The SEC recently implemented new rules obligating public companies to disclose material cybersecurity incidents and provide annual disclosures about their cybersecurity risk management, strategy, and governance. SEC Chair Gary Gensler emphasized that incidents like cyberattacks can have a significant impact on investors.

Under the new rules, companies must report any material cybersecurity incidents on Form 8-K, Item 1.05, including details about the incident's nature, scope, timing, and material impact. The report is typically due four business days after determining the incident's materiality, with rare exceptions for national security concerns.

Regulation S-K Item 106 also requires companies to describe their processes for identifying, managing, and assessing material risks from cybersecurity threats. They must also outline the board of directors' oversight of cybersecurity risks and management's role and expertise in dealing with such risks, to be included in their annual report on Form 10-K.

Information governance best practices can aid public companies in complying with these rules effectively:

Data Inventory and Classification: Companies need a clear understanding of their data assets to manage cybersecurity incidents. Information governance helps in creating a comprehensive data inventory and classifying data based on sensitivity to prioritize protection.

Incident Response Planning: Having a well-defined incident response plan is crucial. Information governance establishes a robust framework, including roles, responsibilities, and communication protocols aligned with disclosure requirements.

Data Retention and Destruction Policies: Proper data retention and destruction policies are essential for complying with the disclosure requirements. Information governance ensures that relevant data is retained while unnecessary data is securely disposed of.

Cybersecurity Risk Assessment: Information governance aids in conducting thorough risk assessments, identifying potential cybersecurity threats, and quantifying their material impact, which informs the required disclosures.

Board Oversight and Management Expertise: Demonstrating board involvement in cybersecurity oversight is essential. Information governance facilitates documenting board oversight practices and management's expertise in handling cybersecurity threats.

By implementing information governance best practices, public companies can strengthen their cybersecurity posture, ensure accurate reporting, and demonstrate sound governance practices in compliance with the SEC rules.