Entities in the energy industry are subject to a vast amount of reporting regulations. Earlier this year, the Securities and Exchange Commission (SEC) finalized rules regarding the disclosure of cybersecurity attacks, adding another layer of reporting for energy companies. However, prior to that, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which established further reporting requirements specific to certain covered entities, but also created a new council tasked with harmonizing federal incident reporting requirements.
THE SEC’S NEW RULES ON CYBERSECURITY DISCLOSURES
On July 26, 2023, the SEC adopted final rules and amendments (the Final Rules) for mandating disclosure regarding cybersecurity risk management, strategy, governance, and incident reporting. Effective September 5, 2023, the rules require real-time disclosure of material cybersecurity incidents, as well as ongoing disclosure regarding a company’s cybersecurity risk management, strategy, and governance, as well as board of directors’ cybersecurity expertise.
The rules were adopted to address the increasing prevalence of cyber incidents, as well as companies’…
