BREAKING NEWS (and happy summer!): Yesterday, the SEC adopted rules that significantly increase disclosure around a company's cybersecurity incidents, risk management, and strategy. The stickiest point is that companies must determine whether any cyber incidents are material, and if they are, they have four days to disclose the incident on an 8-K. How much time can you take for that? Good question, but you probs need to be sure you aren't wasting any time and are contemporaneously documenting your analysis in case the SEC asks for it (because I wouldn't be surprised if they do). But take heart, you can get a (temporary) reprieve in disclosure so long as you persuade none other than the US Attorney General to provide a written note (and please let me know how that convo goes, lol). Add cyber breaches to the list of materiality analyses that SEC teams need to have on their radar (which includes human capital and climate risk under EXISTING disclosure rules). Check out the blog using the link below.
The SEC also signaled it's about to ask more questions to China-based companies and their connection to the Chinese government or the Chinese Communist Party. The China-based, SEC registrant drama continues...
And last, I've been thinking about AI for financial reporting A LOT lately. We put out a blog you'll want to check out!
~Cybersecurity blog
~AI blog
Cybersecurity fact sheet
China-specific sample letter
[This was cross-posted from LinkedIn]
------------------------------
Steve Soter
Executive Advisor
SEC. ESG & SOX Pro Groups
------------------------------