ARTICLE
1 August 2023

SEC Adopts Final Rules On Public Company Cybersecurity Disclosures Of Incidents And Processes

Mayer Brown

Contributor

Mayer Brown is a distinctively global law firm, uniquely positioned to advise the world’s leading companies and financial institutions on their most complex deals and disputes. We have deep experience in high-stakes litigation and complex transactions across industry sectors, including our signature strength, the global financial services industry.

Background and Summary Table

On July 26, 2023, the U.S. Securities and Exchange Commission (the "SEC") issued a release (the "Adopting Release"), adopting final rules (the "Final Rules") aimed at standardizing and enhancing disclosure relating to cybersecurity incidents and risk management processes.[1] The SEC had proposed rules (the "Proposed Rules") on March 9, 2022.[2] The Final Rules reflect the considerable comments received on the Proposed Rules, resulting in far narrower and more streamlined requirements, though still imposing significant new requirements on registrants.

The SEC has focused on cybersecurity issues for some time, having provided staff guidance in 2011 and a report detailing its investigation of several public companies that were victims of cybersecurity-related incidents. In 2018, the SEC issued interpretive guidance requiring public companies to disclose material cybersecurity risks and incidents. Registrants already provide significant disclosures in their periodic reports and offering materials regarding cyber risks, incidents, and related investigations or litigation to the extent material. In fact, the Adopting Release, in its economic analysis, noted that disclosures of efforts to mitigate cybersecurity risk were found in 99 percent of proxy statements or Forms 10-K from 2020 to 2022.[3]

With the Final Rules, public companies will be required to report (1) material cybersecurity incidents and (2) cybersecurity risk management processes in a more standardized manner, subject to specific timelines, in order to provide greater comparability of disclosures. The information required to be disclosed under the Final Rules, as well as the timing and the means of disclosure, are summarized in the following table, followed by detailed discussion and concluding with practical considerations for company general counsel and other officers and directors.

Click here to continue reading . . .

Footnotes

1. See Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release No. 33-11216; 34-97989; File No. S7-09-22 (Jul. 26, 2022), available at https://www.sec.gov/files/rules/final/2023/33-11216.pdf ("Adopting Release")

2. See Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release No. 33-11038; 34-94382; IC-34529; File No. S7-09-22 (Mar. 9, 2022), available at https://www.sec.gov/files/rules/final/2023/33-11038.pdf ("Proposing Release")

3. See EY CTR FOR BD. MATTERS, How Cyber Governance and Disclosures are Closing the Gaps in 2022 (Aug. 2022), available at https://www.ey.com/en_us/board-matters/how-cyber-governance-and-disclosures-are-closing-the-gaps-in-2022.

Visit us at mayerbrown.com

Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.

© Copyright 2023. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.
