The rules on reporting cybersecurity risks and incidents pose many challenges for companies. Those challenges can be even more difficult when the cybersecurity incident affects third-party systems. Because the new cybersecurity reporting regulations make no exception for third-party cybersecurity incidents, companies should take proactive steps to assess and respond appropriately to cybersecurity incidents at third parties.
The SEC’s New Cyber Risk Regulations
In July 2023, the U.S. Securities and Exchange Commission (“SEC”) promulgated new regulations (“Cyber Risk Regulations”) that, among other things, require public companies to report cybersecurity incidents within four business days of a materiality determination via Item 1.05(a) on Form 8-K. See SEC Adopts Final Cybersecurity Risk Management and Incident Disclosure Regulations, from our colleagues at Privacy World.
The Cyber Risk Regulations require companies to evaluate and report “material” cybersecurity risks and incidents in a timely and consistent manner. The SEC has refused to provide a cybersecurity-specific definition of materiality, opting instead to lean on the materiality standard articulated by the…