Cybersecurity Disclosure Rules from Securities Exchange Commission

As companies face the onslaught of increasingly sophisticated cyber-attacks that have intensified with the rise of the post-pandemic remote workforce, heavy reliance on technology and third-party vendors, and the disruptive geopolitical landscape, they are now required to publicly report cybersecurity incidents within four business days under the SEC’s new cybersecurity disclosure rule. Failure to do so may expose companies to liability, regulatory enforcement actions and class action litigation.

Overview

In March 2022, the U.S. Securities and Exchange Commission (SEC) proposed new rules mandating that public companies disclose cybersecurity risk management, governance and material cybersecurity incidents. The final rules went into effect September 5, 2023. As of December 18, 2023, companies must disclose material cybersecurity incidents in Form 8-K Item 1.05 within four (4) days (Cybersecurity Incident Disclosure Rule). In addition, companies must provide cybersecurity risk management disclosures in Regulation S-K Item 106 beginning with annual reports for fiscal years ending on or after December 15, 2023 (Cybersecurity Risk Management Disclosure Rule).

The SEC’s…