SEC Adopts Rules for Public Companies and Foreign Private Issuers on Cybersecurity Risk Management and Incident Disclosures

On July 26, 2023, the Securities and Exchange Commission (the “SEC”) adopted new rules (the “Rules”) that will require public companies and foreign private issuers to disclose material cybersecurity incidents within four business days of discovering such an incident, and to provide information regarding their cybersecurity risk management, strategy, and governance in their annual reports. In February 2022, the SEC proposed separate but similar rules relating to cybersecurity risk management for registered investment advisers and registered investment companies (“Proposed Rules Regarding Investment Advisers and Investment Companies”). The Proposed Rules Regarding Investment Advisers and Investment Companies have not been adopted as of the date of this blog.

Under the newly adopted Rules, certain reporting and disclosure requirements will become effective starting in December 2023. For additional details on the Rules, compliance obligations, and other considerations for public companies and foreign private issuers, please see an alert from our Corporate team. For more information about the Proposed Rules Regarding Investment Advisers and Investment Companies, please see our previous blog post.

If you have any questions about the Rules, the Proposed Rules Regarding Investment Advisers and Investment Companies, or the regulation of reporting companies generally, please feel free to contact us.


By the Investment Management and Broker-Dealer Team at Kilpatrick Townsend & Stockton

