
SEC finalizes cybersecurity rules

Defining Issues | May 2024

KPMG summarizes the SEC’s recent cybersecurity rules and subsequent clarifications.


May 21, 2024 Update: Erik Gerding, Director of the Division of Corporation Finance, issued a statement clarifying the disclosure requirements for cybersecurity incidents. The statement emphasized that registrants must disclose material cybersecurity incidents under Item 1.05 of Form 8-K. A registrant also may choose to disclose incidents for which it has not yet made a materiality determination or that are determined to be immaterial, but they should do so under a different item of Form 8-K, such as Item 8.01.

The SEC does not want to discourage voluntary reporting of cybersecurity incidents, but rather aims to prevent investor confusion and ensure investors can distinguish between material and immaterial cybersecurity incidents.

The statement also highlights the importance of considering qualitative factors, alongside quantitative factors, when assessing the impact of a cybersecurity incident.

The final rules became effective September 5, 2023 and require disclosure of material cybersecurity incidents on Form 8-K Item 1.05. The rules also require disclosure on Form 10-K of a registrant’s processes to assess, identify and manage material risks from cybersecurity threats (including management’s role in assessing and managing material risks from cybersecurity threats) as well as the board of directors’ oversight.

On December 12, 2023, the SEC staff released Compliance & Disclosure Interpretations (C&DIs) providing guidance about the deadlines for a registrant to file an Item 1.05 Form 8-K when the registrant has requested the Attorney General authorize the deferral of the filing because disclosure of the incident on Form 8-K poses a substantial risk to national security or public safety.

On December 14, 2023, the SEC staff released a further C&DI to clarify that consulting with the Department of Justice regarding the availability of such a delay does not necessarily result in the determination that the incident is material.

Applicability

Release Nos. 33-11216; 34-97989; File No. S7-09-22

  • Public companies subject to the Securities Exchange Act of 1934 – excluding certain Canadian foreign private issuers and asset-backed securities issuers.

Relevant dates

The final rules became effective September 5, 2023, and require the following:

  • All registrants must provide disclosures in Regulation S-K Item 106 and comparable items in Form 20-F beginning with annual reports for fiscal years ending on or after December 15, 2023.
  • All registrants – other than smaller reporting companies – must begin complying with the incident disclosure requirements in Form 8-K Item 1.05 and in Form 6-K on December 18, 2023.
  • Smaller reporting companies must begin complying with Form 8-K Item 1.05 on June 15, 2024.

Inline XBRL compliance begins one year after the initial compliance date for any issuer for the related disclosure requirement. Specifically:

  • For Regulation S-K Item 106 and Form 20-F, all registrants must begin tagging disclosures in Inline XBRL beginning with annual reports for fiscal years ending on or after December 15, 2024.
  • For Form 8-K Item 1.05 and Form 6-K, all registrants must begin tagging disclosures in Inline XBRL beginning December 18, 2024.

Key impacts

The SEC issued a Fact Sheet summarizing the key provisions of the final rules. The cybersecurity disclosure guidance issued by the SEC staff in 2011 and by the Commission in 2018 supplements the final rules.

The Director of the Division of Corporation Finance released a statement on May 21, 2024 to provide clarification and guidance on how to disclose material and immaterial cybersecurity incidents on Form 8-K to prevent investor confusion.

Material cybersecurity incidents to be reported on Form 8-K

Under new Item 1.05 of Form 8-K, registrants must disclose information about a material cybersecurity incident within four business days after the registrant determines that the incident was material.

This information includes:

  • A description of the material aspects of the nature, scope, and timing of the incident.
  • The material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.

A registrant may delay providing the disclosures for an initial period of 30 days at the determination of the US Attorney General, if it is determined that the disclosures pose a substantial risk to national security or public safety. Additional requests for delay may be acceptable in certain circumstances.

Updated incident disclosures on an amended Form 8-K are required for any new information about a previously disclosed material incident that was unavailable or undetermined at the time of the initial Form 8-K filing.

In the May 2024 statement, SEC Corp Fin Director Erik Gerding emphasized a registrant should not disclose under Item 1.05 of Form 8-K a cybersecurity incident that is not yet determined to be material or is determined to be immaterial. Instead, a registrant may voluntarily disclose those incidents under a different item of Form 8-K, such as Item 8.01. In cases where a registrant initially discloses an immaterial incident or one for which materiality has not been determined under Item 8.01 of Form 8-K, but subsequently determines it to be material, the registrant should file an Item 1.05 Form 8-K within four business days of the subsequent materiality determination.

When a cybersecurity incident is so significant that a registrant determines the incident to be material, even though the registrant has not yet determined its impact (or reasonably likely impact), the registrant should disclose the incident in an Item 1.05 Form 8-K. In that case, the registrant includes a statement that it has not yet determined the impact (or reasonably likely impact) of the incident and amends the Form 8-K to disclose the impact once that information is available. The initial Form 8-K filing should provide investors with necessary information about the nature, scope, and timing of the incident, even if the impact (or reasonably likely impact) is not yet determined.

The statement also emphasizes the importance of considering qualitative factors when assessing the impact of a cybersecurity incident. Registrants should not limit their materiality assessment to the impact on financial condition and results of operations but should also consider factors such as harm to reputation, customer or vendor relationships, competitiveness, and the possibility of litigation or regulatory investigations.

Overall, the Director’s statement aims to provide clarity and guidance to registrants on the disclosure requirements for cybersecurity incidents. It is not intended to discourage registrants from voluntarily disclosing cybersecurity incidents for which they have not yet determined materiality or incidents they consider immaterial. Such voluntary disclosures are recognized as valuable to investors, the marketplace, and registrants. However, registrants are encouraged to make these voluntary disclosures in a manner that does not confuse investors or dilute the value of disclosures regarding material cybersecurity incidents.

Cybersecurity risk management, strategy and governance disclosures

Risk management and strategy

Registrants must provide in their Form 10-K a description of their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, including whether:

  • The described cybersecurity processes have been integrated into the registrant’s overall risk management system or processes, and how.
  • The registrant engages assessors, consultants, auditors or other third parties in connection with such processes.
  • The registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.

Registrants must also describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant (including its business strategy, results of operations, or financial condition) and, if so, how.

Governance

The final rules require disclosures about the board of directors’ oversight of risks from cybersecurity threats and management’s role in assessing and managing material risks from cybersecurity threats.

Foreign Private Issuers

The final rules align incident reporting and periodic disclosures of FPIs on Forms 6-K and 20-F with those required for domestic registrants.

Structured data requirements

The final rules require registrants to report and disclose cybersecurity information in Inline XBRL format.

Compliance with the structured data requirements is delayed for one year beyond initial compliance with the related disclosure requirement.

C&DIs

In December 2023, the SEC staff issued four new C&DIs (Questions 104B.01 to 104B.04) to provide implementation guidance about the deadlines for allowable delays for a registrant to file its Form 8-K when the registrant has submitted a request for the Attorney General to authorize the deferral of the filing because disclosure of the incident would pose a substantial risk to national security or public safety.

The SEC staff also clarified that:

  • consulting with the Attorney General about the possibility of a delay does not necessarily result in a determination that the incident was material; and
  • registrants are not precluded from consulting with the Attorney General, or other law enforcement or national security agencies, at any point regarding an incident.

Download the document: SEC issues rules – Enhancing cybersecurity disclosures (PDF)
