The SEC’s cybersecurity and disclosure rules: The questions compliance pros still have | Society of Corporate Compliance and Ethics (SCCE)


[author: Bill McLaughlin*]

CEP Magazine (November 2024)

The U.S. Securities and Exchange Commission (SEC) Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules officially went into effect in December 2023.[1] Aimed at improving cybersecurity risk management at public companies, the rules are intended to protect investors by enforcing operational and strategic transparency. Public companies must now disclose major cybersecurity incidents and provide annual updates on how they approach cybersecurity resilience and governance.

Yet, almost one year later, many organizations are still unclear on core aspects of the SEC’s cybersecurity and disclosure rules. Compliance professionals especially are overwhelmed—they have tremendous responsibility when it comes to ensuring companies fulfill their regulatory obligations on an ongoing basis and in the event of an incident.

The goal of this article is to clarify what the SEC now requires of public companies when it comes to cybersecurity. Summarized below are best practices compliance leaders can implement today to bolster their organization’s ability to prevent, address, and grow from cybersecurity…
