New SEC Rule Increases Focus on Cybersecurity for Public Companies

Jane Norberg, Securities Enforcement & Litigation partner, and Government Contracts and National Security partner Ronald Lee were quoted in the Law360 article, “SEC Rules Making Cyber Disclosures Public May Raise Risk.” The article discusses the U.S. Securities and Exchange Commission’s recently finalized cybersecurity rule which requires public companies to publicly reveal significant data breaches within four business days and make annual disclosures about their cybersecurity risk management strategies and practices.

The SEC has listed cybersecurity as one of its top enforcement priorities, making companies focus on the issue. Lee told Law360 that the SEC’s rule pushes public companies to move “cybersecurity processes and personnel even more into the mainstream” of their operations and governance.

Norberg, former Senior Officer in the Division of Enforcement and Chief of the SEC’s Office of the Whistleblower, told Law360 that the “threshold issue” for most public companies will be determining which incidents will “trigger the four-day reporting requirement,” especially amidst the growing number of cybersecurity incidents each day.

» Read the full article (subscription required).