Act now: SEC adopts cybersecurity and disclosure rules for public companies

Navigating SEC cybersecurity disclosure rules – essential actions for public companies

Public companies now face new cybersecurity disclosure requirements from the Securities and Exchange Commission (SEC), which voted last week to approve new cybersecurity rules requiring the disclosure of material cybersecurity incidents and cybersecurity risk management, strategy, and governance by public companies, including foreign private issuers.

These SEC rules will have a major impact on all publicly traded companies in the U.S.

Any public company doing business in the United States will need to assess its cybersecurity to make sure it complies with the new rules. Depending on their cyber preparedness, some companies may need to make significant adjustments or changes to their cybersecurity strategy.

Mazars can help you prepare now

The new requirements require public companies to, among other things,

  • Disclose a material cybersecurity incident within four business days on Form 8-K 90 days after publication in the Federal Register or by Dec. 18, 2023, whichever is later. Smaller reporting companies are given an additional 180 days to comply.
  • Describe its processes for assessing, identifying and managing material risks from cybersecurity threats and whether those risks are reasonably likely to materially affect its business strategy, operations or financial condition.
  • Disclose its cybersecurity governance practices, including the board's oversight of cybersecurity risk and management's process to manage, monitor, detect, mitigate and remediate cybersecurity incident on Form 10-K or 20-F for the fiscal year ending on or after December 15, 2023.

How Mazars can help you prepare now:

  • Complete assessment of existing disclosure controls and procedures
  • Create, or enhance, a cybersecurity framework and policies including penetration testing
  • Implement an incident response program
  • Prepare organizations on proper disclosure forms
  • Internal training and education

Act now for what’s next – Contact us today to speak with one of our cybersecurity specialists to discuss these rules and how Mazars can help you prepare.

The information provided here is for general guidance only, and does not constitute the provision of tax advice, accounting services, investment advice, legal advice, or professional consulting of any kind. The information provided herein should not be used as a substitute for consultation with professional tax, accounting, legal or other competent advisers.