SEC Introduces Rigorous Cybersecurity Disclosure Requirements for Foreign Private Issuers

The US Securities and Exchange Commission (SEC) recently introduced final rules concerning the disclosure of cybersecurity information. Upon implementation, these rules will require foreign private issuers to disclose significant cybersecurity incidents via Form 6-K. Issuers will also have to provide information about their management, strategy, and governance of cybersecurity risks in Form 20-F.

According to JD Supra, this move signals the SEC’s increasing focus on transparency and accountability in cybersecurity matters, an issue that is becoming ingrained in the fabric of operations for businesses globally.

The change in policy also highlights the SEC’s recognition of the reputational and financial risks associated with cybersecurity breaches. Past incidents prove that the disclosure of cybersecurity attacks is not only a legal obligation but also a means of protecting shareholders and the marketplace from fraud and misinformation.

In light of this development, legal professionals and corporations need to prepare for these new requirements. They should review their current incident response procedures, including how they evaluate cybersecurity risks and incidents, to ensure compliance with the new rules. As with all legal changes, adequate preparation can mitigate the risk of non-compliance penalties and related reputational damage.

The SEC’s step towards more rigorous cybersecurity disclosure requirements underlines a growing global trend. With cybersecurity rapidly becoming a concern for all corporations, other regulatory bodies worldwide might soon follow the SEC’s lead.