PH Privacy
SEC Cybersecurity Incident Disclosure Report
December 18, 2024
By Sherrese M. Smith, Michelle A. Reed, Aaron Charfoos, Dave Coogan, & Jeremy Berkowitz
Paul Hastings released its SEC Cyber Incident Disclosure Report today, providing a unique look at how public companies have responded to new incident disclosure requirements. The Securities and Exchange Commission (SEC) approved new rules in July 2023 on Cybersecurity Risk Management, Strategy, Governance and Incident Disclosures, requiring public companies to disclose material cybersecurity incidents that impact their organizations within 96 hours of determining that they are “material.” This report discusses analysis and trends noted in these disclosures, including:
- The amount of time between when a public company is made aware of an incident and when it files a disclosure with the SEC;
- Which individuals are filing the required SEC disclosures on behalf of their public companies;
- What information is being included in these disclosures and how public companies and the SEC are determining “materiality” as it relates to an incident;
- Which industries have been most affected by the new SEC rules; and
- How threat actors have chosen to exploit the new rules to blackmail public companies.
The Paul Hastings Data Privacy and Cybersecurity team regularly advises on compliance with cybersecurity regulations. We are happy to answer any questions related to the report, or how your organization may be affected by these rules.