Here are some of the new reports from law firms about the SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules (see a useful observation from Woodruff Sawyer after the list):
- SEC Adopts Comprehensive Cybersecurity Disclosure Requirements (link: https://www.cooley.com/news/insight/2023/2023-08-02-sec-adopts-comprehensive-cybersecurity-disclosure-requirements): This report by law firm Cooley LLP discusses the new cybersecurity disclosure requirements adopted by the U.S. Securities and Exchange Commission (SEC) on July 26, 2023. The new rules require public companies to disclose material cybersecurity incidents, as well as their processes for assessing, identifying and managing material cybersecurity risks.
- SEC Adopts New Cybersecurity Disclosure Rules (link: https://www.fenwick.com/insights/publications/sec-adopts-new-cybersecurity-disclosure-rules): This report by law firm Fenwick & West LLP provides an overview of the new SEC cybersecurity disclosure rules. The report discusses the requirements for disclosure of material cybersecurity risks and incidents, as well as the requirements for disclosure of a company’s cybersecurity risk management program.
- SEC Adopts New Rules on Cybersecurity Disclosure for Public Companies (link: https://www.gibsondunn.com/sec-adopts-new-rules-on-cybersecurity-disclosure-for-public-companies/): This report by law firm Gibson Dunn & Crutcher LLP provides a detailed analysis of the new SEC cybersecurity disclosure rules. The report discusses the requirements for disclosure of material cybersecurity risks and incidents, as well as the requirements for disclosure of a company’s cybersecurity risk management program.
- Although Scaled Back, the SEC’s Newly Adopted Cybersecurity Disclosure Rules Will Have a Significant Impact on Public Companies (link: https://www.goodwinlaw.com/en/insights/publications/2023/07/alerts-finance-dpc-although-scaled-back-the-secs-newly-adopted-cybersecurity): This report by law firm Goodwin Procter LLP discusses the new SEC cybersecurity disclosure rules, which were scaled back from an earlier proposal. The report discusses the requirements for disclosure of material cybersecurity risks and incidents, as well as the requirements for disclosure of a company’s cybersecurity risk management program.
- SEC Adopts Rules on Cybersecurity Risk Management Strategy, Governance, and Incident Disclosure by Public Companies (link: https://www.jenner.com/en/news-insights/publications/sec-adopts-rules-on-cybersecurity-risk-management-strategy-governance-and-incident-disclosure-by-public-companies): This report by law firm Jenner & Block LLP discusses the new SEC cybersecurity disclosure rules, which require public companies to disclose their cybersecurity risk management strategy, governance, and incident disclosure practices.
- SEC Adopts Rules for Cybersecurity Risk Management (link: https://www.skadden.com/insights/publications/2023/07/sec-adopts-rules-for-cybersecurity-risk-management): This report by law firm Skadden, Arps, Slate, Meagher & Flom LLP discusses the new SEC cybersecurity disclosure rules, which require public companies to disclose their cybersecurity risk management program.
- SEC Adopts Cybersecurity Disclosure Rules for Public Companies (link: https://www.wsgr.com/en/insights/sec-adopts-cybersecurity-disclosure-rules-for-public-companies.html): This report by law firm Wilson Sonsini Goodrich & Rosati discusses the new SEC cybersecurity disclosure rules, which require public companies to disclose material cybersecurity incidents, as well as their processes for assessing, identifying and managing material cybersecurity risks.
Among the useful observations are these from Woodruff Sawyer (there are more at this link): “The SEC asserts that the rule is not prescriptive as to what specific processes a company should have: There is a materiality qualifier and the SEC elected not to include a list of enumerated categories (e.g., privacy law violations, intellectual property theft, etc.). Rather, its intention is for the disclosure to match the company’s view of its own material risks.
The SEC, however, did include a non-exclusive list of required disclosure items and uses the fig leaf of disclosure to pretend it is not being prescriptive about processes. For example, the SEC now requires that companies describe “whether and how”:
- Cyber risk management has been integrated into the rest of a company’s risk management process
- The company has processes to oversee and identify cyber risks stemming from its use of third-party providers
- The company relies on third parties in connection with any of its relevant processes.
No company would say “No, we are not doing any of these things,” thus effectively making at least the first two bullets essentially mandatory for public companies.”