On July 26, 2023, the U.S. Securities and Exchange Commission adopted the highly anticipated cybersecurity risk management, strategy, governance and incident disclosure rules. These SEC rules introduce several cybersecurity compliance obligations for public companies, including time-sensitive incident reporting and governance disclosure requirements.

Public companies should promptly review and, if appropriate, amend their disclosure controls, procedures and processes to ensure that cybersecurity incidents are timely reported to personnel who are responsible for determining whether to make public disclosures under applicable securities laws. In addition, incident response plans should be reviewed to ensure that cybersecurity incidents are appropriately documented and investigated, escalated to the incident response teams and timely assessed for materiality and regulatory disclosure obligations.

Key Compliance Requirements