SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rules

Status
In Force
Citation
17 C.F.R. Parts 229, 232, 239, 240, 249

Also known as: SEC Cybersecurity Rules

The SEC's 2023 cybersecurity rules require public companies to disclose material cybersecurity incidents within 4 business days of determining materiality, and to provide annual disclosures about their cybersecurity risk management, strategy, and governance. The rules aim to give investors consistent, comparable information about how companies manage cybersecurity risks.

Jurisdiction
United States (Federal)
Regulator
Securities and Exchange Commission
Effective
9/5/2023
Sector
financial

Full Text / Summary

The rules create two primary disclosure obligations:

1. Incident Disclosure. Form 8-K Item 1.05 requires disclosure of material cybersecurity incidents within 4 business days of the materiality determination. Companies must describe the material aspects of the nature, scope, and timing of the incident, and its material impact or reasonably likely material impact. The DOJ can delay disclosure for national security reasons.

2. Annual Disclosure. Form 10-K requires a description of the company's processes for assessing, identifying, and managing material risks from cybersecurity threats; whether cybersecurity risks have materially affected or are reasonably likely to materially affect the company; the board's oversight of cybersecurity risk; and management's role in assessing and managing cybersecurity risks.

The rules do not require disclosure of specific technical information about vulnerabilities.