Partner Erin Martin spoke with Law360 about final cybersecurity disclosure rules from the US Securities and Exchange Commission (SEC) requiring public companies to disclose material cybersecurity incidents and their cybersecurity risk management, strategy, and governance procedures. Erin noted that the SEC has long signaled the potential for disclosure obligations for both cyber risks and incidents.
"So what this rulemaking is doing is codifying that position that cyber events are material and disclosure is warranted on a prompt basis, and that mandate does make it easier for the commission to establish where someone has or has not met the basic requirement of disclosure for material events and creates the potential for elevated enforcement," Erin said.