Navigating the U.S. Securities and Exchange Commission’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rules
Overview
The U.S. Securities and Exchange Commission (SEC) released the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rules in August 2023, requiring registrants to provide and report timely information about their cyber risk so that investors can make informed investment decisions. With the rules in place, the SEC expects companies to apply materiality considerations to cybersecurity incidents as they would to any other risk or event—through the lens of the reasonable investor. This article by Marsh outlines the recommended steps to help determine materiality moving forward.