
Legal Alert

SEC Adopts New Cybersecurity Risk Rules for Public Companies

August 1, 2023

The U.S. Securities and Exchange Commission voted on July 26 to require public companies to disclose material cybersecurity incidents they experience and, each year, disclose information about their cybersecurity risk management, strategy, and governance.

The new incident disclosure requirement on Form 8-K applies to material incidents—defined below—beginning Dec. 18, 2023. Smaller reporting companies have an additional 180 days, until June 15, 2024, before they must comply with this requirement. The annual disclosure requirement applies to all companies beginning with annual reports for fiscal years ending on or after Dec. 15, 2023.

What Do I Need to Disclose?

The rule defines a cybersecurity incident as an unauthorized occurrence, or a series of related unauthorized occurrences, on or through a company's information systems that jeopardizes the confidentiality, integrity, or availability of those systems or the information in them. Occurrences can be "related" when, for example, they are carried out by the same malicious actor or exploit the same vulnerability, and a series of related occurrences can be material in the aggregate even if no single one would be. Recognizing that separate occurrences are related requires the ability to correlate events across systems and over time, which in turn depends on centralized logging, adequate detection coverage, and retained forensic evidence.

The incident response plan, the forensics team, and legal counsel each play a role in determining whether occurrences are "related" and whether, taken together, they are material. Tabletop exercises should be conducted at least once a year so that the organization has practiced this determination before a real incident forces it.

Using Form 8-K (new Item 1.05), companies must disclose the material aspects of any incident, including its nature, scope, and timing, as well as the incident's material impact, or reasonably likely material impact, on the company, including its financial condition and results of operations.

How Quickly Do I Need to Disclose a Cybersecurity Incident?

The SEC emphasized the importance of timely disclosure once an incident is determined to be "material," and the rule requires that the materiality determination itself be made without unreasonable delay after the incident is discovered. The Form 8-K is due within four business days of that determination, not of the initial discovery of the incident. The only permitted delay is when the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing.

A quick determination of whether a cybersecurity incident is "material" can be tough to make, particularly while the forensic picture is still incomplete. To meet this requirement, companies must have robust cyber detection and response capabilities along with effective, up-to-date supply chain management practices. This entails having in place detection and logging capabilities aligned with a recognized framework (such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework), relevant policies and procedures (such as an IT policy, incident response plan, information security policy, and supply chain management protocols), competent legal counsel, and proven forensic capabilities, so that the facts needed for the determination can be established quickly and reliably.

The incident response plan should specify how the facts the Form 8-K calls for (nature, scope, timing, and actual or reasonably likely impact) are gathered, documented, and escalated, so that the disclosure is drawn from that record rather than assembled from scratch under deadline.

Third-Party Breaches

Public companies must pay attention not only to incidents on their own systems but also to incidents affecting third-party systems they use, such as those of vendors and service providers in their supply chain, because the rule's definition of information systems reaches systems owned or used by the company. If such an incident has a material impact on the company, the above disclosure requirements apply.

This requires periodic review of the company's current supply chain management practices. Companies should ensure that their vendor contracts give them the right to conduct periodic audits and other assessments and require prompt notification of security incidents, since the four-business-day clock runs from the company's own materiality determination regardless of when the vendor chooses to report.

Annual Disclosure Requirements

In addition to disclosing incidents as they occur, companies will be required to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats in their annual reports on Form 10-K or Form 20-F, as applicable. The rule does not require disclosure of specific technical details about incident response plans, systems, networks, or vulnerabilities in such detail that the disclosure itself would impede the company's ability to respond to or remediate an incident.

Adhering to the NIST Cybersecurity Framework or another well-established cybersecurity framework gives these processes a recognized structure and makes them easier to describe in the annual report.

Do I Still Need Experts on My Board of Directors?

The SEC's final rule dropped the proposed requirement to identify board members with cybersecurity expertise. Instead, companies must describe the board's oversight of risks from cybersecurity threats, including any board committee responsible for that oversight, and management's role in assessing and managing material cybersecurity risks, including the relevant expertise of the management positions or committees responsible for doing so.

This elevates the importance of having a chief information security officer (CISO) with a direct reporting line to the board. The CISO should have demonstrated experience managing cybersecurity incidents.

We Can Help

Maslon can assist your company in improving its cybersecurity game to ensure it is aligned with the SEC's vision. Contact us with questions or concerns.
