On August 4, 2023, the Securities and Exchange Commission’s (“SEC”) final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure was published in the Federal Register, confirming the dates on which these new requirements will enter into force.  Covington has previously published a detailed summary of this rule, which imposes significant new disclosure requirements for publicly traded companies and, in certain instances, foreign private issuers.  As discussed in greater detail in that alert, the new rule requires U.S. public companies to report material cybersecurity incidents on Form 8-K within four business days of their determination that a material cybersecurity incident has occurred.  Foreign private issuers will be required to furnish information on Form 6-K about material cybersecurity incidents that they disclose or otherwise publicize to any stock exchange or to security holders in a foreign jurisdiction. 

The rule also requires additional disclosures as part a company’s Annual Report on Form 10-K or Form 20-F regarding the company’s cybersecurity risk management and oversight.  These requirements include disclosures regarding:

  • processes a company maintains for assessing, identifying, and managing material risks from cybersecurity threats;
  • a description of the board of directors’ oversight of risks from cybersecurity threats; and
  • a description of management’s role in assessing and managing material risks from cybersecurity threats.

Now that the final rule has been published in the Federal Register, the compliance dates have been confirmed.  The new requirement to report material cybersecurity incidents on Form 8-K and Form 6-K will take effect for all companies other than smaller reporting companies on December 18, 2023.  This requirement will take effect for smaller reporting companies on June 15, 2024.  The new disclosures in Annual Reports on Form 10-K and Form 20-F will be required in reports for fiscal years ending on or after December 15, 2023.  All issuers will be required to tag Form 8-K and Form 6-K disclosures beginning December 18, 2024, and disclosures in Annual Reports on Form 10-K and Form 20-F will be required in reports for fiscal years ending on or after December 15, 2024.  Please refer to Covington’s detailed summary of the final regulation for addition information on this regulation, including exceptions, required form amendments, and next steps for companies to consider. 

Tags: Cybersecurity, Financial Institutions
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kerry Burke Kerry Burke

Strategic Counsel for Capital Markets, Corporate Governance, and Securities Advisory

Kerry Shannon Burke delivers board-level guidance and transaction execution that drives business results for public and private companies. With more than 25 years of experience advising on capital markets transactions, corporate governance and…

Strategic Counsel for Capital Markets, Corporate Governance, and Securities Advisory

Kerry Shannon Burke delivers board-level guidance and transaction execution that drives business results for public and private companies. With more than 25 years of experience advising on capital markets transactions, corporate governance and public company reporting and compliance matters, Kerry is trusted by boards and the C-suite to translate legal complexity into business clarity, anticipate regulatory risk, and deliver measurable outcomes that support strategic growth and governance priorities.

Capital Markets and Financing Expertise

Kerry structures and closes high-value transactions—including IPOs, private placements, debt and equity financings and acquisition financing—for issuers ranging from emerging growth companies to Fortune 500 enterprises, as well as underwriters and institutional investors. Her approach emphasizes speed, precision and risk mitigation to protect enterprise value.

Corporate Governance Leadership

Boards and senior management rely on Kerry for actionable guidance on SEC and ESG reporting, governance strategy, cybersecurity disclosure, succession planning and compliance program design. She also assists private companies with IPO readiness, advising on board independence, internal controls and disclosure frameworks that withstand regulatory scrutiny.
Specialized Investment Advisers Act Counsel

Kerry also is an authority on the Investment Advisers Act, advising private equity, hedge and venture capital funds and financial institutions on status determinations and ongoing compliance, ensuring alignment with evolving regulatory standards.

Read more about Kerry BurkeEmail
Show more Show less
Photo of David H. Engvall David H. Engvall

David Engvall advises public companies on a wide range of securities, capital markets, corporate governance, and related matters. In the capital markets area, he has handled a range of transactions, including registered and unregistered offerings of common and preferred stock, investment grade and…

David Engvall advises public companies on a wide range of securities, capital markets, corporate governance, and related matters. In the capital markets area, he has handled a range of transactions, including registered and unregistered offerings of common and preferred stock, investment grade and high yield debt securities, convertible securities, and trust units. He advises companies in a number of industries. David’s transactional experience also includes equity and debt tender offers, investments and M&A transactions.

David advises public company clients on a wide variety of disclosure, SEC compliance, transactional, and corporate governance matters. David is actively engaged in advising clients on a wide range of specific securities law topics, including executive compensation, beneficial ownership reporting, environmental, social and governance (“ESG”) reporting, and specialized disclosures such as those pertaining to conflict minerals. In the corporate governance area, he advises clients on topics such as Board committee charters, shareholder activism, management succession planning, and director independence.

Read more about David H. EngvallEmail
Show more Show less
Photo of Matthew Franker Matthew Franker

Matt Franker has over 20 years of experience advising public and private companies, underwriters, and boards of directors in capital markets offerings, securities disclosure and financial reporting, including disclosures relating to non-GAAP financial measures, accounting for business combinations and other technical accounting issues…

Matt Franker has over 20 years of experience advising public and private companies, underwriters, and boards of directors in capital markets offerings, securities disclosure and financial reporting, including disclosures relating to non-GAAP financial measures, accounting for business combinations and other technical accounting issues, corporate governance and sustainability matters, mergers and acquisitions, and general corporate issues.

Matt has an extensive securities advisory practice focused on assisting public companies in the wide variety of disclosure, corporate governance, and compliance matters that they face. Matt also has significant capital markets experience advising companies and underwriters on registered and exempt offerings of common and preferred equity securities and investment grade, high-yield, convertible, secured and subordinated debt securities, exchange offers, debt tender offers, and consent solicitations. Matt has been recognized in Legal 500 for his work on capital markets transactions.

Prior to joining Covington, Matt served as an attorney-adviser with the U.S. Securities and Exchange Commission’s Division of Corporation Finance. While at the SEC, he worked on a wide variety of transactional and securities compliance matters, with an emphasis on the manufacturing, construction, and financial services industries. His experience at the SEC focused on IPOs, secondary offerings, mergers and acquisitions, exchange offers, going-private transactions, PIPEs and private equity financings and evaluating no-action requests to exclude shareholder proposals under Exchange Act Rule 14a-8.

Read more about Matthew FrankerEmail
Show more Show less
Photo of Caleb Skeath Caleb Skeath

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of…

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.

Read more about Caleb SkeathEmail
Show more Show less
Photo of Claire O'Rourke Claire O'Rourke

Working with emerging, national, and multinational companies and non-profits, Claire O’Rourke handles matters involving a range of data privacy and cybersecurity issues.

Claire works with clients in the technology, financial services, life sciences, and healthcare industries, among others. She provides strategic advice on…

Working with emerging, national, and multinational companies and non-profits, Claire O’Rourke handles matters involving a range of data privacy and cybersecurity issues.

Claire works with clients in the technology, financial services, life sciences, and healthcare industries, among others. She provides strategic advice on preparation for, response to, and legal obligations and risk mitigation after a cybersecurity incident. Claire also counsels clients on compliance with generally applicable and sector-specific federal and state privacy laws. She has assisted clients in drafting and reviewing privacy policies and terms of service, designing new products and services to comply with applicable privacy laws, and reviewing contract or other agreements for potential privacy issues.

Prior to practicing law, Claire was a congressional staffer and worked for a trade association that assists small businesses.

Read more about Claire O'RourkeEmail
Show more Show less