CPA FAR Exam Changes-July 2025-Interim Financial Reporting-SEC Rule 33-11216-S-K by Darius Clark

#cpaexam
https://course.i75cpa.com/course/dari...
Cyberattacks like data breaches or ransomware attacks are becoming more common and can seriously affect a company’s performance and investor confidence.
The SEC wants investors to be better informed about:
Major cybersecurity breaches.
How companies manage cybersecurity risks.
What kind of governance (i.e., oversight) is in place.
The rule changes what companies must include in their Form 10-K and Form 10-Q, and also 8-K reports.
According to SEC Rule 33-11216, Companies must now include new information in their annual report, including:
How they manage cybersecurity risk.
Whether the board of directors oversees cybersecurity.
What role management plays in cybersecurity decisions.
Any processes or strategies used to reduce cyber risks.
This is meant to give investors a big-picture view of the company’s cyber resilience.
If a material cybersecurity incident occurs (e.g., a serious data breach), the company must report it quickly using a Form 8-K (within 4 business days of determining it's material).
This report must include:
What happened (briefly).
What part of the company is affected.
How it might impact the business.
Then, in the next 10-Q, the company must provide updates on any prior incidents.
When a company experiences a cybersecurity incident, it’s required to file a Form 8-K within 4 business days of determining that the incident is material.
BUT — if disclosing the incident would pose a substantial risk to national security or public safety, the company can delay the disclosure for 30 days only if:
The U.S. Attorney General (AG) agrees that disclosure would pose such a risk. The AG provides written notice supporting the delay.
The SEC rule requires Inline XBRL tagging for structured, machine-readable disclosures”
SEC Rule 33-11216 requires public companies to format their cybersecurity disclosures using Inline XBRL (iXBRL).This means the disclosures must be:
Human-readable (you see the text in a normal 10-K or 10-Q)
Machine-readable (behind the scenes, computers can extract the tagged data)
Unlike traditional XBRL (which was a separate file), Inline XBRL embeds the data directly inside the HTML filing, so there’s no separate upload.
Regulation S-K Item 106 is the section of Rule 33-11216 that tells companies what cybersecurity disclosures must go into their regular filings. It is the heart of the reporting framework created by SEC Rule 33-11216.