SEC Cybersecurity Disclosure Rules (2023)
What are the SEC Cybersecurity Disclosure Rules (2023)?
U.S. Securities and Exchange Commission rules adopted in July 2023 requiring public companies to disclose material cyber incidents on Form 8-K within four business days and to describe their cybersecurity risk management, strategy, and governance annually on Form 10-K.
The SEC's Cybersecurity Disclosure Rules, finalized 26 July 2023 and largely effective by December 2023, materially changed cyber-incident reporting for U.S.-listed companies. Public registrants must file Form 8-K Item 1.05 within four business days of determining that a cybersecurity incident is material, describing its nature, scope, timing, and material impact (including reasonably likely impacts). The materiality determination itself must be made 'without unreasonable delay'. Annually, the 10-K must include Item 106 disclosures on processes for assessing and managing cyber risk, the role of management and the board in cyber oversight, and any material risks from cyber threats. A narrow law-enforcement-delay carve-out exists when the U.S. Attorney General determines that disclosure would substantially threaten public safety or national security. Foreign private issuers face analogous obligations on Forms 6-K and 20-F. Since the rule took effect, dozens of 8-Ks have been filed (MGM Resorts, Clorox, Caesars, ScreenConnect/ConnectWise, Halliburton, CDK Global, UnitedHealth, etc.), and the SEC has separately pursued enforcement against issuers for misleading or absent disclosures.
● Examples
- 01
A retailer files an 8-K Item 1.05 within four business days of determining that a ransomware incident is material, then files amendments as scope is clarified.
- 02
A 10-K Item 106 section describes the board's quarterly cybersecurity oversight cadence, the CISO's reporting line, and the use of an external IR retainer.
● Frequently asked questions
What are the SEC Cybersecurity Disclosure Rules (2023)?
U.S. Securities and Exchange Commission rules adopted in July 2023 requiring public companies to disclose material cyber incidents on Form 8-K within four business days and to describe their cybersecurity risk management, strategy, and governance annually on Form 10-K. They belong to the Compliance and frameworks category of cybersecurity.
What are other names for the SEC Cybersecurity Disclosure Rules (2023)?
Common alternative names: SEC 8-K Item 1.05, SEC cyber disclosure rule.
● Related terms
- compliance № 226
Regulatory compliance
Discipline that ensures adherence to legal, regulatory, contractual and internal security requirements through documented controls, evidence and continuous assessment.
- forensics-ir № 582
Incident response
Organized process for preparing for, detecting, analyzing, containing, eradicating and recovering from cybersecurity incidents, while also capturing lessons learned.
- attacks № 304
Data breach
Confirmed security incident in which an unauthorized party accesses, exfiltrates or discloses sensitive, protected or confidential information.
- compliance № 1264
Third-party risk management (TPRM)
Comprehensive discipline of identifying, assessing, contracting, monitoring and offboarding third parties so that the cyber, operational and compliance risks they introduce remain within risk appetite.
- compliance № 290
Cyber insurance
Specialized insurance product that transfers the financial impact of cyber incidents (response, business interruption and liability) to an insurer.
- compliance № 1043
Risk management
Coordinated process of identifying, analyzing, evaluating, treating, monitoring and communicating risks to keep them within the tolerance defined by the organization.