he Securities and Exchange Commission (SEC) has taken a significant step in bolstering cybersecurity disclosures for public companies by adopting new rules that aim to provide investors with comprehensive and standardized information on cybersecurity risk management, strategy, governance, and incidents.<\/p>\n
Adopted in July 2023, these new rules come after a lengthy rule-making and public comment process and act as official recognition that the ever-present danger of cybersecurity threats can impact investor decision making.<\/p>\n
The highlights: What you need to know<\/p>\n
The crux of the new SEC rules is that companies are required to report both material cybersecurity incidents and cybersecurity risk management processes in a standardized way and according to certain timelines. More specifically:<\/p>\n
Incident disclosures
\nThe final rule requires current report disclosures (Item 1.05 in Form 8K or 6-K) within four days of \u201cmaterial\u201d cybersecurity incidents that describe (1) the nature, scope, and timing of the incident and (2) the impact or likely impact of the incident on the registrant, including financial and operational impact.<\/p>\n
Annual disclosures
\nThe final rule requires disclosures in annual reports (Form 10-K or 20-F) that describe (1) the registrant\u2019s process to identify, assess, and manage cybersecurity risks; (2) how risks from cybersecurity threats have materially affected or reasonably likely to materially affect business operations, strategy, or financial conditions; (3) the registrant\u2019s board of directors\u2019 oversight of cybersecurity risks, and (4) management\u2019s role in assessing and managing risks from cybersecurity threats.<\/p>\n
Source: TechCrunch<\/p>\n