Earlier this summer, the Securities and Exchange Commission (SEC) published new guidance intended to help public companies comply with the rule it finalized last year requiring disclosure of material cybersecurity events to investors. Here is what public company risk professionals need to know about the new guidance.
Five hypothetical questions
In July 2023, the SEC finalized its rule on public company cybersecurity risk management, governance, and incident reporting. Under the finalized rule, U.S. exchange-listed companies are required to disclose any cybersecurity incident they determine to be material within four business days of that materiality determination. The disclosure must describe the incident's nature, scope, and timing, and its material impact or reasonably likely material impact on the company.
Under the rule, public companies are also required to disclose, on an annual basis, information about their risk management strategies. Companies must report on their internal processes and governance structures for assessing, identifying, and managing material cybersecurity threats.
On June 24, 2024, the SEC provided additional guidance on companies’ specific responsibilities under the rule….