
    What is the form that a publicly traded company must file with the Securities and Exchange Commission in the event of a cybersecurity breach?

    James

    Guys, does anyone know the answer?


    SEC.gov

    Exchange Act Reporting and Registration

    Annual and Quarterly Reports

    SEC rules require your company to file annual reports on Form 10-K and quarterly reports on Form 10-Q with the SEC on an ongoing basis. These reports require much of the same information about the company as is required in a registration statement for a public offering. Your company’s CEO and CFO must certify the financial and certain other information contained in annual reports on Form 10-K and quarterly reports on Form 10-Q. If your company qualifies as a “smaller reporting company” or an “emerging growth company,” it will be eligible to rely on scaled disclosure requirements for these reports.

    Current Reports

    Your company must also file current reports on Form 8-K to report certain specified events, often within four business days after occurrence of the event. Examples of the events that trigger the filing of a current report are:

    entry into and termination of a material definitive agreement (a copy of the agreement must also be publicly filed);

    completion of an acquisition or disposition of assets

    notice of a delisting or failure to satisfy a continued listing rule or standard or transfer of listing

    unregistered sales of equity securities

    material modifications to rights of security holders

    changes in your company's certifying accountant

    changes in control of the company

    election of directors, appointment of principal officers, and departure of directors and principal officers and

    amendments to charter and bylaws

    The company also will have to comply with certain rules whenever its management submits proposals to shareholders that will be subject to a shareholder vote, usually at a shareholders’ meeting, and certain of its shareholders and management become subject to other requirements.

    All of this information must be filed electronically with the SEC through its EDGAR system, and will immediately become publicly available upon filing.

    Exchange Act Registration

    Even if your company does not have an effective registration statement for a public offering, it could still be required to file a registration statement and become a reporting company under Section 12 of the Exchange Act if:

    it has more than $10 million in total assets and a class of equity securities, like common stock, that is held of record by either (1) 2,000 or more persons or (2) 500 or more persons who are not accredited investors or

    it lists the securities on a U.S. exchange

    For banks, bank holding companies and savings and loan holding companies, the threshold is 2,000 or more holders of record; the separate registration trigger for 500 or more non-accredited holders of record does not apply.

    The information about the company required in an Exchange Act registration statement is similar to what is required in a registration statement for a public offering.

    Exceptions to Exchange Act Registration

    In calculating the number of holders of record for purposes of determining whether Exchange Act registration is required, your company may exclude persons who acquired their securities in an exempt offering:

    under an employee compensation plan

    under Regulation Crowdfunding if the issuer

    is current in its ongoing annual reports required pursuant to Rule 202 of Regulation Crowdfunding

    has total assets as of the end of its last fiscal year not in excess of $25 million and

    has engaged the services of a transfer agent registered with the Commission pursuant to Section 17A of the Exchange Act or

    as a Tier 2 offering under Regulation A if the issuer:

    is required to file and is current in filing annual, semiannual and special financial reports under Securities Act Rule 257(b)

    had a public float of less than $75 million as of the end of its last semiannual period, or if it cannot calculate its public float, had less than $50 million in annual revenue as of the end of its last fiscal year and

    engaged a transfer agent registered pursuant to Section 17A of the Exchange Act

    Public float is calculated by multiplying the number of the company’s common shares held by non-affiliates by the market price and, in the case of an IPO, adding to that number the product obtained by multiplying the common shares covered by the registration statement by their estimated public offering price.

    Additional Information and Resources

    Compliance Guide: Changes to Exchange Act Registration Requirements to Implement Title V and Title VI of the JOBS Act

    Compliance Guide: Interactive Data for Financial Reporting

    Press Release: SEC Adopts Amendments to Implement JOBS Act and FAST Act Changes for Exchange Act Registration Requirements

    JOBS Act FAQs: Changes to the Requirements for Exchange Act Registration and Deregistration

    Sarbanes-Oxley Section 404: A Guide for Small Business

    Source : www.sec.gov

    SEC Proposes Cybersecurity Incident and Governance Disclosure Obligations for Public Companies

    Soon after proposing substantial cybersecurity requirements for investment advisers and registered investment companies, the SEC unveiled new cybersecurity disclosure rules for public companies.

