Recent enforcement actions by the U.S. Securities and Exchange Commission (SEC) against corporations serve as warnings for public companies of the SEC’s increased emphasis on cybersecurity, and of the potential consequences of inadequate cybersecurity practices. Implementation of practices has become especially crucial considering the newly required cybersecurity incident reporting and cybersecurity risk management and governance disclosure for public companies passed by the SEC last year. This article provides the reader with food for thought around cybersecurity lessons and practical tips.

Summary of SEC Cybersecurity Rules

On Sept. 5, 2023, SEC final rules relating to cybersecurity risk management, strategy, governance, and incident disclosures went into effect. The new rules require registrants to provide:

  • Disclosure on Form 8-K of any material cybersecurity incident within four business days after the incident is deemed material; registrants must also amend any prior Form 8-K related to a cybersecurity incident to add any required information that was not available when the initial Form 8-K was filed.
  • Annual disclosures on Form 10-K describing the company’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents; and management’s role in assessing and managing material risks from cybersecurity threats,” and “the board of directors’ oversight of cybersecurity risks.