SEC Cybersecurity Disclosure Rules (2023)
Was ist SEC Cybersecurity Disclosure Rules (2023)?
SEC Cybersecurity Disclosure Rules (2023)U.S. Securities and Exchange Commission rules adopted in July 2023 requiring public companies to disclose material cyber incidents on Form 8-K within four business days and to describe their cybersecurity risk management, strategy, and governance annually on Form 10-K.
The SEC's Cybersecurity Disclosure Rules, finalized 26 July 2023 and largely effective by December 2023, materially changed cyber-incident reporting for U.S.-listed companies. Public registrants must file Form 8-K Item 1.05 within four business days of determining that a cybersecurity incident is material, describing its nature, scope, timing, and material impact (including reasonably likely impacts). Determination of materiality must be made 'without unreasonable delay'. Annually, the 10-K must include Item 106 disclosures on processes for assessing/managing cyber risk, the role of management and the board in cyber oversight, and any material risks from cyber threats. A narrow law-enforcement-delay carve-out exists when the U.S. Attorney General determines that disclosure would substantially threaten public safety or national security. Foreign private issuers face analogous obligations on Form 6-K and 20-F. Since the rule took effect, dozens of 8-Ks have been filed (MGM Resorts, Clorox, Caesars, ScreenConnect/ConnectWise, Halliburton, CDK Global, UnitedHealth, etc.), and the SEC has separately pursued enforcement against issuers for misleading or absent disclosures.
● Beispiele
- 01
A retailer files an 8-K Item 1.05 within four business days of determining that a ransomware incident is material, then files amendments as scope is clarified.
- 02
A 10-K Item 106 section describes the board's quarterly cybersecurity oversight cadence, the CISO's reporting line, and the use of an external IR retainer.
● Häufige Fragen
Was ist SEC Cybersecurity Disclosure Rules (2023)?
U.S. Securities and Exchange Commission rules adopted in July 2023 requiring public companies to disclose material cyber incidents on Form 8-K within four business days and to describe their cybersecurity risk management, strategy, and governance annually on Form 10-K. Es gehört zur Kategorie Compliance und Frameworks der Cybersicherheit.
Was bedeutet SEC Cybersecurity Disclosure Rules (2023)?
U.S. Securities and Exchange Commission rules adopted in July 2023 requiring public companies to disclose material cyber incidents on Form 8-K within four business days and to describe their cybersecurity risk management, strategy, and governance annually on Form 10-K.
Wie funktioniert SEC Cybersecurity Disclosure Rules (2023)?
The SEC's Cybersecurity Disclosure Rules, finalized 26 July 2023 and largely effective by December 2023, materially changed cyber-incident reporting for U.S.-listed companies. Public registrants must file Form 8-K Item 1.05 within four business days of determining that a cybersecurity incident is material, describing its nature, scope, timing, and material impact (including reasonably likely impacts). Determination of materiality must be made 'without unreasonable delay'. Annually, the 10-K must include Item 106 disclosures on processes for assessing/managing cyber risk, the role of management and the board in cyber oversight, and any material risks from cyber threats. A narrow law-enforcement-delay carve-out exists when the U.S. Attorney General determines that disclosure would substantially threaten public safety or national security. Foreign private issuers face analogous obligations on Form 6-K and 20-F. Since the rule took effect, dozens of 8-Ks have been filed (MGM Resorts, Clorox, Caesars, ScreenConnect/ConnectWise, Halliburton, CDK Global, UnitedHealth, etc.), and the SEC has separately pursued enforcement against issuers for misleading or absent disclosures.
Wie schützt man sich gegen SEC Cybersecurity Disclosure Rules (2023)?
Schutzmaßnahmen gegen SEC Cybersecurity Disclosure Rules (2023) kombinieren typischerweise technische Kontrollen und operative Praktiken, wie in der Definition oben beschrieben.
Welche anderen Bezeichnungen gibt es für SEC Cybersecurity Disclosure Rules (2023)?
Übliche alternative Bezeichnungen: SEC 8-K Item 1.05, SEC cyber disclosure rule.
● Verwandte Begriffe
- compliance№ 226
Compliance
Die Disziplin, gesetzliche, regulatorische, vertragliche und interne Sicherheitsanforderungen durch dokumentierte Kontrollen, Nachweise und laufende Bewertung einzuhalten.
- forensics-ir№ 582
Incident Response
Strukturierter Prozess zur Vorbereitung, Erkennung, Analyse, Eindämmung, Bereinigung und Wiederherstellung nach Cyber-Sicherheitsvorfällen mit anschließender Auswertung.
- attacks№ 304
Datenschutzverletzung
Bestaetigter Sicherheitsvorfall, bei dem ein Unbefugter auf sensible, geschuetzte oder vertrauliche Informationen zugreift, sie entwendet oder offenlegt.
- compliance№ 1264
Drittparteien-Risikomanagement (TPRM)
End-to-End-Disziplin zur Identifikation, Bewertung, Vertragsgestaltung, Überwachung und Offboarding von Drittparteien, damit die durch sie eingebrachten Cyber-, Betriebs- und Compliance-Risiken im Appetit bleiben.
- compliance№ 290
Cyberversicherung
Spezielle Versicherungssparte, die die finanziellen Folgen von Cyber-Vorfallen — etwa Incident Response, Betriebsunterbrechung und Haftung — auf einen Versicherer ubertragt.
- compliance№ 1043
Risikomanagement
Der koordinierte Prozess zur Identifikation, Analyse, Bewertung, Behandlung, Überwachung und Kommunikation von Risiken, um sie innerhalb der von der Organisation definierten Toleranz zu halten.