The C-Suite Guide to New SEC Cybersecurity Disclosure Rules
The U.S. Securities and Exchange Commission (SEC) adopted rules in July 2023 that require public companies to disclose material cybersecurity incidents and to describe their cybersecurity risk management, strategy, and governance annually. The annual disclosures apply to Form 10-K filings for fiscal years ending on or after December 15, 2023, and the incident-reporting requirement took effect in December 2023. The goal is to standardize disclosures so that investors receive consistent, comparable information.
Key regulation elements include:
- Companies must describe their processes for assessing, identifying, and managing material cybersecurity risks in their Form 10-K (annual report), including whether any risks from cybersecurity threats have materially affected, or are reasonably likely to materially affect, the company;
- The annual report must also describe the board's oversight of cybersecurity risk and management's role and expertise in assessing and managing it;
- When a company determines that a cybersecurity incident is material, it must report it under Item 1.05 of Form 8-K within four business days of that determination. The clock starts at the materiality determination, not at discovery, and the determination itself must be made without unreasonable delay. The filing must describe the material aspects of the incident's nature, scope, and timing, and its material impact or reasonably likely material impact on the company, including its financial condition and results of operations. The only permitted delay is when the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.