Cyber security banner

SEC Cybersecurity Rules for Public Companies Finalized

SEC Cyber Rules for Public Companies

The Securities and Exchange Commission (SEC) has finalized rules that will, among other things, require public companies to disclose ‘material’ cybersecurity incidents within 4 days.

The Commission’s rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies were first proposed in March of 2022 in an effort to protect investors and lend further transparency to the market.

Final Cybersecurity Rules for Public Companies

Among the key requirements laid out in the final rules, which were adopted following a 3-2 vote along party lines:

  • Disclosure of ‘material’ cyber incidents: Companies must disclose cybersecurity breaches and incidents within four (4) business days of determining the incident poses or posed a ‘material’ impact to the company’s finances. Disclosures will be required via a new section of Form 8-K.
  • Reporting on cybersecurity risk management and governance programs: Companies must disclose details on their cybersecurity risk management programs – including how they assess, identify and manage cybersecurity risks.
  • Disclosure of management’s role and expertise: Public companies will be required to describe how their board of directors oversees cybersecurity risk management as well as management’s role and expertise with regard to cybersecurity.

The SEC did not follow through on a proposed requirement to mandate a cyber expert on a company’s board of directors.

The final rules will become effective 30 days following publication of the release in the Federal Register. Cyber incident disclosure rules will be effective beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023.

Separately, the SEC has also proposed cyber risk management rules for registered investment advisers (RIAs) and funds. Final rules are expected to pass the Commission in October 2023.

What You Should Do Now to Enable SEC Compliance

Public Companies

The compliance window for public companies is narrow, which means if you have not started preparing, you are already behind. In addition to gathering your internal leaders to review the requirements, you should begin reviewing and updating your existing risk management plans and identifying gaps that need to be remediated. If you need to schedule a vulnerability assessment or would like to discuss managed cybersecurity services, contact our team.

Registered Investment Firms

And if you’re an RIA or other SEC-registered investment fund and awaiting final guidance from the Commission on their cybersecurity risk management rules (expected in October), be sure to read the Key Takeaways from our SEC Cybersecurity Webinar, featuring Stradley Ronon and Omega Systems, which outline the key proposals that RIAs should start planning for and thinking through in order to enable future SEC compliance.


Omega Systems SEC Compliance Readiness Services

Omega Systems has the proven cybersecurity and compliance expertise to help guide your firm through the SEC compliance management process. Whether you need a comprehensive risk assessment and benchmarking analysis, automated data discovery and vulnerability scanning, professional vCISO advisory and guidance or a combination of all three, our team can help. Learn more about our SEC Cybersecurity Compliance Services and contact our team to get started.

Previous Article7 Emerging Cybersecurity Challenges Posed by ChatGPT
Next Article Hedge Fund Cybersecurity Tips
Your Website Title SEC Cybersecurity Rules for Public Companies Finalized | Omega