Law.com Subscribers SAVE 30%
Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.
10 Steps Legal Departments Should Be Taking to Prepare for the SEC's Newly Adopted Cybersecurity Risk Governance Rule for Public Companies
On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) adopted final rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incident reporting by public companies subject to the Securities Exchange Act of 1934. The final rules passed by a narrow 3-2 vote, which is representative of the compromise required to enact these much commented on rules that will be burdensome, especially for public companies with underdeveloped cybersecurity programs. The adoption of these SEC cybersecurity rules demonstrates that cybersecurity is a top corporate risk today and that the SEC is arming investors with information to better evaluate it. In Commissioner Caroline Crenshaw's statement on the SEC rules' adoption, she noted that, "cybersecurity breaches reported by public companies increased by nearly 600% in the last decade and the costs, borne by issuers and their investors, are estimated to be in the trillions of dollars per year in the U.S. alone." Since cybersecurity risks and the cost of resolving cyber incidents have increased alongside the digitalization of operations, the growth of remote work and the increasing reliance on third-party service providers for information technology services, the SEC has determined investors require more consistent, comparable, decision-useful and transparent disclosures to evaluate a company's exposure to cybersecurity risks and incidents as well as a company's ability to manage and mitigate those risks.
After much deliberation and compromise, below are the key requirements of the SEC's new cybersecurity rules:
- New Form 8-K Item 1.05 requires the disclosure of any cybersecurity incident determined to be material within four business days of the materiality determination with a description of the pertinent aspects of the nature, scope and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the company, including its financial condition, operations and reputational harm.
- Consistent with traditional securities law, an incident is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision or if it would significantly alter the "total mix" of information available.
- The four-business day disclosure requirement is triggered on the date on which the company determines that a cybersecurity incident is material, not the date the incident is discovered. An instruction to Form 8-K provides that a materiality determination must be made "without unreasonable delay" after discovery of a cybersecurity incident.
- The disclosure may be delayed if the attorney general notifies the SEC after determining that immediate disclosure would pose a substantial risk to national security or public safety.
- New Regulation S-K Item 106 requires companies to describe their processes for assessing, identifying and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company. Item 106 also requires companies to describe the board of directors' oversight of risks from cybersecurity threats and management's role and expertise in assessing and managing material risks from cybersecurity threats.
- Form 6-K and Form 20-F have also been amended to include similar requirements for foreign private issuers (nongovernmental companies incorporated outside of the U.S. doing business in the U.S.).
The incident disclosure requirements in Form 8-K Item 1.05 go into effect the later of 90 days after the date of publication in the Federal Register or Dec. 18, 2023. Smaller reporting companies (companies with a public float of less than $250 million or less than $100 million in annual revenues) enjoy an additional 180 days until the incident disclosure requirements go into effect. With respect to Regulation S-K Item 106, companies must provide disclosures beginning with annual reports for fiscal years ending on or after Dec. 15, 2023.
This premium content is locked for Entertainment Law & Finance subscribers only
ENJOY UNLIMITED ACCESS TO THE SINGLE SOURCE OF OBJECTIVE LEGAL ANALYSIS, PRACTICAL INSIGHTS, AND NEWS IN ENTERTAINMENT LAW.
- Stay current on the latest information, rulings, regulations, and trends
- Includes practical, must-have information on copyrights, royalties, AI, and more
- Tap into expert guidance from top entertainment lawyers and experts
Already a have an account? Sign In Now Log In Now
For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473
New York's Latest Cybersecurity Commitment
On Aug. 9, 2023, Gov. Kathy Hochul introduced New York's inaugural comprehensive cybersecurity strategy. In sum, the plan aims to update government networks, bolster county-level digital defenses, and regulate critical infrastructure.
The DOJ's Corporate Enforcement Policy: One Year Later
The DOJ's Criminal Division issued three declinations since the issuance of the revised CEP a year ago. Review of these cases gives insight into DOJ's implementation of the new policy in practice.
How AI Has Affected PR
When we consider how the use of AI affects legal PR and communications, we have to look at it as an industrywide global phenomenon. A recent online conference provided an overview of the latest AI trends in public relations, and specifically, the impact of AI on communications. Here are some of the key points and takeaways from several of the speakers, who provided current best practices, tips, concerns and case studies.
Use of Deferred Prosecution Agreements In White Collar Investigations
This article discusses the practical and policy reasons for the use of DPAs and NPAs in white-collar criminal investigations, and considers the NDAA's new reporting provision and its relationship with other efforts to enhance transparency in DOJ decision-making.