this disclosure, with potential delays allowed for national security reasons.

Foreign Private Issuers (Forms 20-F and 6-K)

Foreign private issuers must also disclose information about cybersecurity governance and material incidents. They must describe board oversight and management’s role in handling cybersecurity risks. Additionally, they must report material incidents disclosed in foreign jurisdictions, to stock exchanges, or to shareholders on Form 6-K.

In summary, the SEC’s adoption of amendments to Regulation S-K represents a significant step forward in bolstering cybersecurity disclosure standards. By requiring companies to provide comprehensive insights into their cybersecurity risk management processes, governance structures, and material incidents, these regulations aim to enhance transparency, accountability, and investor confidence in an increasingly digital business landscape. As cybersecurity threats continue to evolve, staying vigilant and proactive in cybersecurity disclosures is paramount for companies seeking to safeguard their stakeholders’ interests.


Jeffrey Smith

Mr. Smith is a highly experienced securities lawyer, chief compliance officer, and business attorney with over 24 years of experience strengthening the legal and compliance functions of investment advisers, broker-dealers, and investment vehicles.

Attorney Advertising—LawVisory PLLC is a U.S. law firm and provides this information as a service to clients, prospective clients, and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.
