10 Steps Legal Departments Should Be Taking to Prepare for the SEC’s Newly Adopted Cybersecurity Risk Governance Rule for Public Companies

On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) adopted final rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incident reporting by public companies subject to the Securities Exchange Act of 1934. The final rules passed by a narrow 3-2 vote, which is representative of the compromise required to enact these much commented on rules that will be burdensome, especially for public companies with underdeveloped cybersecurity programs. The adoption of these SEC cybersecurity rules demonstrates that cybersecurity is a top corporate risk today and that the SEC is arming investors with information to better evaluate it. In Commissioner Caroline Crenshaw’s statement on the SEC rules’ adoption, she noted that, “cybersecurity breaches reported by public companies increased by nearly 600% in the last decade and the costs, borne by issuers and their investors, are estimated to be in the trillions of dollars per year in the U.S. alone.” Since cybersecurity risks and the cost of resolving cyber incidents have increased alongside the digitalization of operations, the growth of remote work and the increasing reliance on third-party service providers for information technology services, the SEC has determined investors require more consistent, comparable, decision-useful and transparent disclosures to evaluate a company’s exposure to cybersecurity risks and incidents as well as a company’s ability to manage and mitigate those risks.