Policy Explainer

SEC Pushes Ahead with New Cyber Rules

At the tail end of July, the SEC finalized a proposed rule requiring incident and other disclosures. The new rule is already facing significant industry backlash, with even the Chamber of Commerce slamming the regulatory body for “choosing speed over accuracy” in pushing out this final rule. In a “combative” open hearing, the SEC decided to move forward with the rule and is unlikely to backpedal, meaning covered entities will need to move fast to ensure compliance.

This new rule will require that all entities under the jurisdiction of the SEC report “material” cyber events within 4 days of discovery and will go into effect on September 5, 2023. The final rule does not differ significantly from the proposed rule that Consortium Networks covered back in May, but it does back down from requiring boards to disclose cyber expertise and provides transition guidelines as companies move towards compliance.

While this rule does not require specific cybersecurity safeguards to be put in place, it does play on an organization’s fear of being the outsider among peers. Requiring all of this information to be reported to the SEC will lead to it being considered in investment decisions and thus provides sufficient incentive not only to comply with the disclosure requirements, but also to bolster cybersecurity programs to avoid the need for disclosure at all.