Background
On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) adopted final rules relating to enhanced cybersecurity disclosures, which became effective on September 5, 2023 (the “Final Rules”). Beginning in December 2023, the Final Rules will require public companies to promptly disclose material cybersecurity incidents and information regarding their cybersecurity risk management, strategy, and governance.This alert focuses on practical preparation tools for companies facing compliance with the requirements of the Final Rules.
Preparation for the Final Rules
In light of the changes brought by the Final Rules, public companies should consider the following actions:
- Review Existing Vendor Contracts. Companies should review protections in existing vendor contracts that address cybersecurity incidents and determine whether any contractual revisions or changes are needed to accommodate the Final Rules. Such revisions may include adding express provisions to address claims or liabilities arising from the required disclosures under new Item 1.05 of Form 8-K, which requires disclosure within four business days if a registrant experiences a “cybersecurity incident”…
