Law.com Subscribers SAVE 30%
Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.
10 Steps Legal Departments Should Be Taking to Prepare for the SEC's Newly Adopted Cybersecurity Risk Governance Rule for Public Companies
On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) adopted final rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incident reporting by public companies subject to the Securities Exchange Act of 1934. The final rules passed by a narrow 3-2 vote, which is representative of the compromise required to enact these much commented on rules that will be burdensome, especially for public companies with underdeveloped cybersecurity programs. The adoption of these SEC cybersecurity rules demonstrates that cybersecurity is a top corporate risk today and that the SEC is arming investors with information to better evaluate it. In Commissioner Caroline Crenshaw's statement on the SEC rules' adoption, she noted that, "cybersecurity breaches reported by public companies increased by nearly 600% in the last decade and the costs, borne by issuers and their investors, are estimated to be in the trillions of dollars per year in the U.S. alone." Since cybersecurity risks and the cost of resolving cyber incidents have increased alongside the digitalization of operations, the growth of remote work and the increasing reliance on third-party service providers for information technology services, the SEC has determined investors require more consistent, comparable, decision-useful and transparent disclosures to evaluate a company's exposure to cybersecurity risks and incidents as well as a company's ability to manage and mitigate those risks.
After much deliberation and compromise, below are the key requirements of the SEC's new cybersecurity rules:
- New Form 8-K Item 1.05 requires the disclosure of any cybersecurity incident determined to be material within four business days of the materiality determination with a description of the pertinent aspects of the nature, scope and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the company, including its financial condition, operations and reputational harm.
- Consistent with traditional securities law, an incident is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision or if it would significantly alter the "total mix" of information available.
- The four-business day disclosure requirement is triggered on the date on which the company determines that a cybersecurity incident is material, not the date the incident is discovered. An instruction to Form 8-K provides that a materiality determination must be made "without unreasonable delay" after discovery of a cybersecurity incident.
- The disclosure may be delayed if the attorney general notifies the SEC after determining that immediate disclosure would pose a substantial risk to national security or public safety.
- New Regulation S-K Item 106 requires companies to describe their processes for assessing, identifying and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company. Item 106 also requires companies to describe the board of directors' oversight of risks from cybersecurity threats and management's role and expertise in assessing and managing material risks from cybersecurity threats.
- Form 6-K and Form 20-F have also been amended to include similar requirements for foreign private issuers (nongovernmental companies incorporated outside of the U.S. doing business in the U.S.).
The incident disclosure requirements in Form 8-K Item 1.05 go into effect the later of 90 days after the date of publication in the Federal Register or Dec. 18, 2023. Smaller reporting companies (companies with a public float of less than $250 million or less than $100 million in annual revenues) enjoy an additional 180 days until the incident disclosure requirements go into effect. With respect to Regulation S-K Item 106, companies must provide disclosures beginning with annual reports for fiscal years ending on or after Dec. 15, 2023.
This premium content is locked for Entertainment Law & Finance subscribers only
ENJOY UNLIMITED ACCESS TO THE SINGLE SOURCE OF OBJECTIVE LEGAL ANALYSIS, PRACTICAL INSIGHTS, AND NEWS IN ENTERTAINMENT LAW.
- Stay current on the latest information, rulings, regulations, and trends
- Includes practical, must-have information on copyrights, royalties, AI, and more
- Tap into expert guidance from top entertainment lawyers and experts
Already a have an account? Sign In Now Log In Now
For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473
Bankruptcy Sales: Finding a Diamond In the Rough
There is no efficient market for the sale of bankruptcy assets. Inefficient markets yield a transactional drag, potentially dampening the ability of debtors and trustees to maximize value for creditors. This article identifies ways in which investors may more easily discover bankruptcy asset sales.
Judge Rules Shaquille O'Neal Will Face Securities Lawsuit for Promotion, Sale of NFTs
A federal district court in Miami, FL, has ruled that former National Basketball Association star Shaquille O'Neal will have to face a lawsuit over his promotion of unregistered securities in the form of cryptocurrency tokens and that he was a "seller" of these unregistered securities.
Why So Many Great Lawyers Stink at Business Development and What Law Firms Are Doing About It
Why is it that those who are best skilled at advocating for others are ill-equipped at advocating for their own skills and what to do about it?
A Lawyer's System for Active Reading
Active reading comprises many daily tasks lawyers engage in, including highlighting, annotating, note taking, comparing and searching texts. It demands more than flipping or turning pages.
Blockchain Domains: New Developments for Brand Owners
Blockchain domain names offer decentralized alternatives to traditional DNS-based domain names, promising enhanced security, privacy and censorship resistance. However, these benefits come with significant challenges, particularly for brand owners seeking to protect their trademarks in these new digital spaces.