On August 4, 2023, the Securities and Exchange Commission’s (“SEC”) final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure was published in the Federal Register, confirming the dates on which these new requirements will enter into force.  Covington has previously published a detailed summary of this rule, which imposes significant new disclosure requirements for publicly traded companies and, in certain instances, foreign private issuers.  As discussed in greater detail in that alert, the new rule requires U.S. public companies to report material cybersecurity incidents on Form 8-K within four business days of their determination that a material cybersecurity incident has occurred.  Foreign private issuers will be required to furnish information on Form 6-K about material cybersecurity incidents that they disclose or otherwise publicize to any stock exchange or to security holders in a foreign jurisdiction. 

The rule also requires additional disclosures as part of a company’s Annual Report on Form 10-K or Form 20-F regarding the company’s cybersecurity risk management and oversight.  These requirements include disclosures regarding:

  • processes a company maintains for assessing, identifying, and managing material risks from cybersecurity threats;
  • a description of the board of directors’ oversight of risks from cybersecurity threats; and
  • a description of management’s role in assessing and managing material risks from cybersecurity threats.

Now that the final rule has been published in the Federal Register, the compliance dates have been confirmed.  The new requirement to report material cybersecurity incidents on Form 8-K and Form 6-K will take effect for all companies other than smaller reporting companies on December 18, 2023.  This requirement will take effect for smaller reporting companies on June 15, 2024.  The new disclosures in Annual Reports on Form 10-K and Form 20-F will be required in reports for fiscal years ending on or after December 15, 2023.  All issuers will be required to tag Form 8-K and Form 6-K disclosures beginning December 18, 2024, and disclosures in Annual Reports on Form 10-K and Form 20-F will be required in reports for fiscal years ending on or after December 15, 2024.  Please refer to Covington’s detailed summary of the final regulation for additional information on this regulation, including exceptions, required form amendments, and next steps for companies to consider.

Kerry Burke

Kerry Shannon Burke has been helping public and private companies structure and execute capital markets and finance transactions and navigate the pitfalls of public company reporting and governance for over 25 years. Kerry regularly represents issuers, ranging from development stage ventures to large public companies, as well as underwriters and other institutional investors, with private and public debt and equity financings. She also has assisted public and private companies in structuring and negotiating financing transactions, including term loan and revolving credit facilities and acquisition financing.

Kerry is a “go-to” advisor for large public companies and their boards on corporate governance, SEC reporting, ESG, cybersecurity disclosure, succession planning and compliance program design. Kerry also assists private companies on governance and IPO readiness matters, including with respect to board and committee independence, internal and disclosure controls and similar matters.

Kerry has particular expertise counseling clients on the Investment Advisers Act and assists investment advisers, including private equity funds, hedge funds and venture capital funds, on various status questions and ongoing compliance matters.

David H. Engvall

David Engvall advises public companies on a wide range of securities, capital markets, corporate governance, and related matters. In the capital markets area, he has handled a range of transactions, including registered and unregistered offerings of common and preferred stock, investment grade and high yield debt securities, convertible securities, and trust units. He advises companies in a number of industries. David’s transactional experience also includes equity and debt tender offers, investments and M&A transactions.

David advises public company clients on a wide variety of disclosure, SEC compliance, transactional, and corporate governance matters. David is actively engaged in advising clients on a wide range of specific securities law topics, including executive compensation, beneficial ownership reporting, environmental, social and governance (“ESG”) reporting, and specialized disclosures such as those pertaining to conflict minerals. In the corporate governance area, he advises clients on topics such as Board committee charters, shareholder activism, management succession planning, and director independence.

Matthew Franker

Matt Franker has twenty years of experience advising public and private companies, underwriters, and boards of directors in capital markets offerings, securities disclosure and financial reporting, including disclosures relating to non-GAAP financial measures, accounting for business combinations and other technical accounting issues, corporate governance and ESG matters, mergers and acquisitions, and general corporate issues.

Matt has been recognized in Legal 500 for his work on capital markets transactions, and his capital markets experience includes advising companies and underwriters on registered and exempt offerings of common and preferred equity securities and investment grade, high-yield and convertible debt securities, exchange offers, debt tender offers, and consent solicitations. Matt has an extensive securities advisory practice focused on assisting public companies in a wide variety of disclosure, corporate governance, and compliance matters.

Prior to joining Covington, Matt served as an attorney-adviser with the U.S. Securities and Exchange Commission’s Division of Corporation Finance. While at the SEC, he worked on a wide variety of transactional and securities compliance matters, with an emphasis on the manufacturing, construction, and financial services industries. His experience at the SEC focused on IPOs, secondary offerings, mergers and acquisitions, exchange offers, going-private transactions, PIPEs and private equity financings and evaluating no-action requests to exclude shareholder proposals under Exchange Act Rule 14a-8.

Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.

Claire O'Rourke

Working with emerging, national, and multinational companies and non-profits, Claire O’Rourke handles matters involving a range of data privacy and cybersecurity issues.

Claire works with clients in the technology, financial services, life sciences, and healthcare industries, among others. She provides strategic advice on preparation for, response to, and legal obligations and risk mitigation after a cybersecurity incident. Claire also counsels clients on compliance with generally applicable and sector-specific federal and state privacy laws. She has assisted clients in drafting and reviewing privacy policies and terms of service, designing new products and services to comply with applicable privacy laws, and reviewing contract or other agreements for potential privacy issues.

Prior to practicing law, Claire was a congressional staffer and worked for a trade association that assists small businesses.