In September, the Securities and Exchange Commission’s new Cybersecurity Rule for reporting public companies became effective. The SEC Cybersecurity Rule applies to public companies and generally requires disclosure of (1) material cybersecurity incidents on Form 8-K within four days, (2) the firm’s risk assessment and management efforts, and (3) management’s involvement in, and the board’s oversight of, these issues. It became effective Sept. 5, 2023, but has various compliance dates depending upon particular issues and company size. Exchange Act Release No. 97989 is here.
The SEC has a pending rule proposal that would impose similar requirements upon Wall Street firms. The industry cybersecurity rule, if adopted, generally will require (1) written policies and procedures to assess and manage cybersecurity risks and incidents, (2) immediate notice to the SEC of “significant incidents,” and (3) public disclosures to provide greater transparency around cybersecurity risks. The Proposal, Exchange Act Release No. 97142, is here.
In its Sept. 27 Corporate Notice, the Financial Industry Regulatory Authority (“FINRA”) shined a light on its various cybersecurity efforts. FINRA recently updated its Small Firm Cybersecurity Checklist – a resource for firms establishing or assessing their cybersecurity programs.
FINRA also offers a Firm Checklist for Compromised Accounts. General resources are collected on FINRA’s Cybersecurity topic page.