United States of America: Implemented SEC Rules on Cybersecurity Disclosure by Public Companies requiring registrants to disclose incidents and information regarding risk management
Compare with different regulatory event:
Description
Implemented SEC Rules on Cybersecurity Disclosure by Public Companies requiring registrants to disclose incidents and information regarding risk management
On 5 September 2023, the Securities and Exchange Commission (SEC) implemented Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies. Registrants would have to disclose cybersecurity incidents they determine to be material and provide a description of the incident. Furthermore, an annual report with a description of processes for assessing, identifying, and managing material risks from cybersecurity threats, as well as the effects of risks from cybersecurity threats and previous cybersecurity incidents, must be provided to the SEC. Comparable disclosures must be made by foreign private issuers.
Original sourceScope
Policy Area
Data governance
Policy Instrument
Cybersecurity regulation
Regulated Economic Activity
cross-cutting
Implementation Level
national
Government Branch
executive
Government Body
other regulatory body
Complete timeline of this policy change
Hide details
2022-03-09
in consultation
2022-05-09
processing consultation
2023-07-26
adopted
2023-09-05
in force
2023-12-19
in force