New SEC Cyber Incident Disclosure Requirements Take Effect
Date: 12/20/23
Public companies face significant challenges and uncertainties under the new reporting requirements that took effect December 18, 2023. On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) adopted much-anticipated cybersecurity rules that apply to U.S. SEC reporting companies as well as most foreign private issuers. In adopting the final rules, the SEC noted the rising prevalence and gravity of cybersecurity threats and incidents, and investors’ need for more timely, reliable and uniform disclosures. The SEC also cited the economic costs resulting from cybersecurity incidents, and increasing reliance on electronic systems that are susceptible to cybersecurity breaches and unknown vulnerabilities. Under the new rules, reporting companies must have, among other things, board- and management-level governance structures, controls and procedures to manage cybersecurity risks. Should a material cybersecurity attack be detected, the rules require disclosure of the incident.