PH Privacy
SEC Delays Finalized Cybersecurity Rules until Fall 2023
June 29, 2023
By Aaron Charfoos, Brad Bondi, & Jeremy Berkowitz
Based on recent changes to its rulemaking agenda, the Securities and Exchange Commission has postponed the much-anticipated release of its final rules for Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure for public companies until at least October 2023.
The new proposed rules were first released in March 2022 for public comment. They largely focus on enhancing cybersecurity requirements for public companies, including:
- Four-day disclosure timeframe for “material” cybersecurity incidents;
- Requirements around Board governance of cybersecurity;
- Increased disclosures on Board cybersecurity expertise;
- Enhanced disclosures on risk management, oversight, and cybersecurity; and
- Aggregation requirements for incidents that are non-material individually.
The SEC first released these proposed rules for comment in March 2022 and closed the comment period in May 2022. It temporarily re-opened the comment period between October 7, 2022 and November 1, 2022 due to a technical issue with the SEC’s website. Before this delay, it was widely expected that the final rules would be released this past spring.