This is an automated archive.

The original was posted on /r/cybersecurity by /u/NippleRingNora on 2023-08-15 13:27:40+00:00.


Looking for some more information on the rule changes the SEC made regarding cybersecurity disclosures. I can’t find anything about what the previous rules on disclosures were.

It appears that such disclosures were already required since 2011. If so, what’s the real change? Is it a template form for disclosures (Form 8-K Item 1.05)? Btw, I can only find Form 8-K without a 1.05, the old version. Anyone know where the new one can be found?

There appears to be a *new* requirement for annually discussing a firm’s information security risk management along with financial status within the 10-K and 10-Q filings. These seem very general and even use the term, “if any”, when talking about reporting management of cybersecurity threats. I envision companies will readily utilize the, “We take information security very seriously and use state of the art cybersecurity threat management processes,” phrasing ad nauseam.

Also, when a company files the future Form 8-K with the SEC (generally 4 days after a material incident has been confirmed), is that immediately public? Or does the SEC hold onto it for a certain period of time before publicizing it?