The SEC, investment banks and other stakeholders are increasingly focused on cybersecurity in IPO companies given the potential financial, legal and reputational risks. Cyber incidents, whether unintentional events or deliberate attacks on company networks, can have significant impacts on a company, including the loss or theft of valuable company data; the disclosure of sensitive company, customer or personal information; the destruction or corruption of important files; and the disruption of business operations. These impacts may lead to remediation costs, increased cybersecurity protection costs, lost revenue, litigation, regulatory investigations and reputational harm. As a result of these risks, companies need to carefully consider their disclosure obligations—both in the Form S-1 and in post-IPO filings with the SEC—relating to cybersecurity risks and related processes and practices.
In July 2023, the SEC adopted rule amendments to enhance disclosures about cybersecurity risk management, strategy, governance and incident reporting that have led to operational and governance changes for many public companies. The new rules represent a significant expansion…
