This summer, the Securities and Exchange Commission (SEC) adopted rules to enhance and standardize disclosures by public companies regarding cybersecurity risk management, strategy, governance, and incidents.  

The rules will impose a number of new requirements, including disclosures regarding:

  • Material cybersecurity incidents, which must be made within four (4) business days – a tight timeline that will compel subject companies to efficiently conduct their preliminary investigation of cybersecurity incidents so that they are prepared to make disclosures regarding the nature, scope, and timing of such incidents, as well as their material or reasonably likely impact on the company.  Subject companies will also need to provide updates regarding previously reported cybersecurity incidents in their periodic reports.
  • The subject company’s policies and procedures to identify and manage cybersecurity risks.  In advance of making such disclosures, many organizations will likely need to enhance their cybersecurity safeguards and practices, ensure those safeguards and practices are adequately documented in policies and procedures, or both.
  • The roles played by (a) management in implementing cybersecurity policies and procedures and (b) the board of directors in overseeing the organization’s cybersecurity program.  For some companies, these requirements will likely prompt an assessment of whether management and the board are sufficiently involved in implementing and overseeing the company’s cybersecurity program and have the requisite expertise to do so effectively.   

The new rules were published on August 4, 2023, and took effect September 5, 2023.  Incident-specific disclosures will be required either 90 days after the rule’s August 4, 2023 publication date or December 18, 2023, whichever is later, though smaller companies will have an additional 180 days before they are required to begin providing disclosures. Companies whose fiscal years end on or after December 15, 2023, will be required to provide the annual disclosures beginning with their 2023 Form 10-K or 20-F.

If you have questions about the SEC Cybersecurity Disclosures or related issues, please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.