On December 14, 2023, Erik Gerding, Director, Division of Corporation Finance at the Securities and Exchange Commission (“SEC”) gave a speech on the SEC’s final rules (the “Final Rule(s)”) regarding cybersecurity risk management, strategy, governance and incident reporting for public companies. The Final Rules require public companies to disclose material cybersecurity incidents they experience on a near real-time basis on Form 8-K and material information regarding their cybersecurity risk management, strategy, and governance on an annual basis in Form 10-K. The Final Rules are currently effective with compliance with the material cybersecurity incident disclosure requirements generally required after December 18, 2023.
Mr. Gerding explained that the SEC staff considered the comment letters it received related to the proposed rule as it evaluated what changes to make in the Final Rule, all with the goal of developing rules that advance the SEC’s aim to protect investors and facilitate capital formation. Mr. Gerding’s speech went on to address the following topics:
- An overview of the Final Rule and its rationale;
- The cybersecurity incident disclosure…
