
New SEC Cyber Rules Passed

At the July 26, 2023, Securities and Exchange Commission open meeting, the SEC commissioners voted to adopt the SEC's proposed cybersecurity rules that will affect both the annual SEC reports and supplemental disclosures. Obviously these rules could have a huge impact on publicly traded companies and other companies regulated by the SEC. Curiously, these written rules are not yet available. However, the content of the public meeting does provide us with some insight:

  • Effective Dates: These new rules will apply to annual reports beginning on December 15, 2023. Material incidents occurring after December 18, 2023, will be covered by the new, enhanced notice requirements.
  • Board Expertise: The rules require disclosure of the relevant expertise of any members of management or committees who assess and manage the company's cyber risks. This is a requirement that companies should closely scrutinize, as there may be later consequences.
  • Disclosure Timing: Cyber events (such as breaches) must be disclosed within four business days from the time that a breach is determined to be "material." It bears emphasis that this requirement is different from a deadline of four days from learning of the breach. This "materiality" inquiry will provide welcome flexibility to companies responding to these destabilizing cyber events.
  • Disclosure Content: Regulated companies are required to disclose the material aspects of the nature, scope and timing of the incident, as well as the incident's material impact or reasonably likely material impact.
  • Permitted Delays: If the U.S. Attorney General determines that disclosure poses a substantial risk to national security or public safety, and notifies the SEC, disclosure delays of up to 120 days can be triggered. These comprise what appear to be an automatic 30-day delay and then possible additional delays of 30 and 60 days. Those permitted delays appear to be automatic, while additional delays beyond those 120 days may be granted. As noted by Brian Levine of EY Parthenon, this mechanism would appear to incentivize law enforcement cooperation.

All in all, these are interesting developments. I will write more when the written rules are available.
