Current reporting: Incident disclosure

The Final Rule adds Item 1.05 to Form 8-K to require disclosure of the nature, scope, and timing of a material cybersecurity incident, as well as the material impact or reasonably likely material impact of the incident on a registrant, including its financial condition and results of operations. Such disclosure on Form 8-K is required within four business days after a registrant determines that the incident is material.

The Form 8-K filing may be delayed, for a certain period, if the U.S. Attorney General determines that immediate disclosure of such incident would pose a substantial risk to national security or public safety. In such a situation, the Attorney General would need to notify the SEC about its determination in writing prior to the due date of filing Form 8-K.

A registrant is required to amend its initial Form 8-K to update its incident reporting by disclosing any further information that was either not determined or unavailable at the time of the initial Form 8-K filing within four business days of learning about the new information.

The Final Rule also amends Form 6-K to require a foreign private issuer to disclose information related to a material cybersecurity incident that was disclosed or required to be disclosed in foreign jurisdictions or to any stock exchange or security holders.