
SEC Cybersecurity Disclosure Regulations: 7 Essential Steps to Prepare Your Whole Organization for a Cyber Incident

August 29, 2023

On July 26, 2023, the U.S. Securities & Exchange Commission (SEC) adopted a new rule (“rule” or “regulations”) enhancing disclosure requirements regarding cybersecurity readiness and incident reporting for publicly traded companies (“registrants”). The rule also requires foreign private issuers to make comparable disclosures.

The rule is intended to benefit investors by providing more timely and consistent disclosures about material cybersecurity incidents, and by providing consistent and easily accessible information around cybersecurity risk management, strategy, and governance practices. 

These regulatory changes will impact how registrants communicate essential information through a cyber incident. Every organization impacted by the rule should evaluate both their technical and organizational incident response plans with the new reporting requirements in mind. 

What are the SEC Rule Changes? 

The rule requires registrants to disclose — within four business days — cybersecurity incidents that are deemed material. Although the SEC did not define “material,” it notes that aspects of materiality include “nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.” The SEC recognized that it can take time for a company to determine whether an incident is “material,” which can affect the timing of the mandatory disclosure. There is a national security and public safety exemption to the four-day reporting requirement, under which registrants can delay immediate disclosure of material incidents by obtaining approval from the U.S. Attorney General, who would then notify the SEC in writing...