On July 26, the Securities and Exchange Commission (“SEC”) finalized a much anticipated rule addressing cybersecurity risk management, strategy, governance, and incident disclosure. Public companies registered with the SEC will soon be required to report material cybersecurity incidents within four business days of determining the incident to be material and to make periodic disclosures regarding cybersecurity risk management, strategy, and governance.

The regulations, which were originally proposed in March 2022, come as a response to the increasing frequency and severity of cyber threats and attacks targeting public companies and concerns about inconsistent and underreporting of material incidents that pose significant risks to investors, stakeholders, and the overall financial market.

The SEC’s rule emphasizes the need for public companies to establish robust cybersecurity risk management programs and strategies. Companies would be required to conduct regular assessments of their cyber risk exposure and implement measures to safeguard sensitive information and data. The rules also mandate the creation of effective governance structures, with clearly defined roles and responsibilities for overseeing cybersecurity issues. Public companies would need to disclose information regarding their cybersecurity practices and incidents in a standardized format, allowing investors and stakeholders to make informed decisions.

Key requirements of the rule include the following:

1. Risk Management and Strategy: Registrants must describe their processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats, and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition. (Regulation S-K Item 106(b).)
2. Governance: Registrants must describe the board’s oversight of risks from cybersecurity threats and management’s role in assessing and managing material risks from cybersecurity threats. (Regulation S-K Item 106(c).)
3. Material Cybersecurity Incidents: Registrants must disclose any cybersecurity incident they experience within four business days of determining it to be material, including its nature, scope, timing and impact. A registrant may delay filing as described below, if the U.S. Attorney General determines immediate disclosure would pose a substantial risk to national security or public safety. (Form 8-K Item 1.05.)
4. Foreign Private Insurers (FPIs): FPIs must disclose on Form 20-F the board’s oversight of risks from cybersecurity threats and management’s role in assessing and managing material risks from cybersecurity threats. FPIs must also furnish on Form 6-K information on material cybersecurity incidents that they disclose or otherwise publicize in a foreign jurisdiction, to any stock exchange, or to security holders.

Noncompliance with the rule could have serious repercussions for public companies. The SEC may impose financial penalties, sanctions, or enforcement actions against companies that fail to meet the cybersecurity standards set forth in the regulations. Moreover, companies that neglect cybersecurity risk management could face reputational damage and loss of investor trust, potentially leading to reduced market confidence and stock value. Additionally, the SEC’s heightened focus on cybersecurity compliance could result in increased scrutiny and disclosure obligations, adding further administrative burdens for noncompliant companies.

The SEC’s new cybersecurity rule signals the growing significance of cybersecurity across various sectors. While large corporations with substantial resources may be better positioned to adapt to the new requirements, smaller public companies might face challenges in implementing comprehensive cybersecurity strategies. Many businesses may need to invest in advanced cybersecurity technologies, hire specialized personnel, and conduct regular risk assessments to comply with the SEC’s regulations effectively. The increased emphasis on incident disclosure could also expose companies to potential litigation risks and increased insurance premiums.

The final rules go into effect 30 days following publication of the adopting release in the Federal Register. More information can be found in this SEC fact sheet.