In this episode of The Consumer Finance Podcast, Chris Willis is joined by Kim Phan, a partner in our firm’s Privacy + Cyber practice, to discuss the Securities and Exchange Commission’s new cyber risk management and incident disclosure rules for publicly traded companies. The rules, already in effect, detail the information a public company must report following a cybersecurity incident and the timeline for reporting. Chris and Kim also discuss the ongoing reporting obligations for a public company related to a cyber incident after the initial reporting phase, how the rules apply when cyber incidents involve a third party’s system, and if the SEC has struck the right balance between informing investors versus the possibility of educating hackers on a company’s cybersecurity defenses. They also address the rule’s new requirement for annual disclosures about a company’s cybersecurity risk management, strategy, and governance.
Transcript: SEC’s New Cyber Rules for Publicly Traded Companies (PDF)