SEC Mandates Timely Cybersecurity Disclosures for Public Companies

The U.S. Securities and Exchange Commission (SEC) has formalized its long-awaited regulations concerning cybersecurity disclosures for public companies. According to a recent article on JD Supra by Sheppard Mullin Richter & Hampton LLP, the newly published rules, which came into effect this month, mandate the disclosure of specific cybersecurity incidents on a much shorter timeline than many other data breach notification regimes.

Beyond requiring punctual notification of cybersecurity incidents, the final rules also require regular disclosures regarding a company's processes for evaluating, identifying, and managing key cybersecurity threats. Moreover, details of the roles of both management and the board of directors in managing or overseeing these risks must also be disclosed.

The purpose of these regulations is to keep shareholders and potential investors informed about the cybersecurity-related risks and incidents a company may face, and to ensure that these companies monitor and manage those risks effectively. Key security incidents must be addressed promptly, and significant cybersecurity risks must be identified, evaluated, and managed appropriately. The onus is on the management and the board of directors of public companies to strategise and implement measures that limit the potential fallout from such risks.

These developments represent an important evolution in the regulatory landscape surrounding corporate cybersecurity and data breaches. It is paramount that legal professionals, particularly those working within public corporations or advising such entities, understand these new disclosure requirements and their implications.