On July 26, 2023, the SEC issued its final rules for disclosing key information regarding cyber risk. The final rule addresses concerns over investor access to timely and consistent information related to cybersecurity risk – and comes at the end of 18 months of debate and discussion. While many wanted different outcomes in key areas, most of the suggestions and criticisms have been addressed.
Now the work begins – and time is short. The new rules focus on providing transparency to investors through formal disclosures via SEC forms. The three disclosures specified in the rules are:
- Cyber Risk Management: the strategies and processes used by the company in monitoring and managing cyber risk (annual).
- Cyber Risk Governance: the roles and responsibilities and backgrounds of those involved in monitoring and managing cyber risk (annual).
- Material Cyber Incidents: providing information regarding the nature, scope, timing, and impact of material incidents – using federal securities law in determining materiality from the perspective of a reasonable investor (within 4 business days of determination of a material incident).
CAP Group has released an Adoption Framework for understanding and preparing to comply with the new disclosures. Time is short – start now!