On July 26, 2023, the Securities and Exchange Commission (the "SEC"), voted to adopt new rules for public companies that will require disclosures regarding "material" cybersecurity incidents, as well as cybersecurity risk management, strategy, and governance. The new rules include both current and periodic reporting requirements, and marks a significant expansion in the way that public companies make disclosures relating to cybersecurity. The new rules will become effective 30 days from publication in the Federal Register and will apply broadly to all public companies, including foreign private issuers, emerging growth companies and smaller reporting companies.
For additional discussion of some key rule highlights, see this post on our Focus on Audit Committees, Accounting and the Law blog. Given the interdisciplinary nature of cybersecurity issues, we are working closely with our corporate disclosure colleagues to develop recommendations on steps companies should take in response to the new requirements and look forward to sharing our collective thoughts in a forthcoming client alert.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
