On July 26, 2023, the Securities and Exchange Commission (the “SEC”) unveiled new regulations requiring public companies and foreign private issuers to disclose key cybersecurity incidents within four business days from when the incident was first detected. Moreover, these entities will be required by law to share specifics regarding their approaches to managing cybersecurity risks, as well as information on strategy and governance, in their annual reports. The aim of these new rules is to increase transparency around cybersecurity risks and measures, providing investors with critical information to make more informed decisions.
As detailed on JD Supra, the development of these legal stipulations is a strategic move intended to equip stakeholders with pertinent insights into companies’ vulnerability to, and preparedness against, potential cyber threats. The timely disclosure of vital cybersecurity incidents can contribute significantly to investigative processes while enabling stakeholders to understand the measures in place to mitigate the risk and impact.
In the wake of growing cyber threats affecting businesses across the globe, the adoption of such regulatory measures underscores the critical need for legal structures that bind corporations to disclose relevant information speedily and accurately. As the new regulations come into effect, corporations’ legal teams worldwide should be poised for what is essentially an imperative shift towards increased cybersecurity governance disclosure, which will require them to review and possibly revise their current disclosure procedures and cybersecurity management policies accordingly.