The SEC’s proposed and final cyber disclosure rules are animated by the SEC’s belief that investors need a lot more information about cyber risks and cyber breaches than what they have been getting.
It’s worth reading the final rules release, which is well written. While many of us will not agree with the SEC’s reasoning in all cases, it’s very helpful that the SEC articulated its thinking so clearly.
In a piece of good news, the SEC took some suggestions on its new cyber disclosure rules from the more than 150 comment letters it received.
Nevertheless, the final rules remain a serious and prescriptive expansion of the prior disclosure regimes. Numerous law firms have published excellent memoranda that detail the new rules, including Cooley, Fenwick, Gibson, Goodwin, Jenner, Skadden, and Wilson Sonsini.
Details are important. This article, however, will focus on framing the big-picture items that public company directors and officers (including of foreign filers) need to understand to manage and oversee the new disclosure requirements.
I will also discuss D&O liability risk concerns and steps to take to mitigate these risks.
