The Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (the “Cybersecurity Rules”), which the Securities and Exchange Commission (SEC) had adopted earlier this year, became effective on December 18. The Cybersecurity Rules codify the obligation of public companies to report material cybersecurity incidents and mandate the disclosure of cybersecurity governance practices and associated risks. Previously, reporting obligations allowed companies greater discretion, especially when determining whether a cybersecurity incident was “material” to the business.
Media headlines tend to obscure the material changes that Boards of Directors, Chief Information Security Officers (CISOs), and executive management teams may need to make in order to ensure compliance. It is currently unknown precisely what level of detail or documentation will satisfy the SEC that a registrant has complied with the Cybersecurity Rules. Nonetheless, it’s abundantly clear that the Boards of Directors and executive management personnel of public companies will be held accountable, so careful preparation is critical.
What Companies Are Subject to…
