On July 26, 2023, a divided SEC adopted, by a 3-2 vote, final rules for cybersecurity disclosures. The final rules are based on proposed rules the agency first introduced in March 2022. The rules require companies to disclose material cybersecurity incidents they experience, and also to disclose on an annual basis material information regarding their cybersecurity risk management and governance. The rules will have a significant impact on reporting companies’ disclosure practices and could present a challenge for some companies. A copy of the final cybersecurity disclosure rules can be found here. The SEC’s July 26, 2023, press release about the final cybersecurity disclosure rules can be found here. The SEC’s two-page fact sheet about the new rules can be found here.
Continue Reading SEC Adopts Final Cybersecurity Disclosure Rules
On March 9, 2022, the SEC finally released its long-anticipated updated cybersecurity disclosure requirements. The proposed rules, inclusive of specifications both for incident reporting and for risk management and governance disclosure, were adopted by a 3-1 vote and are now subject to a public reporting period. The new rules, which the Commission’s press release says are “designed to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents,” underscore the Commission’s emphasis on cybersecurity reporting and disclosure issues.
The SEC’s March 9, 2022 press release about the proposed new rules can be found here. The Commission’s two-page “fact sheet” about the new rules can be found here. The Commission’s 129-page proposing release can be found here. Cydney Posner’s March 9, 2022 post on the Cooley law firm’s PubCo blog about the proposed rules can be found here.
Continue Reading SEC Proposes New Rules for Cybersecurity Disclosure and Incident Reporting Rules
Increased stakeholder expectations have made corporate governance more important than ever, with important implications for companies and their executives. The following guest post examines the ways that sound corporate governance structures and practices can help position companies to be able to defend themselves in the event of litigation. This paper was written by Suzanne H. Gilbert, a member of the Board of Advisors of Grace & Co. Consultancy, Inc.; H. Stephen Grace Jr., Ph.D., President of H.S. Grace & Company, Inc.; Joseph P. Monteleone, a partner with the Weber Gallagher Simpson Stapleton Fires and Newby LLP law firm; and S. Lawrence Prendergast, a member of the Board of Advisors of Grace & Co. Consultancy, Inc. and Chairman of the Turrell Fund. A version of this article previously was published in the American Bar Association’s Business Law Today. I would like to thank the authors for allowing me to publish their article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. The authors’ article follows.
Continue Reading Guest Post: Stress Testing Your Corporate Governance Structure
In February 2018, the SEC updated its cybersecurity disclosure guidelines for reporting companies, emphasizing the importance to investors and markets of prompt and robust disclosure relating to cyber issues. Indeed, in April, the agency brought its first enforcement action relating to cybersecurity enforcement issues. In its recent annual report, the agency’s enforcement division emphasized that cybersecurity disclosure is a priority issue. Clearly, public companies’ cybersecurity-related disclosure practices are receiving a great deal of attention and scrutiny.
But what are public companies actually doing in terms of cybersecurity disclosures? A recent study by EY took a look at the actual cybersecurity disclosure practices. Their analysis shows that cybersecurity-related disclosure practices “vary widely,” suggesting there is an “opportunity for enhancement.” The October 22, 2018 report, entitled “Cybersecurity Disclosure Benchmarking,” can be found here.
Continue Reading Cybersecurity Disclosure Practices and Standards
It is now well known and understood that cybersecurity is a board level issue. This generalization is true not just for companies in the United States but for all companies around the world. In the following guest post, Joel Pridmore, Asia Pacific Underwriting Manager, Specialty, Corporate Insurance Partner, Munich Re Group; Saket Modi, CEO of Lucideus Technologies Pvt Ltd; and Richa Shukla, Partner, Khaitan Legal Associates, take a look at this issue, with a particular focus on concerns for Indian companies. I would like to thank the authors for allowing me to publish their article as a guest post. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is the authors’ guest post.
Continue Reading Guest Post: Cyber Risk: A Board Level View
In this day and age, the members of the boards of directors of most companies understand that cybersecurity issues are both important and should be a board-level priority. But while these issues and responsibilities are now well-recognized, many boards still struggle to translate these issues into action. In the following guest post, John Reed Stark, President, John Reed Stark Consulting LLC, and David R. Fontaine, President, Corporate Risk Holdings, take a look at these challenges and propose that in addressing their cybersecurity-related responsibilities boards should draw upon the same governance procedures they have long used with respect to financial accounting and reporting. The authors suggest well-advised boards will take this approach in light of the very real, difficult to control and ever increasing enterprise threat that cyber-attacks represent for their organizations.
Continue Reading Guest Post: Boards of Directors and Cybersecurity: Applying Lessons Learned From 70 Years of Financial Reporting Oversight