SEC's New Cybersecurity Rules Place New Demands on Public Companies' Cybersecurity Programs
Data privacy and cybersecurity attorneys Bess Hinson, Ashley Thomas and Dina Gayanova co-authored an article in Daily Report detailing the U.S. Securities and Exchange Commission's (SEC) recently adopted cybersecurity risk management, strategy, governance and incident disclosure rules. Effective as of Dec. 18, 2023, these rules impose new compliance obligations on public companies, notably the requirement to disclose significant cybersecurity incidents within four days of determining their "materiality." Moreover, the regulations mandate annual governance disclosures relating to a company's oversight of cybersecurity risks and its management's role in assessing and managing those risks. The article underscores the necessity for companies to reassess their cybersecurity risk management, strategy and disclosure controls to comply with these groundbreaking requirements, emphasizing the importance of a well-coordinated response from data attorneys, securities attorneys and senior executives alongside an incident response team to navigate the rules effectively.