It’s official. Last week, the SEC issued rules requiring public companies to report what the agency calls “material” cybersecurity incidents within four business days. Baker Donelson’s Alisa Chestler breaks down what’s in the new rules and explores what companies should do from here.
On July 26, the SEC passed rules regarding reporting “material cybersecurity incidents” within four business days of the determination, which will surely vex companies for years to come. Public companies and their third-party vendors, including private companies, will feel the effects of these rules in their contracts and negotiations.
Let’s get into what happened and what companies should do now.
Overview of the rules
Once the regulations are published in the Federal Register, which we expect shortly, public companies will have 30 days to comply. Under the regulations, the SEC will require public companies to report material incidents on a Form 8-K within four business days of making such a determination. Further, companies will need to provide material information regarding their cybersecurity risk management, strategy and governance on an annual basis.
Below are some initial thoughts to consider in understanding the issues related…
