SEC Adopts New Cybersecurity Rules for Public Companies
Thursday, July 27, 2023
SEC Requires Public Companies To Disclose Material Cybersecurity Incidents
Print Mail Download i

In a 3-2 vote, the Securities and Exchange Commission (SEC) adopted new cybersecurity rules yesterday (July 26, 2023) applicable to public companies.

The rules, which will become effective thirty days after publication in the Federal Register, require public companies to “disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.”

The new rules require companies to file an Item 1.05 Form 8-K for “any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing as well as its material impact or reasonably likely material impact on the registrant.” The Item 1.05 Form 8-K will be due “four business days after a registrant determines that a cybersecurity incident is material.” The disclosure may be delayed “if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.”

In addition, a new S-K Item 106 will require registrants to describe their processes “for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents” and will require companies to “describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.” The disclosures are required to be included in the annual 10-K Form. Public companies’ cybersecurity processes are in the crosshairs of the SEC, and focus and attention to cybersecurity practices, including beefing up the cyber capabilities of members of the board and senior management are clearly factors the SEC will expect. There is a dearth of cybersecurity professionals as it is. Public companies’ nominating committees have a formidable job in front of them

Copyright © 2024 Robinson & Cole LLP. All rights reserved.

Current Public Notices

Current Legal Analysis

More from Robinson & Cole LLP

Privacy Tip #401 – Cyberattack Against TikTok Targeted Brands and Celebrities
by: Linn F. Freedman
US Department of Labor’s Office of Federal Contract Compliance Offers AI Guidance for Government Contractors and Other Employers
by: Sean C. Griffin
Update on Snowflake Cyber Threat
by: Linn F. Freedman
Connecticut Paid Sick Leave Law Gets Major Overhaul: Who's Covered, What Qualifies, and More
by: Christopher A. Costain , Abby M. Warren
New Texas Supreme Court Decision Highlights Several Defense Strategies for Defeating Class Certification
by: Wystan M. Ackerman
DOJ Announces $1.3 Million Settlement Involving a Laboratory Marketer, Physicians, and the Physicians’ Medical Practices
by: Danielle H. Tangorre , Erin C. Turkis
Department of Justice National Security Division Announces First-of-Its-Kind Declination under Its Voluntary Self-Disclosure Program
by: David E. Carney , Kevin P. Daly
NISTS Offers AI Governance Guideline to Help Avoid Bias Liability
by: Sean C. Griffin
UK Privacy Watchdog Probes Microsoft’s Controversial “Recall” Feature
by: Blair V. Robinson
Proofpoint Survey Outlines Challenges for CISOs
by: Linn F. Freedman

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins