Compliance Briefing — July 26, 2023
The U.S. SEC adopted final cybersecurity disclosure rules requiring public companies to report material cyber incidents within four business days and to enhance their annual risk management reporting.
Executive briefing: On July 26, 2023, the U.S. Securities and Exchange Commission approved Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules. Registrants must furnish Form 8-K Item 1.05 within four business days of determining a material cyber incident and include detailed annual disclosures about cyber risk oversight and management.
Immediate compliance priorities
- Materiality processes. Formalize cross-functional materiality assessments to support timely Form 8-K filings.
- Disclosure controls. Update disclosure committees, internal control frameworks, and escalation paths to integrate cybersecurity information.
- Board reporting. Prepare governance disclosures covering board oversight, management expertise, and risk management integration.
Control alignment
- Incident response. Align response playbooks and tabletop exercises with the four-business-day reporting obligation.
- Documentation. Maintain detailed records of cyber risk assessments, policies, and third-party management to substantiate annual reporting.
- Legal coordination. Integrate counsel review for privilege considerations and law enforcement delay requests permitted by the rule.
Enablement moves
- Train executives and boards on new disclosure expectations before compliance dates beginning December 2023.
- Deploy tooling to track incident lifecycle data, response timelines, and regulatory communications.
- Monitor SEC staff guidance and interpretive updates on materiality determinations.
Sources
- SEC press release on final cybersecurity disclosure rules
- SEC Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
Zeph Tech helps issuers stand up SEC-ready cyber disclosure controls, materiality workflows, and board reporting packs.