It feels like ever since GDPR went live in 2018, there’s been a new data privacy law every other day. Recently, the Securities and Exchange Commission (SEC) adopted a new data privacy law that will “standardize and enhance” cybersecurity incident and risk disclosures. Essentially, if you’re a public company based in the U.S. or a foreign private issuer, you’ll soon have to start filing cybersecurity disclosures with the SEC.
This new mandate can be an overload of information for your already overburdened legal team, so here’s the breakdown of what you need to know about the SEC’s new data privacy law.
Rundown of the SEC's new cybersecurity law
Under the SEC’s new data privacy law, domestic public companies and foreign private issuers (FPIs) have to file Form 8-K and Form 6-K, respectively, to report material cybersecurity incidents. Your disclosure will include details on the nature, timing, and scope of the incident, as well as how the incident impacted your company.
Once you determine that a cybersecurity incident is material (that is, one an investor would find important), you have four days to report it to the SEC. In certain cases, the United States Governor General can postpone a disclosure if it would threaten national security or public safety.
In addition to per-incident disclosures, the SEC also requires you to disclose your company’s cybersecurity risk management practices and strategies. This means reporting on how your company evaluates, recognizes, and regulates material risk, explaining your board’s role in risk oversight, and describing how management teams help to assess cyberthreats.
To make these annual disclosures, your public U.S.-based company will file Item 106 on Form 10-K. If you’re an FPI, you’ll file Item 16-K on Form 20-F. If the SEC’s new data privacy law applies to your company, you must file your first annual disclosure for the fiscal year ending on or after December 15.
FYIs for smaller reporting companies (SRCs)
In some cases, the SEC’s new data privacy law allows smaller reporting companies (SRCs) a bit more wiggle room in reporting cybersecurity incidents.
For example, while non-SRCs have to comply with Form 8-K and Form 6-K disclosures by December 18, 2023, SRCs have an additional six months (June 15, 2024) to comply.
Implementation of final rules
The final rules become effective 30 days after they’re published in the Federal Register. Remember — your company has to tag your disclosures in your Inline eXtensible Business Reporting Language (XBRL) to fulfill the structured data requirements. Thankfully, you won’t have to start tagging disclosures until December 2024, so you have plenty of time to prepare.
Takeaways
If you aren’t already, now is the time to get serious about cybersecurity. The SEC’s new data privacy law is essentially a forcing function to get companies to start thinking critically about cybersecurity and prepare for various potential outcomes.
Start preparing for these changes as soon as possible for the best chances of success. Establish internal control for managing cybersecurity incidents, and set up your technology and infrastructure to support your risk management processes. LinkSquares CLM can help you maintain compliance and act quickly in the face of a cybersecurity threat. See for yourself — contact us today.