Extract from Epiq’s article “Breaking Down the New SEC Cybersecurity Rules”
On July 26, the Securities and Exchange Commission (SEC) adopted new cybersecurity rules. Organizations will need to disclose material cyber incidents on a prescribed timeline, and to disclose information about risk management, strategy, and governance on an annual basis. The goal is to bring consistency to the disclosure process, to the benefit of both organizations and their investors. Any business registered with the SEC is subject to these updates and should take steps now to comply.
New Requirements
The new SEC rules will require process reevaluation and changes. Leadership teams and legal departments must work together to make updates and maintain adherence to the new standards. Here is an overview of the key additions:
- When a material cybersecurity incident occurs, organizations need to disclose it on Form 8-K within four days after determining that it is material. The disclosure must describe the material aspects of the incident's nature, scope, timing, and impact. There is a narrow exception to the four-day rule if the U.S. Attorney General determines that disclosure would pose a substantial risk to national security or public safety.
- In the annual report on Form 10-K, organizations must now include three new categories of information. The first is all active processes for assessing, identifying, and managing material risks from cybersecurity threats. The second is any material effects of risks from cybersecurity threats and of prior incidents. The last is a description of the board of directors' oversight of cybersecurity risk, together with management's role and expertise in assessing and managing material cyber risk from these threats.