SEC Requires Cybersecurity Incident and Oversight Disclosures

Last week the Securities and Exchange Commission adopted rules requiring public companies to notify shareholders of any “material” cybersecurity incident within four business days of determining that the incident rises to that level. The SEC’s rules also require regulated companies to describe in their annual 10-K forms what processes they use for assessing, identifying, and managing material risks from cybersecurity threats, as well as what expertise and oversight their board of directors employs regarding risks from cybersecurity threats. EPIC submitted a letter comment in the SEC’s rulemaking urging the Commission to ensure that consumers receive timely notification so that they can protect themselves from the downstream harms that often occur after a data breach, including non-financial harms. EPIC’s letter applauded the SEC for its attention to data security and anticipated that companies would improve their data security practices to prevent the incidents that trigger the newly-required disclosures.