SEC proposes new rules for public company cybersecurity risk management, strategy, governance & incident disclosures

New rules proposed by the Securities and Exchange Commission will require public companies to disclose material cybersecurity incidents shortly after they occur and describe how they are managing cyber risk, including at the board level. These rules are intended to provide investors with greater clarity on companies’ preparedness levels, but could increase liability for organizations and their directors and officers. To prepare for these new rules, public companies should work with compliance, legal and leadership teams to review cyber risk and security policies and practices while also considering the new rules’ insurance implications.
