ENERGY, POWER & COMMODITIES

Cybersecurity incident disclosure

Cybersecurity incident disclosure requirements for the Energy, Power & Commodities sector are now layered across multiple mandatory frameworks, not voluntary guidance. The Federal Energy Regulatory Commission's Critical Infrastructure Protection reliability standards and the U.S. Securities and Exchange Commission's December 2023 cyber incident disclosure rule together create overlapping reporting obligations for public energy companies and grid operators. Compliance teams are currently reconciling those two clocks: FERC's 24-hour grid security emergency notification window against the SEC's four-business-day Form 8-K trigger.

Watch

  • SEC Rule 33-11216: does your incident meet the 'material' threshold under current board-adopted definitions?
  • FERC CIP-008-6 incident response plan updates due; audit cycle active in 2024-2025
  • European Network of Transmission System Operators cross-border disclosure expectations for APAC-linked energy entities
  • Vendor and third-party OT provider contracts: many lack language satisfying the SEC's supply-chain disclosure expectations
  • State public utility commission cyber-reporting mandates diverging from federal timelines in California and New York
