TBC Blog New SEC Rules on Cybersecurity, Risk Management, & Disclosure

On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) expanded its cybersecurity and cyberattack reporting requirements for publicly traded companies. The rules take effect September 5, 2023, with compliance dates staggered between 2023 and 2024, and are dependent upon company size. Publicly traded companies are required to have a cybersecurity strategy in place and disclose their ability to identify, assess, contain, and manage cybersecurity risk. In addition, if victimized by a cyberattack of "material" importance, the new rules mandate that the company must report the attack to the SEC within four (4) business days.