SEC Disclosure Rules for Cybersecurity

Well, we’ve all known it was coming. The Securities and Exchange Commission (SEC) released its final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure on July 26, Final rules require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (“Inline XBRL”).

The SEC has monitored registrants’ disclosure practices as cybersecurity risk has evolved. The final cybersecurity rules evolved from several events over the years, including disclosure and commission level guidance.

• In 2011 guidance was issued by the SECs division of corporate finance.
• In 2018 Commission level disclosure rule guidance was released.
• In August 2021, eight firms were sanctioned by the SEC for failures in their cybersecurity policies and procedures.
  • These sanctions prompted the SEC in March 2022, to propose cybersecurity rules for public companies.
• Final rules were issued in July 2023.

This session is dedicated to providing an overview of the new disclosure rules and discuss areas where organization’s need to be prepared to ensure appropriate compliance with the rules.