Key Actions for Public Companies under the SEC’s New Cybersecurity Rules | Venable LLP

[co-author: Tanvi Chopra]

On July 26, 2023, the Securities and Exchange Commission (SEC) adopted a final rule intended to augment and standardize disclosures regarding cybersecurity risk management, governance, and incident reporting. The new rule imposes additional disclosure requirements for U.S. reporting issuers and foreign private issuers, including all companies with stock traded on U.S. exchanges (public companies). This post focuses on three of the key actions public companies must take under the new rule:

  1. Incidents – Disclose material cybersecurity incidents on Form 8-K within four business days of determining the incident is material, and disclose any material updates on an ongoing basis.
  2. Risk management – Disclose the processes for assessing, identifying, and managing material risks from cybersecurity threats in an annual report on Form 10-K.
  3. Governance – Disclose the board of directors’ oversight and management’s role in assessing and managing material cybersecurity risk in an annual report on Form 10-K.

The SEC adopted analogous disclosure requirements for foreign private issuers to be disclosed on Forms 6-K and 20-F.

Compliance Dates

The final rule…
