Overview
In 2023, the U.S. Securities and Exchange Commission (“SEC”) issued its now fully implemented Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule. The Rule reflects the reality that cybersecurity is now a major operational issue for companies and seeks to standardize how publicly traded companies disclose cyber incidents and their overall cyber risk management. It also marks a significant expansion of the information about their cybersecurity posture that those companies must make public, both in their annual disclosures and in one-off 8-K disclosures in the event of a data security incident.
The Rule creates a few major requirements:
- Disclosure of a Registrant’s Risk Management, Strategy and Governance Regarding Cybersecurity Risks: Companies must proactively include information about their processes for assessing, identifying and managing material risks from cybersecurity threats in their annual disclosures. Additionally, companies need to disclose if risks from cybersecurity threats, including those stemming from previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect…
