SEC Proposes New Rules for Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure

Partners Brian Breheny, Raquel Fox, Marc Gerber and William Ridgway review rules recently proposed by the SEC that are intended to enhance and standardize disclosures by public companies regarding cybersecurity risk management, strategy and governance, as well as cybersecurity incident reporting. Although SEC rules have long required companies to disclose information about material cybersecurity incidents, the proposed rules would impose a four-day deadline. Companies should consider whether their current cybersecurity incident response plans include adequate escalation and assessment protocols to meet that deadline.