In March 2023, we wrote the article, Why ALL Health Care Organizations Must Care About SEC Proposed Cybersecurity Rule Changes, which highlighted the U.S. Securities and Exchange Commission’s (SEC’s) March 9, 2022 announcement of its proposed rules related to cybersecurity requirements (i.e., risk management, corporate governance, and incident disclosures).
While testifying in front of the U.S. Senate Committee on Banking, Housing, and Urban Affairs, SEC Chairman Gary Gensler stated, “[t]he proposed amendments are intended to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents.” The wait is over. On July 26, 2023, the SEC released its final rule related to cybersecurity. Specifically, the final rule requires registrants and foreign issuers alike “to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.”
This article highlights some of the key areas that health care sector participants—public, private, and not-for-profit—should consider in relation to enterprise risk management and policies and procedures.
If you don't represent clients whose shares are registered with the SEC, don't conclude that this article doesn't apply to those companies: NOT SO FAST. One of the major takeaways of this article, which is brief and to the point, is that there is enough potential liability to go around.
The article is available to AHLA members only, which is reason enough to join if you haven't already!