On July 26, 2023, the Securities and Exchange Commission (SEC) significantly shifted the landscape of cybersecurity accountability for public companies. At an open meeting, the SEC decided to adopt final rules requiring the standardization of cybersecurity disclosures by public companies (JD Supra).
These new rules mark a sharp departure from the previous practice, which permitted a considerable degree of discretion over what cybersecurity information was disclosed, when, and how. Going forward, public firms will be expected to meet specific, standardized benchmarks in revealing information about their cybersecurity measures.
While the exact details of the rule changes are yet to be fully understood, the legal community should brace itself for a new era of enhanced transparency. Public companies will now be required to provide regular, standardized updates on their cybersecurity efforts. It is reasonable to expect that this information will need to include the mitigation and detection measures adopted, how these are maintained and upgraded, and what plans are in place for when breaches do occur.
This new mandate from the SEC could potentially impact a wide variety of areas. Primarily, public companies will need to review their current approaches to cybersecurity and ensure they meet the forthcoming requirements. Corporate legal teams should expect to play a significant role in this process, both in terms of understanding the new rules’ implications and ensuring compliance.
Additional consequences could also affect a wider circle, from shareholders seeking reassurances about their investments’ safety to potential litigation connected to how firms manage and disclose cybersecurity risks. The shift not only carries regulatory weight but also emphasizes the SEC’s increased focus on protecting investors and maintaining fair, orderly, and efficient markets.
One thing is certain: cybersecurity disclosures are about to become a staple feature in public firms’ corporate filings. The legal community, along with corporate stakeholders, will be watching the forthcoming details closely.