SEC Adopts New Rules for Disclosure of Cybersecurity Incidents

New rules involve immediate and annual reporting requirements.

The U.S. Securities and Exchange Commission (SEC) has adopted new rules for disclosure of cybersecurity incidents and risk management by publicly traded companies.

Under the new requirements, registrants must:

  • Disclose, within four days, any cybersecurity incident that they determine to be material, and describe “the material aspects of the incident's nature, scope, and timing” as well as the incident’s material impact.
  • Annually disclose their processes, if any, “for assessing, identifying, and managing material risks from cybersecurity threats.”
  • Annually describe the “board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.”

The SEC will also require foreign private issuers to make comparable disclosures. The rules “will benefit investors, companies, and the markets connecting them,” says SEC Chair Gary Gensler.

08/11/2023
