Ragen: The SEC’s Cybersecurity Rules

The U.S. Securities and Exchange Commission (SEC) released new rules in 2023 that standardize, clarify and enhance businesses’ obligations to disclose information about cybersecurity incidents and their policies and practices for managing cybersecurity threats and risk. In an article for OneTrust DataGuidance, Shook Associate Jacob Ragen gave an overview of the rules, outlining who is affected by them and what new obligations businesses face. 

In the article, titled “USA: The SEC’s Cybersecurity Rules,” Ragen said the rules require businesses to report material cybersecurity incidents within four days after they determine a cybersecurity incident was material. The SEC said businesses should determine whether a cybersecurity incident is material using the same standard the agency uses for other materiality determinations under securities law.

“More specifically, a cybersecurity incident is material if ‘there is a substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision, or if it would have ‘significantly altered the total mix of information made available’ to the shareholders or prospective investors,” he said. “Some factors that a business can consider when making their materiality determination may include data theft, loss of assets or intellectual property, damage to the business's reputation, or overall loss of business value and financial impact on the business.”
