The SEC has now finalized its much anticipated rules for public companies’ cybersecurity disclosures. The final rules, published this month, require disclosure of certain cybersecurity incidents much sooner than under many other breach notification regimes. Additionally, the final rules require new periodic disclosures about a company’s processes to assess, identify, and manage material cybersecurity risks and about the roles of management and the board of directors in managing or overseeing those cybersecurity risks. These new requirements vary from the SEC’s prior (2018) guidance, and unlike in the past, are now codified under the Securities Exchange Act of 1934 and the Securities Act of 1933.
Kari M. Rollins is a partner in the Intellectual Property Practice Group and Office Managing Partner of the New York office.