In late July 2023, the Securities and Exchange Commission (SEC) adopted new rules requiring public companies to disclose cybersecurity incidents and their policies and practices regarding cybersecurity governance. The final rules borrow mostly from the SEC's original proposal issued in March 2022, with some modifications to the cybersecurity disclosure requirements. The SEC adopted these changes by a fairly narrow vote of 3-2. The new disclosure stipulations have an effective date of no later than December 23, 2023, or 90 days. This information was presented by The Volkov Law Group.
This development, detailed in an audio episode from JD Supra titled ‘Episode 288 — SEC Adopts Robust New Cybersecurity Disclosure Rules’, signals a significant shift in the landscape of security and transparency expectations for publicly traded companies. The stipulations aim to foster more stringent standards of cybersecurity governance and reporting, and demonstrate the SEC’s ongoing commitment to protecting shareholders by ensuring they are informed about the companies they are investing in.
As mandatory cybersecurity disclosures become part of public company reporting procedure, it is important for legal professionals advising such companies to be well versed in the new SEC regulations and their implications. Ensuring compliance with these robust new disclosure requirements will be key to avoiding penalties and maintaining investor confidence in the era of ever-increasing cybersecurity threats.
While details about the extent of the required disclosures and adjustments to cybersecurity governance policies are yet to be thoroughly explored, what’s abundantly clear is the SEC’s heightened seriousness regarding cybersecurity risks. This adoption suggests that the organization is increasingly viewing cybersecurity as a significant aspect of corporate governance that directly impacts shareholders and the overall integrity of the financial markets.
Legal professionals, corporate counsel, and compliance officers would be well advised to familiarize themselves with the nuances of these new expectations to ensure their respective organizations are prepared for the enforcement deadline of these rigorous cybersecurity regulation enhancements.