Privacy Chats with Rachel and John
Happy New Year! In Part 2 of 2 of our dual New Year's release of Privacy Chats with Rachel and John, we delve into the recently adopted SEC rules on cybersecurity risk management, strategy, governance, and incident disclosure by public companies.
With the rules in effect from December 18th and reporting requirements starting on December 25th, we explore the impact on investors and the motivation behind the SEC's decision. SEC Chair Gary Gensler emphasizes the materiality of cybersecurity incidents to investors, drawing attention to specific breaches that significantly affected shareholder value.
Our discussion covers oversight disclosure requirements for publicly traded companies, detailing the annual disclosure of their cybersecurity program on Form 10-K, as well as per-incident disclosure obligations on Form 8-K within four business days. The rule's formal intent is to provide timely transparency to shareholders about risks affecting financial performance, reputation, or compliance. While proponents believe it offers "decision-useful" information, opponents express concerns about being required to disclose an incident while an investigation is still ongoing.