As you know, the Securities and Exchange Commission (SEC) has been working on new cybersecurity disclosure rules for over a year. A few days ago, the SEC adopted the new rules on a vote of 3-2. For a brief recap, the SEC first proposed the new rules in March 2022 and the comment period closed in May 2022. Following that, the SEC then reopened comments on the proposed rules in February 2023 and closed comments in April 2023.
As you may remember, the new rules relate to disclosures, risk management and security incidents for registered investment advisers and registered investment companies. According to the SEC, the new rules are meant to provide timely notification to investors concerning material security incidents and to better inform investors about a company’s cybersecurity risk management, strategy, and governance.
SEC Chair Gary Gensler stated that:
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.” See SEC.gov | SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies
Towards that end, according to the new rules, public companies will now have to disclose a material cyber-incident within four business days. There remains a question as to what is deemed material, but the SEC generally defines a material cyber-incident as one that is likely to result in a significant impact on the company’s business, financial condition, or operations. The new rules are also focused on the board’s oversight and cyber-expertise, and they require companies to disclose such information, including the board’s role in assessing and managing cybersecurity risks.
In sum, it is essential that firms scrutinize the new rules and adapt accordingly, including the new formal reporting requirements such as Form 8-K and Form 10-K. Also, please note that the New York Department of Financial Services (DFS) just published an updated proposed Second Amendment as a result of industry comments. Thus, there is now a new comment period for the DFS rules. In other words, agencies are pushing forward with more detailed and rigorous cybersecurity incident/preparedness rules, and companies would be wise to closely monitor the developments and mitigate their liability through an integrated plan.