On July 26, 2023, the SEC (U.S. Securities and Exchange Commission) approved new rules regarding cybersecurity risk management, strategy, governance, and incident disclosure by public companies.
The new rule requires publicly traded companies to provide details of a cyber incident within four business days of identifying the breach. Four days may seem a bit aggressive, but some countries have much stricter guidelines. For example, India has a six-hour breach notification rule.
The SEC also added Regulation S-K Item 106, which requires public companies to disclose information regarding their cybersecurity risk management, strategy, and governance annually in the registrant’s Form 10-K.
If you do not have a well-documented incident response and communication plan, now is the time to begin working on one! Our IT specialists can assist you in complying with these new regulations. You can find more information on the new rules at https://www.sec.gov/news/press-release/2023-139.