The big picture: On July 26, 2023, the SEC adopted amendments to its rules on cybersecurity risk management, strategy, governance and incident reporting by public companies subject to the reporting requirements of the Securities Exchange Act of 1934.
Why it matters: The SEC’s view is that cybersecurity threats and incidents pose an ongoing risk to public companies, investors and market participants, as evidenced by the growing number and greater frequency of occurrences of attacks being launched by cyber criminals who are using increasingly sophisticated methods. The amendments are intended to help assure both timely and consistent information about cybersecurity risks and incidents.
Of particular note: Organizations will have a window of four business days for reporting incidents.
Go deeper: In this Flash Report, we summarize the SEC’s adopted amendments to its rules on cybersecurity disclosures and provide guidance to public companies that will need to comply with these rules as soon as December 2023.