left-caret

PH Privacy

SEC Cyber Rules Published in Federal Register

August 04, 2023

By Sean Donahue,Brad Bondi,Aaron Charfoos,Kenneth P. Herzinger,Spencer Francis Young,& Jeremy Berkowitz

The SEC’s Cybersecurity Risk Management Strategy, Governance, and Incident Disclosure Rules were officially published in the Federal Register on August 4, 2023 and go into effect on September 5, 2023.

This officially affects the timing of when companies will need to start complying with the new rules around disclosures of material cybersecurity incidents. When the SEC first released the rules last week, it stated that companies would need to start making these disclosures by the later of two dates, 1) 90 days after publication in the Federal Register or 2) December 18, 2023. Given the date of publication, the rules published in the Federal Register now clearly state that companies will need to start to comply with the incident disclosure rules on December 18. Small reporting companies will have an additional 270 days and must begin making such disclosures on June 15, 2024.

Additionally, companies whose fiscal years end on/or after December 15, 2023 will be required to begin making disclosures on their annual reports regarding cybersecurity governance.

As discussed in our analysis last week, it is imperative that companies begin preparing for compliance with these new rules immediately, including ensuring that cybersecurity is integrated into your company’s compliance regime and building/reinforcing clearly defined escalation processes.  

Contributors

Image: Sean Donahue
Sean Donahue

Partner, Corporate Department


Image: Brad Bondi
Brad Bondi

Partner, Litigation Department


Image: Aaron Charfoos
Aaron Charfoos

Partner, Litigation Department


Image: Kenneth P. Herzinger
Kenneth P. Herzinger

Partner, Litigation Department


Image: Spencer Francis Young
Spencer Francis Young

Senior Practice Group Attorney


Image: Jeremy Berkowitz
Jeremy Berkowitz

Senior Privacy Director and Deputy Chief Privacy Officer


Practice Areas

Data Privacy and Cybersecurity


For More Information

Image: Sean Donahue
Sean Donahue

Partner, Corporate Department

Image: Brad Bondi
Brad Bondi

Partner, Litigation Department

Image: Aaron Charfoos
Aaron Charfoos

Partner, Litigation Department

Image: Kenneth P. Herzinger
Kenneth P. Herzinger

Partner, Litigation Department

Image: Spencer Francis Young
Spencer Francis Young

Senior Practice Group Attorney

Image: Jeremy Berkowitz
Jeremy Berkowitz

Senior Privacy Director and Deputy Chief Privacy Officer