Earlier this week, the Securities and Exchange Commission (“SEC”) published an update to its rulemaking agenda indicating that two previously proposed cyber rules might not be approved until October 2023 (although the agenda’s timeframe is an estimate and the rules could be finalized sooner or later). The proposed rules in question address disclosure requirements regarding cybersecurity governance and cybersecurity incidents at publicly traded companies and registered investment advisers and funds.

  • Cybersecurity Risk Governance Rule for Public Companies: Proposed in March 2022, this rule would require publicly traded companies to publicly disclose a cyber incident within four business days of determining that the incident is material and to provide disclosure in periodic reports about certain cybersecurity governance practices. The proposed rule has been subject to two comment periods; after the original comment period ended in May 2022, the SEC re-opened the comment period from October to November 2022.
  • Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies: Proposed in February 2022, this rule would require registered investment advisers and investment companies to adopt and implement “written cybersecurity policies and procedures reasonably designed to address cybersecurity risks.” The rule would also require advisers to “report significant cybersecurity incidents affecting the adviser, or its fund or private fund clients” to the SEC as well as to implement certain recordkeeping practices. The proposed rule has also been subject to two comment periods; after the original comment period ended in April 2022, the SEC re-opened the comment period from March to May 2023.

The SEC is also considering multiple other rules that implicate cybersecurity considerations and are in various phases of comment and revision for broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents.

Micaela McMurrough

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group and as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and she regularly represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Ashden Fein

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Additionally, Ashden assists clients from across industries with leading internal investigations and responding to government inquiries related to U.S. national security and insider risks. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Ashden currently serves as a Judge Advocate in the U.S. Army Reserve.

David H. Engvall

David Engvall advises public companies on a wide range of securities, capital markets, corporate governance, and related matters. In the capital markets area, he has handled a range of transactions, including registered and unregistered offerings of common and preferred stock, investment grade and high yield debt securities, convertible securities, and trust units. He advises companies in a number of industries. David’s transactional experience also includes equity and debt tender offers, investments and M&A transactions.

David advises public company clients on a wide variety of disclosure, SEC compliance, transactional, and corporate governance matters. David is actively engaged in advising clients on a wide range of specific securities law topics, including executive compensation, beneficial ownership reporting, environmental, social and governance (“ESG”) reporting, and specialized disclosures such as those pertaining to conflict minerals. In the corporate governance area, he advises clients on topics such as Board committee charters, shareholder activism, management succession planning, and director independence.

Kerry Burke

Kerry Shannon Burke has been helping public and private companies structure and execute capital markets and finance transactions and navigate the pitfalls of public company reporting and governance for over 25 years. Kerry regularly represents issuers, ranging from development stage ventures to large public companies, as well as underwriters and other institutional investors, with private and public debt and equity financings. She also has assisted public and private companies in structuring and negotiating financing transactions, including term loan and revolving credit facilities and acquisition financing.

Kerry is a “go-to” advisor for large public companies and their boards on corporate governance, SEC reporting, ESG, cybersecurity disclosure, succession planning and compliance program design. Kerry also assists private companies on governance and IPO readiness matters, including with respect to board and committee independence, internal and disclosure controls and similar matters.

Kerry has particular expertise counseling clients on the Investment Advisers Act and assists investment advisers, including private equity funds, hedge funds and venture capital funds, on various status questions and ongoing compliance matters.

Shayan Karbassi

Shayan Karbassi is an associate in the firm’s Washington, DC office. He represents and advises clients on a range of cybersecurity and national security issues. As a part of his cybersecurity practice, Shayan assists clients with cyber and data security incident response and preparedness, government and internal investigations, and regulatory compliance. He also regularly advises clients with respect to risks stemming from U.S. criminal and civil anti-terrorism laws and other national security issues, to include investigating allegations of terrorism-financing and litigating Anti-Terrorism Act claims.

Shayan maintains an active pro bono litigation practice with a focus on human rights, freedom of information, and free media issues.

Prior to joining the firm, Shayan worked in the U.S. national security community.

Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.