Companies are facing more attacks on their information systems. And, as their cyber risk skyrockets, the SEC has stepped in with new regulations, telling businesses what to disclose about these incidents — and requiring detailed disclosures on cyber risk management more broadly. With the deadline for compliance fast approaching, businesses are scrambling to mitigate their legal risk and comply with regulations that some say may be an overreach.
Join The Sidley Podcast host and Sidley partner, Sam Gandhi, as he speaks with two of the firm’s thought leaders on these issues — Sonia Barros and Colleen Brown. Sonia is a partner in Sidley’s Capital Markets group and co-leader of the firm’s Public Companies practice. Colleen is a partner in the firm’s practices in Privacy and Cybersecurity, Commercial Litigation and Disputes, Crisis Management and Strategic Response, and Insurance. Together, they discuss the SEC’s newly adopted regulations for disclosing information on cyber risk and how companies and their boards can best comply.
Fenwick report: SEC Proposes New Rules to Enhance Reporting of Cybersecurity Issues
The proposed rules, issued on March 9, 2022 and set forth in Release No. 33-11038 (the Rule Proposal), would require current reporting on Form 8-K of material cybersecurity incidents, as well as periodic disclosures about a company’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing those policies and procedures, and the board’s cybersecurity expertise along with its role in overseeing cybersecurity risks.
The Top Cybersecurity Principles Every Board Member Must Know
Cyberattacks are the terrorism of today, hitting societies, commercial companies, and even individual citizens with data theft, money theft, ransomware, disruption of operations, public shaming, and loss of trust. The list of potential damage is long, and perpetrators hide on the dark web in jurisdictions outside of our control. The question is not whether you will be breached, but when, or whether it has already happened without your knowledge. When a company’s digital assets are compromised, what would have cost one dollar of prevention will cost up to a thousand dollars of damage control.