SEC finalizes cybersecurity rules


Risk management and strategy

Registrants must provide in their Form 10-K a description of their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, including whether:

  • The described cybersecurity processes have been integrated into the registrant’s overall risk management system or processes, and how. 
  • The registrant engages assessors, consultants, auditors or other third parties in connection with such processes. 
  • The registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider. 

Registrants must also describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition, and if so, how.

Governance

The final rules require disclosures about the board of directors’ oversight of risks from cybersecurity threats and management’s role in assessing and managing material risks from cybersecurity threats. 


