The SEC’s new cybersecurity rules require public companies to promptly disclose cybersecurity incidents and detail their risk management strategies. These rules mandate reporting significant cyber incidents within four business days and providing updates on previously reported incidents. They also require disclosures about risk management processes, impacts on business strategy, and board oversight roles. This article details the new disclosure regulations and emphasizes the importance of proactive strategies, like process documentation, framework adoption, gap assessments, and effective communication for compliance with the SEC’s new cybersecurity rule and improved cybersecurity risk management.
* * *
In the absence of authoritative disclosure requirements about cybersecurity risk, companies have disclosed information about cybersecurity incidents, management, and governance in varying levels of detail and formats. This has historically made it difficult for investors to access and interpret the information (Derryck Coleman, Nicole Hallas, and Madeleine Conley, “Trends in Cybersecurity Breach Disclosures,” Audit Analytics, 2022, p. 5). To address this issue, the SEC…