Top tips for business leaders on SEC cybersecurity disclosure rule

September 11, 2024
1 min read

TLDR:

  • Last year, the SEC mandated that public companies disclose material cybersecurity incidents to provide investors with timely and relevant information.
  • The rule requires public companies to disclose any material cybersecurity incident that could affect their financial condition or operations.

Investors view cyberattacks as a significant threat to businesses due to the potential financial losses, reputational damage, and impact on share prices. The SEC’s new cybersecurity disclosure rule aims to provide investors with more robust and timely information about cybersecurity incidents to help them make informed investment decisions. The rule standardizes the process for disclosing information and makes disclosures a binding requirement for public companies. Companies must determine the materiality of cybersecurity incidents, report them within four business days, and submit annual disclosures about cybersecurity risk management, strategy, and governance. Developing a plan to assess cyber incidents, determine their materiality, and involve key stakeholders is essential for compliance. While the SEC hasn’t specified penalties for noncompliance, the final rule is seen as a positive step towards enhancing cybersecurity and minimizing attacks, potentially leading to increased investments in technology and demand for cybersecurity expertise.

Latest from Blog

EU push for unified incident report rules

TLDR: The Federation of European Risk Management Associations (FERMA) is urging the EU to harmonize cyber incident reporting requirements ahead of new legislation. Upcoming legislation such as the NIS2 Directive, DORA, and