The SEC’s new cybersecurity risk management, strategy, governance, and incident disclosure rules, which require increased transparency around cybersecurity incidents, have been in effect since December 18, 2023. For businesses that already harbor concerns over their cybersecurity protections, visibility, and incident response preparedness, meeting the SEC’s new incident reporting rules can be a serious challenge. Crucially, these rules impact private enterprises as well as publicly traded corporations, calling for organizations of all shapes and sizes to examine and potentially revise their practices.
Let’s take a deeper look at the SEC’s new rules, their implications, and the steps businesses can take to streamline reporting and successfully adapt to this change.
The new rules
Under the SEC’s new cybersecurity rules, public companies must report any material incident (defined as an incident that a reasonable investor would likely consider important) within four business days of becoming aware of it. Companies must also now file a report if a series of previously undisclosed incidents share a common factor that points to a material cybersecurity issue, such as…