Key Takeaways:
- On July 26, 2023, the SEC adopted the long-awaited final rules on cybersecurity risk management, strategy, governance, and incident disclosure for all public companies.
- The final rules create significant new disclosure obligations for public companies, requiring timely and detailed disclosures of material cybersecurity incidents, as well as periodic disclosures about cybersecurity risk management and governance.
- The new rules are part of the SEC’s larger efforts focused on cybersecurity regulation, with a growing universe of rules aimed at different types of SEC registrants, including: (i) its proposed cybersecurity rules for registered investment advisers and funds and market entities, including broker-dealers; (ii) its proposed amendments to Reg S-P and Reg SCI; and (iii) existing cybersecurity obligations under SEC regulations, including Reg S-P, Reg S-ID, and the recently amended Form PF.
On July 26, 2023, the SEC adopted the long-awaited final rules on cybersecurity risk management, strategy, governance, and incident disclosure for issuers. The new rules are part of the SEC’s larger efforts focused on cybersecurity regulation, with a growing universe of rules aimed at different types of SEC registrants, including: (i) its proposed cybersecurity rules for registered investment advisers and funds and market entities, including broker-dealers; (ii) its proposed amendments to Reg S-P and Reg SCI; and (iii) existing cybersecurity obligations under SEC regulations, including Reg S-P, Reg S-ID, and the recently amended Form PF.
KEY REQUIREMENTS
The rules introduce three new types of disclosure requirements relating to: (1) material cybersecurity incidents, (2) cybersecurity risk management processes and (3) cybersecurity management and governance.
The final rules are available here.
We will publish a more detailed analysis of the impact of the new rules in the coming weeks.