TheCorporateCounsel.net

This week, the SEC posted a Sunshine Act Notice for an open meeting of the Commissioners to be held next Wednesday, July 26th. On the agenda is the highly-anticipated rulemaking on cybersecurity risk management, strategy, governance, and incident disclosure. Back in March of last year, John blogged about the proposed rules, which, among other things, proposed to amend Form 8-K to require a registrant to disclose certain information within four business days after it determines that it has experienced a material cybersecurity incident.

I won’t try to speculate about how the final rules may differ from the proposed form. This seems like a particularly challenging topic to tackle — with the understandably heightened sensitivity involving companies who are themselves victims in a cybersecurity incident — and trying to thread the needle to address improved disclosure for investor protection. While this proposal may not have received as many comments as the seemingly record-breaking climate proposal, commenters — and Commissioner Peirce — voiced several concerns about certain aspects of the cybersecurity proposal that I’m sure the Corp Fin Staff has been spending this time carefully considering.

– Meredith Ervine