The SEC’s new breach notification rule, adopted in July 2023, aims to bolster cybersecurity transparency and investor protection. Under this rule, publicly traded companies must disclose significant cybersecurity incidents to the SEC within four business days of determining that the incident is material. This prompt disclosure is intended to provide investors with timely and crucial information that could impact their investment decisions.
The rule mandates that the disclosure include details about the nature and scope of the incident, its potential impact on the company’s operations, and any steps being taken to address it. However, the rule also allows for delays in disclosure if immediate notification would pose a substantial risk to national security or public safety, subject to federal agency guidance.
The SEC emphasizes that materiality should be assessed in light of the incident’s potential impact on the company’s finances, operations, or reputation. Companies are required to update their disclosures if subsequent information significantly changes the understanding of the incident.
Additionally, the rule expands the scope of reporting beyond incident disclosure alone to also cover cybersecurity risk management, strategy, and governance. Companies must describe their policies and procedures for identifying and managing cybersecurity risks, their board’s oversight of cybersecurity, and how past incidents have influenced these processes.
This new rule reflects the SEC’s recognition of the growing significance of cybersecurity threats in the digital age. By enforcing timely and detailed disclosures, the SEC aims to enhance market transparency and ensure that investors are better informed about the cybersecurity risks and incidents affecting the companies they invest in.
For consulting contact:
WWW.BARETZKY.NET