Cyber Incident Reporting Obligations for Public Companies under the SEC’s New Cybersecurity Rules | Burr & Forman


The U.S. Securities and Exchange Commission (SEC) recently adopted a final rule regarding cybersecurity risk management, governance, and incident reporting. The final rule went into effect on September 5, 2023, and disclosure requirements apply to fiscal years ending on or after December 15, 2023.

The new rule imposes additional disclosure requirements on U.S. reporting issuers and foreign private issuers, including all public companies. Under the new rule, public companies must:

  • Disclose cyber incidents within four business days of determining that the incident is material;
  • Disclose the process for assessing, identifying and managing material risks from cybersecurity threats in an annual report on Form 10-K;
  • Disclose the Board of Directors’ oversight and management role in assessing and managing material cybersecurity risk in an annual report on Form 10-K.

The focus on director oversight is significant. Moving forward, boards will need to be well-informed about the company’s risk management strategies and preparedness for addressing cyber incidents effectively.

What is a “material” cybersecurity incident?

The SEC cybersecurity rules describe a material incident…
