The US Securities and Exchange Commission (SEC) announced a new final rule requiring public companies to disclose material cybersecurity incidents on Form 8-K within four business days of discovery. The rule, put into effect on July 26, 2023, aims to improve transparency and promptly alert stakeholders to significant cybersecurity threats. For full details of the rule, refer to this article on JD Supra.
In addition to the above, the SEC now expects public companies to disclose their process for assessing, identifying, and managing material risks from cybersecurity threats on an annual basis. This mandate requires essential information to be presented in the corporations’ Form 10-K filings, including the actions taken by companies’ boards and officers to govern cyber risk. This expanded scope of disclosure obligations underpins the SEC’s ongoing commitment to bolster corporate transparency within the sector, which, in turn, is anticipated to strengthen market stability.
What is noteworthy about this regulation is that the entities it applies to are not only the ones directly encountering a cybersecurity incident. Public companies that play a secondary role—like third-party service providers—would not be excluded from the mandate. The disclosure requirement would extend to include such parties if the cyber incident reasonably could be expected to lead to a material adverse effect on them.
As such, all public entities should reassess their cybersecurity protocols and risk management mechanisms to ensure they align with the new directives. In light of the changing regulatory landscape, legal professionals should continue to stay abreast of updates to better guide their clients through compliance with the evolving laws.