Law.com Subscribers SAVE 30%
Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.
10 Steps Legal Departments Should Be Taking to Prepare for the SEC's Newly Adopted Cybersecurity Risk Governance Rule for Public Companies
On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) adopted final rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incident reporting by public companies subject to the Securities Exchange Act of 1934. The final rules passed by a narrow 3-2 vote, which is representative of the compromise required to enact these much commented on rules that will be burdensome, especially for public companies with underdeveloped cybersecurity programs. The adoption of these SEC cybersecurity rules demonstrates that cybersecurity is a top corporate risk today and that the SEC is arming investors with information to better evaluate it. In Commissioner Caroline Crenshaw's statement on the SEC rules' adoption, she noted that, "cybersecurity breaches reported by public companies increased by nearly 600% in the last decade and the costs, borne by issuers and their investors, are estimated to be in the trillions of dollars per year in the U.S. alone." Since cybersecurity risks and the cost of resolving cyber incidents have increased alongside the digitalization of operations, the growth of remote work and the increasing reliance on third-party service providers for information technology services, the SEC has determined investors require more consistent, comparable, decision-useful and transparent disclosures to evaluate a company's exposure to cybersecurity risks and incidents as well as a company's ability to manage and mitigate those risks.
After much deliberation and compromise, below are the key requirements of the SEC's new cybersecurity rules:
- New Form 8-K Item 1.05 requires the disclosure of any cybersecurity incident determined to be material within four business days of the materiality determination with a description of the pertinent aspects of the nature, scope and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the company, including its financial condition, operations and reputational harm.
- Consistent with traditional securities law, an incident is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision or if it would significantly alter the "total mix" of information available.
- The four-business day disclosure requirement is triggered on the date on which the company determines that a cybersecurity incident is material, not the date the incident is discovered. An instruction to Form 8-K provides that a materiality determination must be made "without unreasonable delay" after discovery of a cybersecurity incident.
- The disclosure may be delayed if the attorney general notifies the SEC after determining that immediate disclosure would pose a substantial risk to national security or public safety.
- New Regulation S-K Item 106 requires companies to describe their processes for assessing, identifying and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company. Item 106 also requires companies to describe the board of directors' oversight of risks from cybersecurity threats and management's role and expertise in assessing and managing material risks from cybersecurity threats.
- Form 6-K and Form 20-F have also been amended to include similar requirements for foreign private issuers (nongovernmental companies incorporated outside of the U.S. doing business in the U.S.).
The incident disclosure requirements in Form 8-K Item 1.05 go into effect the later of 90 days after the date of publication in the Federal Register or Dec. 18, 2023. Smaller reporting companies (companies with a public float of less than $250 million or less than $100 million in annual revenues) enjoy an additional 180 days until the incident disclosure requirements go into effect. With respect to Regulation S-K Item 106, companies must provide disclosures beginning with annual reports for fiscal years ending on or after Dec. 15, 2023.
This premium content is locked for Entertainment Law & Finance subscribers only
ENJOY UNLIMITED ACCESS TO THE SINGLE SOURCE OF OBJECTIVE LEGAL ANALYSIS, PRACTICAL INSIGHTS, AND NEWS IN ENTERTAINMENT LAW.
- Stay current on the latest information, rulings, regulations, and trends
- Includes practical, must-have information on copyrights, royalties, AI, and more
- Tap into expert guidance from top entertainment lawyers and experts
Already a have an account? Sign In Now Log In Now
For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473
Why So Many Great Lawyers Stink at Business Development and What Law Firms Are Doing About It
Why is it that those who are best skilled at advocating for others are ill-equipped at advocating for their own skills and what to do about it?
Bankruptcy Sales: Finding a Diamond In the Rough
There is no efficient market for the sale of bankruptcy assets. Inefficient markets yield a transactional drag, potentially dampening the ability of debtors and trustees to maximize value for creditors. This article identifies ways in which investors may more easily discover bankruptcy asset sales.
The DOJ's Corporate Enforcement Policy: One Year Later
The DOJ's Criminal Division issued three declinations since the issuance of the revised CEP a year ago. Review of these cases gives insight into DOJ's implementation of the new policy in practice.
A Lawyer's System for Active Reading
Active reading comprises many daily tasks lawyers engage in, including highlighting, annotating, note taking, comparing and searching texts. It demands more than flipping or turning pages.
Risks of “Baseball Arbitration” in Resolving Real Estate Disputes
“Baseball arbitration” refers to the process used in Major League Baseball in which if an eligible player's representative and the club ownership cannot reach a compensation agreement through negotiation, each party enters a final submission and during a formal hearing each side — player and management — presents its case and then the designated panel of arbitrators chooses one of the salary bids with no other result being allowed. This method has become increasingly popular even beyond the sport of baseball.