As legal professionals, it is vital to stay aware of any changes in legislation that may impact our operations. A significant shift is the Securities Exchange Commission’s (SEC) new Cybersecurity Rule, which has recently come into effect.
The new regulations were implemented in September and apply to reporting public companies. As outlined by Burr & Forman, the SEC Cybersecurity Rule generally asks public firms to meet three main requirements:
- Public companies that experience a material cybersecurity incident should disclose it on Form 8-K within four days of the occurrence.
- Firms must disclose their risk assessment and management efforts concerning security.
- Companies should also communicate management's involvement in, and the board's oversight of, these matters.
The specific legislative changes mirror a growing focus on cybersecurity in the public sphere, a concern exacerbated by high-profile incidents in recent years. Legal professionals are urged to become familiar with these changes, as they could carry significant legal implications for the firms they work for or represent.
This new regulation underscores the SEC’s drive towards maintaining transparency and is a push for prompt and honest disclosure from corporations about their cyber issues. Hence, legal professionals should incorporate these changes into their corporate strategy, governance processes, and disclosure duties, as failure to comply may pose a risk of enforcement actions by the SEC.