SEC Adopts Cyber Risk Management Rule for Public Companies

What Happened?

On July 26th, 2023, the SEC adopted rules requiring public companies “to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.”

Public companies will be required to disclose any cybersecurity incident deemed material, along with its nature, scope, timing, and impact, under Item 1.05 of Form 8-K within four business days of determining that the incident is material.

Under a new Regulation S-K Item 106, public companies will be required to state their procedures for assessing, identifying, and managing material risk from cybersecurity threats. This item will also be used to describe board oversight and management’s role in managing risks from cybersecurity threats.

The adopted rule aligns with Gurbir Grewal’s third principle on cyber enforcement: companies need to review and update cybersecurity policies on a specific cadence to remain up to date with evolving threats. Grewal further stated, “What worked 12 months ago probably isn’t going to work today, or at a minimum may be less effective.”

Next Steps:

The rule does not apply to RIAs but may indicate what’s to come for RIAs and further highlights the SEC’s focus on cybersecurity.

The proposed cyber risk management rule for RIAs will require a significant amount of time and enhancement to existing cybersecurity practices. Fairview Cyber offers turnkey solutions that address SEC requirements for cybersecurity, and our team of regulatory experts is available to answer any questions you may have regarding the proposed rules. To learn more, visit our Cyber Solutions page or contact us if you’d like to speak to one of our regulatory experts.