This practice note provides guidance on the disclosure of cybersecurity risks and incidents that public companies should include in their offering materials and periodic reports filed with the Securities and Exchange Commission (SEC). The practice note explains the SEC’s focus and rulemaking activities on cybersecurity issues, such as the 2018 interpretive guidance on disclosing material cybersecurity risks and incidents, and the 2023 final rules on enhancing and standardizing cybersecurity disclosure. The practice note also discusses some examples of cybersecurity-related disclosures in different sections of the documents, such as the risk factors, business, and management’s discussion and analysis (MD&A) sections. The examples highlight how companies may provide detailed and specific information on the nature and magnitude of cybersecurity risks or prior incidents, the actual or potential harms and costs of a cyber breach, the legal and regulatory requirements and implications, and the policies and procedures to address cybersecurity issues. Finally, the practice note offers some practical advice on how to prepare and enhance the required disclosures on cybersecurity risks and incidents, taking into account the materiality, completeness, and accuracy of the information, as well as the balance between providing sufficient details and safeguarding sensitive information.

See a preview of the piece here, and the complete piece here.