Alert! New SEC Cybersecurity Regulations Go into Effect

Table of Contents

Bottom Line Up Front: If you use PaperCut, patch immediately to prevent ransomware and malicious exploitation. 

By: Denise Schroeder, CISO & Tom Mershon, Information Security Officer

In the ever-changing world of technology, staying ahead of the game is crucial for businesses to safeguard their assets and maintain customer trust. The Securities and Exchange Commission (SEC) recently adopted new rules concerning Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, which was effective December 15, 2023. 

As an IT advisory organization, we understand the importance of complying with new regulations and the challenges that organizations face in adapting to these changes. We aim to shed light on new compliance requirements and provide support to businesses seeking to enhance their security posture.


      • Form 8-k Filing Requirement within Four Business Days following the discovery of a material incident.

      • Materiality Disclosure includes Qualitative and Quantitative components.

      • Annual Report Disclosure Requirements.


    Reporting Timeline:

    Publicly traded companies are expected to comply with the new SEC cybersecurity regulations according to specific timelines:

    Form 10-K and Form 20-F Disclosures: These disclosures, which pertain to cybersecurity risk management, strategy, and governance, are required in annual reports for fiscal years ending on or after December 15, 2023.

    Form 8-K and Form 6-K Disclosures: For disclosures related to material cybersecurity incidents, compliance begins on the later of 90 days after the rules’ publication in the Federal Register or December 18, 2023. However, smaller reporting companies are granted an additional 180 days for compliance with Form 8-K disclosure requirements.

    Structured Data Tagging: All registrants must begin tagging disclosures required under the final rules in Inline eXtensible Business Reporting Language (iXBRL) one year after initial compliance with the related disclosure requirement.

    Incident Reporting Requirements:

    Disclosure of Material Cybersecurity Incidents: Companies are required to disclose any cybersecurity incident that they determine to be material, including incidents that occur with third-party service providers. This involves describing the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the company, including its financial condition and results of operations. In addition to quantitively assessing the incident, the determination of materiality may be based on whether or not the information would impact to an investor’s decision or if investors would consider the information important.

    Time Frame for Reporting: The disclosure of a material cybersecurity incident on Form 8-K is generally due within four business days after the company determines that the incident is material. This means that once a company identifies a cybersecurity incident as material, it must act promptly to disclose it in compliance with the SEC requirements.

    Potential Delay in Disclosure: The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing. In such cases, the timing of the disclosure can be adjusted based on the guidance from the Attorney General.

    – CyberNews April 27th, 2023

    Staying in front of these emerging threats can be overwhelming. We are here to help make it easy.

    About iLLÜM Advisors

    At iLLÜM we are passionate about helping our clients overcome IT challenges without simply throwing money at additional technology point solutions. We accomplish this by enabling their existing IT teams to deliver transformative solutions with velocity and improve cyber risk postures.

    Our team of senior IT leaders, project managers, and industry-leading IT management platform help organizations tackle their most pressing IT challenges. All our service options are provided on month-to-month subscriptions, so organizations of all sizes can receive expert IT guidance and project management on-demand, within budget, and without the costs associated with long-term commitments.

    Ready to Talk? Schedule a free 20 Minute Call! 

    Share this article with a friend

    Create an account to access this functionality.
    Discover the advantages