Takeaways From the SEC’s Cybersecurity Risk Management Report

The SEC finalized its disclosure rules for cybersecurity risk management, strategy, governance, and incidents on July 26^th. A proposed requirement that all boards of publicly-traded companies must have cybersecurity expertise on call was not adopted. Opponents noted a lack of expertise in the marketplace that would make it difficult to comply. However, boards must now describe how they oversee risk from cybersecurity threats, and management’s role in assessing those risks, in their annual Form 10-K. In their Form 8-K, they must disclose “any cybersecurity incident that they experience that is determined to be material” and describe “material aspects” of the incident within four business days of making that determination. There are rules about materiality, among them, if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision.