Takeaways From the SEC’s Cybersecurity Risk Management Report

August 11, 2023

The SEC finalized its disclosure rules for cybersecurity risk management, strategy, governance, and incidents on July 26th. A proposed requirement that all boards of publicly traded companies must have cybersecurity expertise on call was not adopted. Opponents noted a lack of expertise in the marketplace that would make it difficult to comply. However, boards must now describe how they oversee risk from cybersecurity threats, and management’s role in assessing those risks, in their annual Form 10-K. In their Form 8-K they must disclose “any cybersecurity incident that they experience that is determined to be material” and describe “material aspects” of the incident within four business days of making that determination. The rules include tests for materiality, among them whether “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision.
