The Securities and Exchange Commission has adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. The Commission also adopted rules requiring foreign private issuers to make comparable disclosures. The rules potentially will affect automakers’ use of customer data regarding how they gather it and keep it secure. Data breaches are an ongoing problem in the auto industry that will now become public. (AutoInformed: Hack Attacks – Connected Vehicle Cyber Security Lags; Do No Harm – Center for Auto Safety Drafts AV Bill of Rights; FBI with a Tesla Employee’s Help Stops Malware Attack)
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
The rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant’s annual report on Form 10-K.
The rules require comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.
The final rules will become effective 30 days following publication of the adopting release in the Federal Register. The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure. With respect to compliance with the structured data requirements, all registrants must tag disclosures required under the final rules in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.
About Ken Zino
Ken Zino, editor and publisher of AutoInformed, is a versatile auto industry participant with global experience spanning decades in print and broadcast journalism, as well as social media. He has automobile testing, marketing, public relations and communications experience. He is past president of The International Motor Press Assn, the Detroit Press Club, founding member and first President of the Automotive Press Assn. He is a member of APA, IMPA and the Midwest Automotive Press Assn.
He also brings an historical perspective while citing their contemporary relevance of the work of legendary auto writers such as Ken Purdy, Jim Dunne or Jerry Flint, or writers such as Red Smith, Mark Twain, Thomas Jefferson – all to bring perspective to a chaotic automotive universe.
Above all, decades after he first drove a car, Zino still revels in the sound of the exhaust as the throttle is blipped during a downshift and the driver’s rush that occurs when the entry, apex and exit points of a turn are smoothly and swiftly crossed. It’s the beginning of a perfect lap.
AutoInformed has an editorial philosophy that loves transportation machines of all kinds while promoting critical thinking about the future use of cars and trucks.
Zino builds AutoInformed from his background in automotive journalism starting at Hearst Publishing in New York City on Motor and MotorTech Magazines and car testing where he reviewed hundreds of vehicles in his decade-long stint as the Detroit Bureau Chief of Road & Track magazine. Zino has also worked in Europe, and Asia – now the largest automotive market in the world with China at its center.
SEC Issues Rules on Cybersecurity Risks
The Securities and Exchange Commission has adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. The Commission also adopted rules requiring foreign private issuers to make comparable disclosures. The rules potentially will affect automakers’ use of customer data regarding how they gather it and keep it secure. Data breaches are an ongoing problem in the auto industry that will now become public. (AutoInformed: Hack Attacks – Connected Vehicle Cyber Security Lags; Do No Harm – Center for Auto Safety Drafts AV Bill of Rights; FBI with a Tesla Employee’s Help Stops Malware Attack)
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
The rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant’s annual report on Form 10-K.
The rules require comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.
The final rules will become effective 30 days following publication of the adopting release in the Federal Register. The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure. With respect to compliance with the structured data requirements, all registrants must tag disclosures required under the final rules in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.
About Ken Zino
Ken Zino, editor and publisher of AutoInformed, is a versatile auto industry participant with global experience spanning decades in print and broadcast journalism, as well as social media. He has automobile testing, marketing, public relations and communications experience. He is past president of The International Motor Press Assn, the Detroit Press Club, founding member and first President of the Automotive Press Assn. He is a member of APA, IMPA and the Midwest Automotive Press Assn. He also brings an historical perspective while citing their contemporary relevance of the work of legendary auto writers such as Ken Purdy, Jim Dunne or Jerry Flint, or writers such as Red Smith, Mark Twain, Thomas Jefferson – all to bring perspective to a chaotic automotive universe. Above all, decades after he first drove a car, Zino still revels in the sound of the exhaust as the throttle is blipped during a downshift and the driver’s rush that occurs when the entry, apex and exit points of a turn are smoothly and swiftly crossed. It’s the beginning of a perfect lap. AutoInformed has an editorial philosophy that loves transportation machines of all kinds while promoting critical thinking about the future use of cars and trucks. Zino builds AutoInformed from his background in automotive journalism starting at Hearst Publishing in New York City on Motor and MotorTech Magazines and car testing where he reviewed hundreds of vehicles in his decade-long stint as the Detroit Bureau Chief of Road & Track magazine. Zino has also worked in Europe, and Asia – now the largest automotive market in the world with China at its center.