SEC rules require disclosure of cybersecurity incidents – Daily Journal
One of the interesting topics currently circulating in the financial world is the implementation of new SEC rules regarding cybersecurity disclosure for public companies. These rules, adopted on July 26, 2023, aim to enhance transparency and accountability in public company disclosures related to cybersecurity risk management, strategy, governance, and reporting. One of the key requirements of these rules is that public companies must disclose any material cybersecurity incidents within four business days of determining their significance.
Since the compliance date of these rules on Dec. 18, 2023, a notable number of companies have disclosed cybersecurity incidents in their Form 8-K filings. Interestingly, some companies have voluntarily disclosed cybersecurity events even when they were unsure whether the impact was material. This voluntary disclosure trend prompted Erik Gerding, Director of the SEC's Division of Corporation Finance, to issue a statement encouraging companies to handle such disclosures in a way that does not overshadow the disclosure of material cybersecurity incidents.
As we reflect on the one-year anniversary of the implementation of these rules, it is important for public companies to consider some key takeaways and lessons learned. Firstly, determining materiality is crucial when deciding whether to disclose a cybersecurity incident. The SEC emphasizes that companies should use the standard materiality assessment applied to other risks and events, considering both quantitative and qualitative factors.
Secondly, providing timely information in disclosure is essential. Companies must disclose cybersecurity incidents promptly within four days of determining their materiality, even if all required information is not immediately available. In such cases, companies should make the necessary disclosures and subsequently update their filings when more information becomes accessible.
Lastly, following incident response plans is crucial for effective cybersecurity risk management. Having a robust response plan in place can help companies navigate cybersecurity incidents more effectively and ensure proper disclosure as required by the rules. By adhering to these guidelines, public companies can enhance transparency, accountability, and compliance in their cybersecurity disclosures, benefiting both investors and the broader financial community.