Executive Summary
Our Securities, Securities Litigation, and Privacy, Cyber &
Data Strategy teams highlight the key aspects of the Securities and
Exchange Commission’s latest sweeping changes to its
cybersecurity reporting rules for public companies subject to the
Securities Exchange Act.
- Requiring a report on Form 8-K within four business days of
determining that a material cybersecurity incident has
occurred
- No extension for a law enforcement delay or ongoing
investigation
- Reporting when immaterial cybersecurity incidents become
material in the aggregate
- Disclosing risk management and governance procedures and any
cybersecurity expertise on the board
On March 9, 2022, the Securities and Exchange Commission (SEC)
released the latest in a series of proposed rules aimed at
bolstering the cybersecurity-related disclosures of regulated
entities, this time directed at public companies that are subject
to the reporting requirements of the Securities Exchange Act of
1934, as amended. If enacted, the sweeping new rules would require covered
public companies to, among other things:
- Report material cybersecurity incidents on Form 8-K within…
