Recently, in advance of the effective date (December 18, 2023), the Director of the SEC’s Division of Corporation Finance provided additional guidance regarding the final rules relating to cybersecurity incident disclosure and cybersecurity risk management, strategy and governance. The Director noted his remarks were intended to “clear up potential misconceptions.” The comments reiterate the observations in the adopting release that the final rules are intended to improve the consistency of disclosure practices among issuers and to promote comparability of disclosures. In commenting on the requirement relating to cybersecurity incidents, the Director notes that the final requirement is “focused on the material impacts of a material cybersecurity incident.” He also noted that the final rules are narrower than the original proposal and reflect the SEC’s effort to balance the need for disclosure with the risks associated with disclosing information that might provide a road map for threat actors.
The Director also underscored the importance of the materiality standard—referring to it as a touchstone of securities laws. He noted that the SEC in the…
