PUBLISHED ON: June 15, 2022
In March, the SEC released its proposed new rules for cyber reporting under Form 8-K. Specifically, the SEC seeks to require an organization to report “material” cybersecurity incidents within four business days after it determines that such an incident occurred.
Other changes would seek enhancements to annual disclosures in the form of 10-Q and 10-K updates to 8-K disclosures, including an organization’s changes in cyber resilience and policies resulting from a reported incident. The SEC rules would also require enhanced disclosures concerning cyberrisk assessment programs; information concerning the retention of consultants, auditors and third-party vetting; risk management efforts both on the front end and in the wake of a breach; the development of plans to ensure business continuity and recovery after an incident; self-evaluation from prior incidents and corresponding changes to computing procedures; and a “wide-angle” risk assessment addressing cyber perils.
While it remains to be seen what the final rules will look like, the proposal has raised some concerns. Perhaps the most vexing is the four-day reporting period following a determination of materiality, given the realities and uncertainties that linger for the first phases of forensic review after an incident. Another noteworthy aspect of the proposed rules is the requirement of highly specific disclosures regarding designated officers overseeing a company’s cybersecurity policies and procedures. While disclosure can be necessary to ensure accountability, this information could also be used by hackers to gain an advantage in their system intrusion efforts.
Joshua Gold is a shareholder in Anderson Kill’s New York office, chair of Anderson Kill’s cyber insurance recovery group and co-chair of the firm’s marine cargo industry group. He is co-author with Daniel J. Healy of Cyber Insurance Claims, Case Law, and Risk Management, forthcoming from the Practicing Law Institute.