SEC New Cyber Rules
- Security Excellence
- Aug 3, 2023
Updated: Aug 7, 2023
On July 26, 2023, the SEC finalized the rules surrounding Cybersecurity Risk Management and Governance. They are as follows:
- Annual report on company cybersecurity risk management strategy and governance (Item 106)
- Report any material cyber incident within 4 days of determining the incident to be material, or likely material (Item 1.05, Form 8-K)
  - Caveat: national or public safety risks, at the discretion of the Attorney General
  - Reported under Item 1.05 of Form 8-K
  - Describe the material impact, including the nature, scope, and timing
- Adding Regulation S-K Item 106 to describe the processes used to assess, identify, and manage material risks and material effects from threats and previous cyber incidents
  - Additionally, describe the Board's oversight of risks and management's role and expertise in assessing and managing risks
- Refer to this SEC Article on assessing materiality
  - Impacting: reputation, odds of litigation, regulatory, third-party relationships
While cybersecurity expertise is not required at the Board level, we see that the rules include how the Board provides governance for such risks and Executive Management's expertise in assessing and governing risks. While this may sound good to some, historically the vast majority struggle with cyber risk, and, akin to the Biden administration's cybersecurity policies, a safety net does not fix the problem. The burden stays with Executive Management: "the more things change the more they stay the same".
Overall, the Incident Response plan will need to align with a) discovering the incident and then b) determining when the impact is material, which starts the 4-day clock. Caveat: communications during an incident response should already be vetted by legal counsel. The Form 8-K disclosures are due effective Dec. 18, 2023, which is 90 days after the rule was published. Note: smaller companies are due 270 days after publication, or by June 15, 2024. Form 10-K disclosures are due with annual reports for fiscal years ending on or after Dec. 15, 2023.