New SEC cybersecurity incident disclosure requirements go into force in coming days

New cybersecurity disclosure requirements mandated by the U.S. Securities and Exchange Commission will go into force in coming days, requiring companies to disclose cybersecurity incidents, with some exceptions, within four days of their occurrence.

There are two components to the disclosure rules. The first is mandatory reporting of “material” cybersecurity incidents. Incidents would be disclosed via an 8-K form and must be reported within four business days of the incident. The second component requires companies to disclose their policies to manage cybersecurity risk, including providing updates on previously reported material cybersecurity incidents.

The requirements include describing the nature and scope of the incident, the impact on the company’s operations and any remedial actions taken. Additionally, companies must disclose their cybersecurity risk management, strategy and governance in annual reports. Companies are required to describe their policies and procedures to identify and manage cybersecurity risks, the role of the board of directors in overseeing these risks and management’s role in implementing cybersecurity policies and…
