At Northwestern Law's 44th Annual Ray Garrett Jr. Corporate & Securities Law Institute, Erik Gerding, Director of the SEC's Division of Corporation Finance, discussed the Securities and Exchange Commission's final rules relating to cybersecurity risk management, strategy, governance, and incident disclosure (the "Final Rules"). The Final Rules require public companies to timely report material cybersecurity incidents and provide annual disclosures about their cybersecurity risk management processes. Specific details regarding the information required, along with the timing and method of disclosure, are summarized in our Legal Update.
In his remarks, Director Gerding acknowledged that the SEC staff is undertaking targeted selective reviews of public companies' disclosures under the Final Rules and provided some initial observations on such disclosures. In particular, he noted some companies' reliance on overly generic or boilerplate language in their cybersecurity disclosures. The SEC expects companies to provide detailed, company-specific information that helps investors understand the actual risks and incidents being reported. This approach supports the SEC's broader goal of promoting meaningful disclosures that investors can rely on to make informed decisions.
Director Gerding also emphasized that the Final Rules are not aimed at changing corporate behavior or prescribing particular cybersecurity defenses, risk management practices, or governance. Rather, they are focused on improving the quality of the information companies provide, ensuring that investors receive accurate, comparable, and comprehensive disclosures about cybersecurity.
Director Gerding recapped some of the recent guidance issued by the Division of Corporation Finance with respect to compliance with the Final Rules, including the May 2024 statement on reporting cybersecurity incidents that a company either has not yet determined to be material or has determined was not material. The SEC staff had concerns that some of the early Form 8-K filings under Item 1.05 of the new rules used ambiguous disclosure language that potentially could leave investors uncertain as to whether a company had determined the materiality of a cybersecurity incident. The staff guidance was intended to address this concern, and recommends that voluntary filings on incidents not (or not yet) deemed material be disclosed under Item 8.01, rather than Item 1.05. This distinction is important because it helps investors distinguish between material and non-material incidents and factor that information into their investment and voting decisions.
In his discussion of the staff's guidance on the Final Rules, Director Gerding also reiterated that companies assessing the materiality of a cybersecurity incident should go beyond considering only quantitative factors and the impact on financial condition and results of operations. Rather, companies must consider factors such as reputational harm, the impact on customer relationships, and litigation or regulatory risk when determining whether an event is material. By focusing on these broader aspects of materiality, companies can provide disclosures that offer a more complete picture of their risks and vulnerabilities.
© Copyright 2024. The Mayer Brown Practices. All rights reserved.