In yet another indication of the increasing weight being given by government officials to cybersecurity, on July 26, 2023, the Securities and Exchange Commission adopted new rules requiring public companies to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. The SEC also adopted rules requiring foreign private issuers to make comparable disclosures.
The SEC’s new rules are designed to help investors make informed investment decisions by providing them with more information about the cybersecurity risks facing public companies. The rules also encourage public companies to take steps to improve their cybersecurity measures. The new rules, which have been in the works since March 2022, will go into effect on December 1, 2023.
The new rules will require public companies to disclose cybersecurity incidents within four business days after the company determines that the incident is material, meaning one that is likely to have a significant impact on the company’s business, financial condition, or operations. Additionally, the new rules require public companies to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects of risks from cybersecurity threats and previous incidents. Further, the new rules require public companies to describe the board of directors’ oversight of risks from cybersecurity threats, as well as management’s role and expertise in assessing and managing material risks from cybersecurity threats.
While these new rules only apply to public companies, they signal a general increased emphasis on governmental supervision in the realm of cybersecurity.