The Securities and Exchange Commission (SEC) has finalized rules that will, among other things, require public companies to disclose ‘material’ cybersecurity incidents on Form 8-K within four business days of determining that an incident is material.
The Commission’s rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies were first proposed in March of 2022 in an effort to protect investors and lend further transparency to the market.
Among the key requirements laid out in the final rules, which were adopted following a 3-2 vote along party lines:
The SEC did not adopt the proposed requirement that companies disclose whether any member of the board of directors has cybersecurity expertise.
The final rules will become effective 30 days following publication of the release in the Federal Register. The Form 8-K incident disclosure requirement will apply beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023; smaller reporting companies get an additional 180 days before they must begin providing that disclosure.
Separately, the SEC has also proposed cyber risk management rules for registered investment advisers (RIAs) and funds. Final rules are expected to be adopted by the Commission in October 2023.
The compliance window for public companies is narrow, which means if you have not started preparing, you are already behind. In addition to gathering your internal leaders to review the requirements, you should begin reviewing and updating your existing risk management plans and identifying gaps that need to be remediated. If you need to schedule a vulnerability assessment or would like to discuss managed cybersecurity services, contact our team.
And if you’re an RIA or other SEC-registered investment fund awaiting final guidance from the Commission on its cybersecurity risk management rules (expected in October), be sure to read the Key Takeaways from our SEC Cybersecurity Webinar, featuring Stradley Ronon and Omega Systems. They outline the key proposals that RIAs should start planning for and thinking through now in order to be ready for future SEC compliance.
Omega Systems has the proven cybersecurity and compliance expertise to help guide your firm through the SEC compliance management process. Whether you need a comprehensive risk assessment and benchmarking analysis, automated data discovery and vulnerability scanning, professional vCISO advisory and guidance or a combination of all three, our team can help. Learn more about our SEC Cybersecurity Compliance Services and contact our team to get started.