Client Alert: SEC finalizes cybersecurity disclosure rules

On July 26, 2023, the US Securities and Exchange Commission (SEC) adopted rules requiring certain cybersecurity disclosures from public companies. The rules require prompt disclosure of material cybersecurity incidents and annual disclosure of details about corporate cybersecurity risk management, governance and strategy.

The final rules, as adopted, contain changes to draft rules issued in March 2022, which we discussed in our article “The SEC Is Introducing Aggressive Cybersecurity Regulations in 2022: What You Need to Know.”

Here are some provisions of the SEC’s final rules document, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure,1 that may affect cyber insurance and cyber risk management.

Mandatory cybersecurity incident disclosure

  • Public companies must file a public report with the SEC disclosing material cyber incidents within four business days of determining that the incident is material. While there’s no set deadline for determining “materiality,” companies must make this determination without unreasonable delay following the discovery of a cyber incident.

 
