With the July 2023 adoption by the U.S. Securities and Exchange Commission (SEC) of enhanced disclosures of cybersecurity incidents and risk management, we updated our March 2023 review of current reporting practices to see where things stand and to help provide guidance to companies.

The new rule, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, has five areas of disclosure focus:

  • Incident Disclosure within 4 Business Days
  • Cybersecurity Risk Management Process and Procedures
  • Material Impacts of Cybersecurity Incidents and Risk
  • Board Cybersecurity Oversight Role
  • Management Cybersecurity Role and Expertise

Among our key findings is that 50% of breach disclosures happened after four business days.
