New rules adopted by the Securities and Exchange Commission (SEC) that require companies to disclose any cybersecurity breach that they deem to be material and to make annual disclosures regarding their cybersecurity may potentially form the basis for SEC whistleblower claims related to the sufficiency of public disclosures.
The rules, passed on July 26, 2023, give companies four days to disclose cybersecurity incidents starting from when they determine that a breach is material. Disclosures can be delayed if the U.S. Attorney General determines that immediate disclosure would “pose a substantial risk to national security or public safety” and notifies the SEC in writing.
The new rules also require publicly traded companies to make annual disclosures about their cybersecurity risk management, strategy, and governance. The objective is to protect investors.“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said in a public statement in which he noted current inconsistencies in disclosures. He said that companies and investors both benefit when disclosures are made in a “more consistent, comparable, and decision-useful way.”
Incident-specific disclosures are required in Form 8-K beginning either 90 days after the rule’s publication in the Federal Register or on December 18, 2023, whichever is later. Smaller reporting companies will have an additional 180 days. Disclosures must set forth the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.
Annual disclosures are required in Form 10-K reports covering fiscal years ending on December 15 or later. Companies must describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, along with the material effects or reasonably likely material effects of risks from cybersecurity threats or previous cybersecurity incidents. They also must disclose information on their cybersecurity risk management and executive expertise in the field.
Foreign private issuers are required to make comparable disclosures.
If you are considering filing a cyber-related SEC whistleblower claim, please fill out our online form or contact us by phone at (267) 551-5240 or via e-mail at email@example.com for a free, confidential consultation.
Inclined Sleepers: The Hidden Danger in Your Nursery Feldman Shepherd product liability attorneys Alan M. Feldman, Daniel J. Mann and Edward S. Goldis discuss the dangers of inclined infant sleepers and why reports of 73 infant deaths and more than 1,000 incidents were allowed to mount for 14 years at the Consumer Product Safety Commission…
Aviation attorney/licensed pilot G. Scott Vezina explains the history of Boeing’s 737 MAX and takes listeners “inside the cockpit” to understand why the plane crashed twice, killing hundreds of people, before aviation authorities worldwide grounded it.
Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.