Sep 27 2023

The SEC Cybersecurity Disclosure Final Rule: What You Need to Know and How to Comply

The Securities and Exchange Commission (SEC) has recently issued a final rule (linked here) that requires public companies to disclose material cybersecurity risks and incidents in their periodic reports and registration statements. The rule also clarifies the obligations of public companies to maintain effective disclosure controls and procedures related to cybersecurity matters.

The rule aims to protect investors and promote market integrity by ensuring that public companies provide timely and accurate information about cybersecurity incidents that could have a material impact on their business operations, financial condition, or reputation.

The rule applies to all public companies that file reports or registration statements with the SEC, regardless of their size, industry, or location. The rule does not prescribe specific disclosure requirements or standards, but rather provides guidance on how public companies should assess the materiality of cybersecurity risks and incidents, and what factors they should consider when deciding whether, when, and how to disclose them.

Some of the factors that public companies should consider include:

  • The nature and severity of cybersecurity incidents or risks.
  • The potential harm to customers, business partners, or other stakeholders.
  • The legal or regulatory obligations or consequences related to the incident or risk.
  • The costs and resources required to prevent, mitigate, or remediate the incident or risk.
  • The impact on the company’s reputation, financial performance, or competitive position.

The rule emphasizes that public companies should have effective disclosure controls and procedures in place to ensure that relevant information about cybersecurity matters is properly collected, processed, evaluated, and reported to senior management and the board of directors. Additionally, the rule cautions public companies against selective disclosure of material cybersecurity information to certain parties, such as analysts, investors, or media outlets, before making it available to the public.

The rule also reminds public companies of their obligations under existing laws and regulations to prevent insider trading and protect confidential information related to cybersecurity matters.