
July 31, 2023

SEC Rule Would Impose New Cyber Reporting Requirements On Public Companies

The U.S. Securities and Exchange Commission (SEC) has finalized a new regulation that will require publicly traded companies to formally disclose cybersecurity risk management, strategy, governance, and incidents. Specifically, the regulation requires disclosure of material cybersecurity incidents within four business days of the incident unless the U.S. attorney general determines immediate disclosures would pose a substantial risk to national security or public safety.

These disclosures must cover the incident’s nature, scope, timing, and impact.

The rule also requires publicly traded companies to disclose information about their cybersecurity risk management, strategy, and governance structures. Companies must describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the company.

Finally, the rule requires that companies disclose how their board of directors oversees risks from cybersecurity threats and management’s role in assessing and managing material risks from cybersecurity threats.
