The Securities and Exchange Commission (SEC) has adopted a new final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. This new rule, which went into effect on September 5, 2023, requires public companies to disclose material cybersecurity incidents within four business days of determining that the incident is material, and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.
Why is this rule important?
Cybersecurity is a major risk for all businesses, but it is especially important for public companies, which hold sensitive investor data. The SEC’s new rule is designed to help investors make informed decisions about their investments by providing them with more information about the cybersecurity risks that public companies face.
What are the specific requirements of the rule?
The rule requires public companies to:
- Identify and assess material cybersecurity risks to their operations, systems, and data.
- Have a board-approved cybersecurity risk management program.
- Report to the board on the effectiveness of the cybersecurity risk management program.
- Have a process for responding to and recovering from cybersecurity incidents.
- Disclose information about their cybersecurity risk management, strategy, and governance in their annual 10-K filings and Form 8-Ks.
The rule also requires companies to disclose material cybersecurity incidents within four business days of determining that the incident is material.
How can I learn more about the rule?
The SEC has a webpage dedicated to the new rule, which includes a fact sheet and FAQs. You can also find more information on the websites of the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), the SANS Institute, and the International Information System Security Certification Consortium (ISC)2.
What should I do to comply with the rule?
The first step is to review the SEC’s final rule and understand its requirements. Once you have a good understanding of the rule, you can begin to assess your company’s cybersecurity risk management program and make any necessary changes to ensure that you are in compliance.
If you need help complying with the rule, there are a number of resources available to you. You can consult with a cybersecurity expert, or you can use one of the many compliance tools and resources that are available.
The SEC’s new rule on Cybersecurity Risk Management is a significant development for public companies. By taking the time to understand the rule and comply with its requirements, public companies can help to protect their investors and their businesses.