SEC Adopts Final Cybersecurity Risk Management and Incident Disclosure Regulations

Finally, the Securities and Exchange Commission (SEC) has adopted Regulations regarding public companies’ obligations to include disclosure in annual reports on material cybersecurity risks, risk management and governance, and to file current reports to report material cybersecurity incidents. While some of the most discussed disclosure requirements — like boards of directors’ cybersecurity expertise — were not adopted, the new Regulations will still have a substantial impact on organizations. Obligatory reporting will place pressure on organizations to make sure that their cybersecurity programs are appropriately tailored to ensure positive features can be reported in periodic disclosures. Failure to do so could likely lead to additional regulatory scrutiny in the event of a security incident or allegations of failure to discharge fiduciary duties by boards of directors in shareholder derivative lawsuits. Additionally, reporting material cybersecurity incidents in real-time will raise the stakes for appropriate incident management.

To ensure that your organization can make favorable disclosures, conduct periodic risk assessments to identify security program gaps and prioritize remediation. Consult outside counsel so they can provide legal advice as to the sufficiency of your security controls. As well, pay attention to your cybersecurity governance structure to ensure that the board of directors can conduct appropriate oversight. Finally, vulnerability management and event detection should be prioritized, in light of the short data breach reporting deadlines required under the Regulations.