PublicationThe U.S. Securities and Exchange Commission (“SEC”) has adopted new cybersecurity disclosure rules to require current disclosure about material cybersecurity incidents and periodic disclosures of: (i) registrants’ processes to assess, identity, and manage material cybersecurity risks, (ii) management’s role in assessing and managing material cybersecurity risks, and (iii) the board of directors’ oversight of cybersecurity risks.
New 8-K Item 1.05
Form 8-K has been amended to include a new Item 1.05, which requires disclosure to the SEC if a registrant experiences a cybersecurity incident that is determined by the registrant to be material. The registrant will be required to describe the material aspects of the nature, scope, and timing of the incident and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations. The Item 1.05 8-K is required to be filed within four business days after the registrant concludes that the incident was material. The SEC’s adopting release noted that it will expect doubts about materiality to be resolved in favor of protecting investors. There is a provision to allow delayed reporting if the U.S. Attorney General concludes that disclosure would pose a substantial risk to national security or public safety. SEC reporting companies (other than smaller reporting companies) will be required to make Item 1.05 disclosures beginning December 18, 2023, while smaller reporting companies will need to start complying on June 24, 2024. The same disclosure requirements apply to foreign private issuers on Form 6-K.
Additional Disclosure in Annual Reports
Beginning with the first annual report for a fiscal year ending on or after December 15, 2023, registrants will be required to report the following information required by new Item 1.06 of Regulation S-K:
- the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes;
- whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and, if so, how;
- a description of management’s role in assessing and managing the registrant’s material risks from cybersecurity threats; and
- a description of the board of directors’ oversight of risks from cybersecurity threats including, if applicable, identifying any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describing the processes by which the board or such committee is informed about such risks.
How We Can Help
Michael Best’s Privacy and Cybersecurity team can assist with identifying and assessing whether a cyber security incident has occurred and if it is material, including a written description that needs to be included in the report. Thereafter, the Securities & Capital Markets team at Michael Best has attorneys that can guide companies through preparation and filing of the new current and periodic disclosure requirements with the SEC. Related PeoplePreview Attorney's BiographyDaniel assists companies with privacy and cybersecurity matters, from proactive approaches to breach response. He began his career with Michael Best as a law clerk, joining the firm as an associate attorney after obtaining his law degree from the University of Denver Sturm College of Law. Preview Attorney's BiographyRyan is a paralegal in the firm’s Corporate Practice Group. He assists Michael Best attorneys with a variety real estate, corporate, and data privacy matters. He conducts property and tax assessment research, performs due diligence, ALTA/NSPS land survey analysis, title and policy review, evaluation of agricultural foreclosures, and manages closings for commercial, residential, and agricultural real estate transactions throughout the country. Ryan L. Habeck* *Names that appear with an asterisk indicate a Michael Best professional not admitted to practice law. Preview Attorney's BiographyChelsea counsels clients on data privacy and security matters including building compliance frameworks under applicable state, federal, and international privacy laws. Chelsea also advises on data security best practices and responding to data breaches.
Before joining Michael Best, Chelsea was an Assistant Attorney General Fellow in the Colorado Attorney General's Office. There, she enforced Colorado’s data security laws, supported the Colorado Privacy Act rulemaking, and drafted priv ... Preview Attorney's BiographyGuy counsels clients on privacy and data security matters including compliance with U.S. and E.U. data protection and privacy laws, the development of company privacy programs, and responding to and mitigating data breaches. Preview Attorney's BiographyLiz counsels clients on privacy and data security matters including compliance with applicable data privacy regulations and implementation of proactive cybersecurity measures. She also helps guide clients through all aspects of data security incidents. Liz holds the Certified Information Privacy Professional/United States (CIPP/US) credential through the International Association of Privacy Professionals. Preview Attorney's BiographyClients across multiple industries turn to Michael to coordinate their more complex business transactions. They value his quick assessment of issues and their implications, as well as his creative yet effective solutions to the many issues that arise during the course of a transaction.Michael’s practice focuses on mergers and acquisitions, buyout transactions, securities regulation, and venture capital investment transactions. Preview Attorney's BiographyClients from a variety of industries turn to Kevin for guidance and counsel on a broad range of matters pertaining to securities. He has extensive experience in public and private securities offerings, broker-dealer compliance (particularly regarding resales of restricted securities), and regulatory enforcement defense with the U.S. Securities Exchange Commission (SEC), Commodity Futures Trading Commission (CFTC), and state securities regulators.
|