SEC adopts final rule on cybersecurity risk

The Securities and Exchange Commission today adopted a final rule requiring publicly traded companies to disclose material cybersecurity incidents they experience within four business days. The rule also requires companies to disclose on an annual basis material information regarding their cybersecurity risk management, strategy and governance.

According to the rule, registrants must describe their processes, if any, for the assessment, identification and management of material risks from cybersecurity threats. Companies must describe their board’s and management’s oversight of risks from cybersecurity threats. They also must disclose any cybersecurity incident they experience that is determined to be material, as well as its nature and possible effects. The public disclosure may be delayed if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.

Last year, the American Bankers Association and other associations raised concerns with the proposal, saying the rule could potentially harm investors by prematurely publicizing a company’s vulnerabilities.