Navigating the New SEC Cybersecurity Rules: A Deadline Reminder and FAQs
The financial sector is bracing for a significant shift with the U.S. Securities and Exchange Commission (SEC) “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” rule taking effect on December 18, 2023.
As the deadline looms, financial firms must have mechanisms in place to comply with cybersecurity reporting and disclosure requirements on annual and periodic forms.
What does this mean for your company?
Public companies subject to the reporting requirements under the Securities Exchange Act of 1934 must disclose any cybersecurity incident that is “determined to be material”[i] and describe the material aspects of the incident on amended Form 8-K within four business days of determining an incident was material. Additional periodic reporting is also required to disclose any previously unreported material cyber incidents or material “changes, additions, or updates” on quarterly report Form 10-Q or annual report Form 10-K, whichever is next in the reporting sequence.