Corruption Crime & Compliance

SEC Adopts Robust New Cybersecurity Disclosure Rules



In this episode of Corruption, Crime and Compliance, Michael Volkov delves into the SEC’s groundbreaking adoption of robust cybersecurity disclosure rules. This pivotal change marks a significant shift in the compliance landscape, requiring public companies to not only disclose cybersecurity incidents but also unveil their governance policies and practices. 


You’ll hear him discuss:

  • The SEC's adoption of new cybersecurity disclosure rules, a process spanning over a year, comes as a transformative step in the regulatory landscape.
  • One of the most noteworthy changes is the requirement for companies to file Form 8-K to disclose material cybersecurity incidents within four business days of determining materiality. 
  • This significant change allows for a more measured assessment of materiality before disclosure, a departure from the previous trigger of four days from becoming aware of the incident.
  • Alongside incident disclosure, the new rules mandate that all public companies include comprehensive cybersecurity risk management and governance disclosures in their annual Form 10-K filings. This move underscores the necessity for companies to integrate cybersecurity into their broader enterprise risk management processes.
  • Companies are required to disclose the board committees or subcommittees responsible for cybersecurity oversight, outlining their processes for monitoring cybersecurity risks and reporting incidents.
  • The reach of these rules extends to third-party information systems, including those of vendors and suppliers. This amplifies the importance of thorough due diligence in assessing the information security systems and risks of external partners.


KEY QUOTES:

“You can't just sit on an incident and not make a determination, analyze it, and delay, delay as a way to avoid that materiality determination.” - Michael Volkov


“The SEC expects companies to analyze qualitative factors when assessing materiality, including harm to reputation, customer and vendor supply relationships, and the impact of regulatory actions and civil litigation.” - Michael Volkov


“Additionally, companies have to go even more comprehensive in their disclosures to …describe management procedures and practices for assessing and mitigating cybersecurity risks.” - Michael Volkov


Resources

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group


Corruption Crime & Compliance, by Michael Volkov


