Following the release of much-anticipated cybersecurity reporting guidelines for public companies, questions may persist about specifics of the new rules. Attorney David M. Lynn of Morrison & Foerster dives into all the details.
In July, the SEC adopted long-awaited amendments to its rules to require disclosure about cybersecurity risk management, strategy, governance and incident reporting by public companies. The SEC’s rulemaking action capped off over a decade of SEC guidance and enforcement interest relating to the disclosure of cybersecurity risks and incidents.
These new disclosure rules will require companies to evaluate and adapt their disclosure controls and procedures, management processes and governance structures around cybersecurity to prepare for the new environment of transparency in this critical area.
Background of the SEC’s cybersecurity disclosure requirements
In March 2022, the SEC proposed amendments to its rules to require real-time disclosures of material cybersecurity incidents, as well as disclosures regarding cybersecurity risk management, strategy and governance. The SEC received over 150 comment letters in response to the proposal. The SEC’s rulemaking action followed a dozen years of guidance on cybersecurity disclosures from the SEC, as well as a focus on…
