On July 26, the U.S. Securities and Exchange Commission adopted new rules regarding public companies’ reporting of (i) cybersecurity incidents, (ii) policies and procedures for identifying and managing cybersecurity risks and (iii) management and board roles in implementing cybersecurity policies and procedures. Read on for details about the new rules and recommended next steps for

David S. Wolpa
David concentrates his practice on securities, mergers and acquisitions and general corporate matters, representing clients in a wide variety of industries. His experience includes representing public and private companies in offerings of securities and mergers and acquisitions transactions.
SEC Proposes New, Formal Cybersecurity Disclosure Rules
On March 9, the U.S. Securities and Exchange Commission proposed new rules that would fundamentally change how public companies treat the reporting and management of cybersecurity incidents and risk.
Read on for details about these proposed rules, which build significantly upon prior guidance by creating express, mandatory disclosure obligations.
SEC Report Reiterates Cybersecurity Implications for Internal Control Requirement
On October 16, 2018, the Securities and Exchange Commission (SEC) issued a report on the results of investigations made by the SEC’s Division of Enforcement into nine public companies that were victims of cyber-related frauds. In each case, the SEC investigation focused on whether the target companies had complied with the applicable requirements of the Securities Exchange Act of 1934, as amended (Act). The Act requires public companies to devise and maintain a system of internal control over financial reporting designed to provide reasonable assurance that, among other things, transactions are executed in accordance with company management’s authorization, that transactions are properly recorded and that access to assets is permitted only with management’s authorization.
Ultimately, the SEC did not pursue enforcement actions against any of these companies, but released the report to advise public companies that cyber-fraud incidents must be taken into account when designing and maintaining internal control procedures.
Between a Rock and a Hard Place: SEC Disclosure Analysis in Light of Yahoo
On April 25, the Securities and Exchange Commission announced a settlement with Yahoo that constituted its first enforcement action against a public company for failing to disclose a data breach.
This settlement demonstrates that companies in post-data breach environments must engage in a thorough, fulsome analysis of whether to disclose the cybersecurity incident in their…