Market Trends 2024/25: Cybersecurity-Related Disclosures

This practice note provides an overview of cybersecurity risk disclosures and their implications for public companies. It discusses the potential reputational, financial, and operational harm resulting from cybersecurity breaches, as well as the associated litigation and regulatory costs. This note highlights the U.S. Securities and Exchange Commission’s focus on cybersecurity issues, tracing back to its initial guidance in 2011, and the adoption of new rules in 2023 aimed at enhancing and standardizing disclosures related to cybersecurity risks and incidents. These rules require public companies to report material cybersecurity incidents and risk management processes in a standardized manner. This note also covers the various sections where cybersecurity disclosures are required, including the Business section, Risk Factors section, and Management’s Discussion and Analysis section of annual reports. It emphasizes the importance of detailed discussions on updated risks, threat management processes, and ongoing cybersecurity litigations. Additionally, this note provides examples of cybersecurity disclosures under Item 1.05 of Form 8-K, highlighting the need for timely and accurate information about material cybersecurity incidents. This practice note concludes with practical advice on preparing and enhancing required disclosures on cybersecurity risks and incidents.

Read a preview below, and the full piece here.