
Last week, a sharply divided U.S. Securities and Exchange Commission (“SEC”) significantly increased reporting requirements on public companies by adopting a Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule (the “Rule”)[1] that requires, among many other things, reporting of “cybersecurity incidents” within only four business days of a “materiality” determination (subject to limited exceptions involving national security or public safety, as determined by the U.S. Attorney General).  As justification for this extremely short reporting period, the SEC cited the 72-hour “discovery” and 24-hour ransom payment reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”).  But there is a critical distinction: The CIRCIA reporting requirements are confidential, whereas the reporting requirements under the Rule are public.  Why does that matter?  Among other reasons, a requirement for rapid public reporting may well lead to more cybersecurity incident class actions (whether meritorious or not).

Continue Reading: Cybersecurity Sheriffs Continue to Multiply and Crack Down – New SEC Rule Amps Up Public Company Pressure


Public companies may soon have another regulation to worry about when it comes to their cybersecurity regime.  Last week, citing the increase in cybersecurity incidents and the need for investors to be informed about cybersecurity risks in a timely manner, the Securities and Exchange Commission (SEC) proposed amendments to its rules that demand more of registrants when it comes to cybersecurity disclosures.

Continue Reading: SEC Proposes Mandatory Cybersecurity Disclosures