As you know, the SEC adopted final rules on cybersecurity disclosure on July 26, with compliance dates tied to publication in the Federal Register. (See this PubCo post.) Those rules were published on August 4 with compliance dates spelled out in the published release.
As stated in the Federal Register:
“The final rules are effective September 5, 2023. With respect to Item 106 of Regulation S–K and item 16K of Form 20–F, all registrants must provide such disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023. With respect to compliance with the incident disclosure requirements in Item 1.05 of Form 8–K and in Form 6–K, all registrants other than smaller reporting companies must begin complying on DECEMBER 18, 2023. As discussed above, smaller reporting companies are being given an additional 180 days from the non-smaller reporting company compliance date before they must begin complying with Item 1.05 of Form 8–K, on June 15, 2024.
With respect to compliance with the structured data requirements, as noted above, all registrants must tag disclosures required under the final rules in Inline XBRL beginning one year after the initial compliance date for any issuer for the related disclosure requirement. Specifically:
- For Item 106 of Regulation S–K and item 16K of Form 20–F, all registrants must begin tagging responsive disclosure in Inline XBRL beginning with annual reports for fiscal years ending on or after December 15, 2024; and
- For Item 1.05 of Form 8–K and Form 6–K all registrants must begin tagging responsive disclosure in Inline XBRL beginning on DECEMBER 18, 2024.”