Judging Materiality Most Difficult Part of Cybersecurity Incident Disclosure

The final rules requiring disclosure of cybersecurity breaches may push public companies to do a better job of managing cyber risks, but they will also require companies to judge the material effects of a cyberattack carefully.

Adopted on July 26 despite dissents from two commissioners, the cybersecurity risk management, strategy, and governance rules are meant to make company-reported information on cyber incidents and cybersecurity risk management consistent and comparable.

The two-pronged rule covers 8-K reporting of material cybersecurity incidents within four business days of their being deemed “material,” and a new 10-K regulation that requires the issuer to report its process for identifying material cyber risks, along with management’s role and expertise in assessing and managing the risks arising from cybersecurity threats. (The disclosure must also describe the board of directors’ oversight of cybersecurity risks.)

“The key driver for regulators remains the undeniable fact that cyber events can have demonstrably material effects on major companies throughout the economy,” said Jamie Gerber, CFO of SimSpace, a provider of…
