SEC's New Mandatory Cybersecurity Disclosure Rules: Maintaining Compliance and Avoiding Enforcement Risks
Enhanced Disclosures Regarding Cybersecurity Risk Management, Strategy, Governance and Incident Reporting

Course Details
- Format: On-Demand
- Difficulty Level: Intermediate
- Practice Area: Corporate Law
- Date: Tuesday, October 24, 2023
- Time: 1:00 p.m. ET / 10:00 a.m. PT
- Program Length: 90 minutes
This 90-minute webinar is eligible in most states for 1.5 CLE credits.
This CLE webinar will discuss the SEC's recent adoption of rules requiring public companies to more immediately disclose cybersecurity incidents and provide annual disclosures regarding the company's cybersecurity risk management strategy and cybersecurity governance. The panel will examine the new rule's requirements and provide practical guidance for maintaining compliance and avoiding enforcement risks.
Faculty

Mr. Desai is a cybersecurity, data privacy, and white collar defense and government investigations attorney. He has extensive experience in handling cyber intrusions and data breaches, trade secret thefts, emerging technology matters and complex white collar investigations. With a computer science and physics background, Mr. Desai has the skills and knowledge to advise companies on novel issues at the intersection of law, technology and data privacy. He is also a Certified Information Privacy Professional in the United States (CIPP/US) with the International Association of Privacy Professionals (IAPP). Mr. Desai is a former federal prosecutor in the Cyber and National Security Section and the Economic Crimes Section at the U.S. Attorney's Office for the Western District of Pennsylvania.

Mr. Koesters is counsel in the firm’s Investigations, Enforcement, and White Collar Group. With over a decade of experience in the Department of Justice and Department of Defense, he advises clients on internal investigations and government enforcement actions in a variety of industries. As a Certified Information Privacy Professional in the U.S. (CIPP/US) and a former national security advisor for Army Cyber Command, Mr. Koesters works with clients on emerging issues involving data privacy regulations, cybersecurity requirements, and data breach incidents.
Description
On July 26, 2023, the SEC adopted final rules that generally require public companies to disclose material cybersecurity incidents within four business days after determining the incident was material. Also, companies must now provide information regarding their cybersecurity risk management, strategy, and governance on an annual basis. The final rules are effective Sept. 5, 2023.
Since 2011, the SEC has encouraged public companies to file a Form 8-K upon the occurrence of a material cybersecurity incident. The final rules turn the guidance into a mandate for Form 8-K. Foreign private issuers (FPIs) already have an obligation to disclose material information on Form 6-K that they disclose offshore, on a stock exchange, or to their security holders, and the new rules simply add material cybersecurity incidents to the list of material information included in the form.
Under the new rules, public companies and FPIs will be required to include additional cybersecurity risk management disclosures in Forms 10-K and 20-F. As part of these disclosures, companies must describe: their processes for assessing, identifying, and managing material risks from cybersecurity threats; the board of directors' oversight of risks from cybersecurity threats; management's cybersecurity expertise and its role in assessing and managing material risks from cybersecurity threats; and whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition.
Listen as our authoritative panel provides an overview of the new rules and practical guidance for implementing policies and procedures to comply with the new requirements. The panel will also address the potential compliance and enforcement implications of the new rules.
Outline
- Overview of the SEC's new cybersecurity disclosure rules
- Cybersecurity incident disclosure requirement in Form 8-K or Form 6-K
- Updates on previously reported cybersecurity incidents required in amended Form 8-K or Form 20-F
- New cybersecurity governance disclosure requirements in annual reports on Form 10-K and Form 20-F
- Compliance deadlines
- Practical guidance and takeaways for implementing policies and procedures to address the new rules
- Potential implications of the public disclosure of a company's cybersecurity incidents
Benefits
The panel will address these and other key issues:
- What are the new Form 8-K filing requirements?
- What are the new cybersecurity governance disclosure requirements for annual reports on Forms 10-K and 20-F?
- What are the changes to Regulation S-K and how should companies disclose their processes for assessing, identifying, and managing material risks from cybersecurity threats?
- What are the corporate governance matters relating to the board of directors' and management's oversight of cybersecurity matters?
- What are the implications of these new rules on how companies will respond to future cyber incidents?