Public companies will soon be required to provide increased transparency about cybersecurity incidents, risk management, strategy and governance as a result of new rules adopted by the Securities and Exchange Commission (the “SEC” or “Commission”) on July 26, 2023. These new disclosure requirements represent a significant expansion of the existing SEC disclosure guidance, which dates back to 2011 and 2018, and represent the SEC’s first disclosure requirements explicitly referring to cybersecurity risk and incident reporting in current and periodic reports.
Following an overview of the new rules, we identify practical considerations for registrants in preparing for the new disclosure requirements.
