The Securities and Exchange Commission has acknowledged a fundamental change for enterprise operations today: cybersecurity risk is business risk.
New SEC rules mandate that businesses disclose material cybersecurity incidents and outline governance procedures, raising the bar for what businesses disclose to investors and when.
Questions linger, including what counts as material, but as enforcement of the rules takes effect later this year, themes around how and when businesses will disclose security incidents will emerge.
Cybersecurity Dive is closely tracking the SEC’s rules and their ramifications. We’ve rounded up the story thus far, but if you have a question about the rules or an idea for us to pursue, email us at [email protected].