The Securities and Exchange Commission (SEC) finalized cybersecurity rules this week for public companies centered on disclosure requirements for material cybersecurity incidents, as well as periodic reporting regarding cybersecurity risk management, strategy, and governance. Originally proposed in March 2022, these extensive rules received significant industry feedback and more than 150 comment letters during the last year.
In a statement following the adoption of the rules, SEC Chair Gary Gensler remarked, “[w]hether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors.” Gensler continued, “Many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
New disclosure requirements
The new rules require companies to disclose in a Form 8-K any cybersecurity incident they…
