How the SEC is Transforming Corporate Cybersecurity Oversight


Corporate cybersecurity is now a non-negotiable priority. How companies prepare for and defend themselves against cyber intrusions has profound implications for their operations, reputation, and bottom line.

Historically, companies have underestimated the magnitude of cybersecurity risks—and in the view of the Securities and Exchange Commission, consistently underreported the material losses caused by cyber intrusions.

Now things have changed. On July 26, the SEC took affirmative steps by adopting rules to ensure public companies aren’t just aware of their cybersecurity risks, but are actively managing them and promptly reporting what in practice will turn out to be the vast majority of incidents.

8-K Item 1.05 mandates that companies disclose “material cybersecurity incidents” and “material aspects of the incident’s nature, scope, timing and impact on operations, revenues or stock price.” New Regulation S-K Item 106 requires companies to provide detailed disclosures about their cybersecurity risk management, strategy, and governance.

In particular, the SEC now requires companies to describe their processes for “assessing, identifying, and managing material risks from…
