The SEC has been focused on cybersecurity over the course of this summer, as evidenced by recent guidance from the SEC Staff and ongoing enforcement matters. The top five most significant developments include:
- In May, Erik Gerding, Director of the SEC's Division of Corporation Finance, released a statement addressing the disclosure of material cybersecurity incidents under Item 1.05 of Form 8-K, noting: "If a company chooses to disclose a cybersecurity incident for which it has not yet made a materiality determination, or a cybersecurity incident that the company determined was not material, the Division of Corporation Finance encourages the company to disclose that cybersecurity incident under a different item of Form 8-K (for example, Item 8.01)."
- In June, Erik Gerding released a second statement, addressing potential selective disclosure considerations in connection with cybersecurity incidents, noting: "There are several ways that a public company can privately share information regarding a material cybersecurity incident beyond what was disclosed in its Item 1.05 Form 8-K without implicating Regulation FD."
- Also in June, the Division of Corporation Finance published five new Exchange Act Form 8-K Compliance and Disclosure Interpretations addressing the determination of materiality and the timing of disclosures required pursuant to Item 1.05 of Form 8-K.
- The SEC's Division of Enforcement announced an enforcement action that alleged, in part, that a public company had failed to devise and maintain a system of cybersecurity-related internal accounting controls sufficient to provide reasonable assurance that access to the company's information technology systems and networks was permitted only with management's authorization.
- The United States District Court of the Southern District of New York dismissed, in significant part, the SEC's first attempt to bring scienter-based securities fraud charges against a public company that suffered a significant cybersecurity incident, and to hold an individual personally responsible for alleged cybersecurity disclosure failures.
To understand the impact of these developments on your company, join a cross-disciplinary team of Goodwin's experts on September 10, 2024 for the webcast "Cybersecurity – Roundup on Recent SEC Developments and Looking Forward," as the panel covers a range of cybersecurity topics, including:
- The evolution and most recent examples of cybersecurity incident disclosures by public companies;
- A recap of developments on the cybersecurity enforcement front;
- The SEC's proposed cybersecurity risk management rules for regulated entities; and
- Tips for companies to keep pace with cybersecurity best practices and evolving regulations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.