The Securities and Exchange Commission (SEC) has set new standards for how public companies report cybersecurity issues.
These rules will significantly impact how companies report and manage cybersecurity threats, marking a pivotal moment in corporate cyber governance.
Mandatory Incident Disclosure
Public companies are now required to disclose material cybersecurity incidents within four business days. This rapid disclosure timeline underscores the SEC’s emphasis on timely and transparent communication in the wake of cybersecurity incidents.
In-Depth Annual Reporting
Companies must also include comprehensive information on their cybersecurity risk management strategies in their annual reports. This includes the processes for assessing, identifying, and managing material risks from cybersecurity threats, as well as the oversight roles of the board of directors and management.
Global Reach
The rules also extend to foreign private issuers, demanding comparable disclosures, thereby setting a global standard for cybersecurity transparency.
Timeline for Compliance
The rules become effective 30 days after publication in the Federal Register. The requirements for annual reports start for fiscal years ending on or after December 15, 2023. The rules for disclosing significant cyber incidents begin either 90 days post-publication or on December 18, 2023, whichever is later.
For businesses, this signals a shift towards greater cybersecurity responsibility and transparency. In the face of the new SEC cybersecurity regulations, our Managed Security Services Provider (MSSP) capabilities can play a critical role.