Cybersecurity – Cracking the Code on Upcoming Disclosures | Goodwin

As annual reporting season begins, it is important to take a fresh look at the company’s governance and incident response processes and develop risk-informed and compliant disclosures. While many companies are understandably focused on the new requirement for cybersecurity risk management-related disclosures under Item 106 of Regulation S-K (Risk Management, Strategy, and Governance Disclosure), companies should revisit all of their cybersecurity-related disclosures ahead of filing their annual reports with the U.S. Securities and Exchange Commission (SEC). This article is intended to be a practical guide to begin assessing whether any additional or revised disclosure is required.

Why It Is Important to Revisit All Cybersecurity Disclosures

The SEC’s Division of Enforcement has been, and we expect it will continue to be, focused on cybersecurity-related investigations and enforcement actions. These enforcement actions indicate that, particularly if a company experiences a material cybersecurity incident, the SEC will likely carefully review and compare the company’s SEC filings and other public statements to assess the accuracy and completeness of the company’s…
