
A Fresh Take

Insights on M&A, litigation, and corporate governance in the US.


SEC’s Cybersecurity Disclosure Rules Delayed Until October 2023

On June 13, 2023, the Securities and Exchange Commission released the Spring 2023 Regulatory Agenda, which delayed the anticipated date that final rules would be issued for two cybersecurity rules until at least October 2023.

Cybersecurity Disclosure Rules for Public Companies. As previously reported in our March 2022 post, the Commission proposed rules requiring public companies, first, to disclose a cybersecurity incident within four business days of determining the incident to be material and, second, to make ongoing disclosures about a company’s cybersecurity governance, risk management, and strategy. Foreign private issuers also have certain Form 6-K disclosure obligations, which the Commission has proposed should include “cybersecurity incidents” as well as obligations to disclose material changes, additions or updates on previously reported cybersecurity incidents. From the Commission’s latest timetable, final action is not anticipated on these proposed rules until at least October 2023.

It is difficult to predict what may be driving the delay, as the Commission had originally aimed for April 2023 to finalize the rules. In the aftermath of the release, amongst many comments on the proposal, the FBI publicly disagreed with a requirement in the proposal that obliged reporting of material incidents within the four days even where an active law enforcement investigation could be compromised as a result of such reports. Beyond this issue, there could be any number of debates on particular features that still need to be addressed.

Cybersecurity Rules for Investment Advisers, Registered Investment Companies, and Business Development Companies. In February 2022, the Commission also proposed rules for cybersecurity risk management for registered investment advisers, registered investment companies, and business development companies. These proposed rules require such regulated companies to adopt and implement written cybersecurity policies and procedures, to report certain significant cybersecurity incidents to the Commission, and to maintain certain records. From the Commission’s latest timetable, final action is not anticipated on these proposed rules until at least October 2023.

