New SEC cyber rules are go…


New cybersecurity disclosure rules from the SEC take effect today. They oblige listed companies to disclose “material” cybersecurity incidents within four days and detail oversight of cyber risk by boards.

Initial proposals that would have forced companies to specifically detail board cybersecurity expertise and who their CISO reports to were dropped to “streamline” the rules amid an industry backlash.

Yet the rules, an evolution of the SEC’s 2018 guidance, represent a real shift in breach disclosure requirements, especially for public companies. (They come amid growing focus from regulators on cyber risk, with enforcement of Europe’s “DORA” also due to take effect in January 2025.)

The new SEC Rules: In brief

Under Item 1.05 of Form 8-K, firms need to disclose any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing. The disclosure is due four business days after a registrant determines that a cybersecurity incident is material. It can be…
