2.2 SEC Enforcement
In late 2023, the US Securities and Exchange Commission (SEC) adopted new cybersecurity disclosure rules that significantly impact public companies. These rules require companies to disclose their cybersecurity risk management and governance practices, and to report any material cybersecurity incident within four days of determining that it is material.
Throughout 2024, we saw the SEC adopt some aggressive enforcement positions—notably in the R.R. Donnelley and SolarWinds cases. However, recent court decisions in the SolarWinds case and the prospect of a Republican-controlled SEC give hope for a less risky regulatory environment around cybersecurity for public companies and their CISOs.
But less risky does not mean there is no risk. After all, the cybersecurity rules still require timely notice and proper disclosure of cybersecurity events, ensuring that cybersecurity will continue to be a relevant topic in the boardroom.