    MARCH 14, 2022


    Holland & Knight Alert

    Scott Mascianica | Shardul Desai | Ira N. Rosner

    Highlights

    Less than a month after the U.S. Securities and Exchange Commission (SEC) proposed substantial new cybersecurity requirements for investment advisers and registered investment companies, the commission unveiled a new slate of proposed cybersecurity disclosure rules for public companies.

    If adopted, the proposed rules would require each public company to report material cybersecurity incidents within four business days after determining that it has experienced such incidents, provide periodic updates of previously reported cybersecurity incidents, describe its cybersecurity risk management policies and procedures, disclose its cybersecurity governance practices and disclose cybersecurity expertise on the board of directors.

    The proposed rules seek to have public companies disclose cybersecurity incidents and their risk management, strategy and governance practices in a consistent and comparable manner.

    Less than a month after the U.S. Securities and Exchange Commission (SEC) proposed substantial new cybersecurity requirements for investment advisers and registered investment companies, the commission unveiled a new slate of proposed cybersecurity disclosure rules for public companies. The proposed rules, if adopted, would require each public company to: 1) report material cybersecurity incidents within four business days after determining that it has experienced such incidents; 2) provide periodic updates of previously reported cybersecurity incidents; 3) describe its cybersecurity risk management policies and procedures; 4) disclose its cybersecurity governance practices; and 5) disclose cybersecurity expertise on the board of directors.[1]

    SEC Chair Gary Gensler previewed the possibility of such proposed rules during his January 2022 speech at the Northwestern Pritzker School of Law's Annual Securities Regulation Institute. The proposed rules seek to have public companies disclose cybersecurity incidents and their risk management, strategy and governance practices in a consistent and comparable manner. The proposed rules, however, may create significant litigation and enforcement risks for public companies and could potentially expose them to greater cybersecurity risks in certain situations. Furthermore, the contemplated ongoing reporting obligations and proposal that companies consider incidents at third-party providers as part of their assessment would place significant burdens on public companies. Additionally, the proposed rules are the latest example of the SEC using its rulemaking and enforcement authority to dictate corporate governance and board composition at public companies.

    This Holland & Knight alert provides a summary of the new proposed rules and offers some key takeaways.

    Proposed Cybersecurity Requirements for Public Companies

    A. Current Reporting about Material Cybersecurity Incidents

    The SEC proposed to amend Form 8-K to require public companies to disclose, within four business days after the company determines that it has experienced a material "cybersecurity incident," certain information about the incident. Under the proposed Item 1.05 to Form 8-K, a "cyber incident" is defined as "an unauthorized occurrence on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein." The SEC stated that "cybersecurity incident" "should be construed broadly…" and may include an accidental exposure of data.

    Although the SEC does not expect a public company to disclose technical information about its cybersecurity systems, potential vulnerabilities or response to a cybersecurity incident, disclosure of the following information for each material cybersecurity incident would be required:

    when the incident was discovered and whether it is ongoing

    a brief description of the nature and scope of the incident

    whether any data was stolen, altered, accessed or used for any other unauthorized purpose

    the effect of the incident on the company's operations

    whether the company has remediated or is currently remediating the incident[2]

    Notably, the triggering event for disclosure is not the date of the cybersecurity incident. Rather, disclosure would be within four days after the company "determines that a cybersecurity incident it has experienced is material."[3] Notwithstanding allowing the exercise of discretion (which effectively codifies the longstanding concept of "ripeness" in determining materiality), the SEC expects public companies "to be diligent in making a materiality determination."[4]

    Materiality is to be determined under longstanding precedent of whether there is a substantial likelihood that a reasonable shareholder would consider the information as important or as having significantly altered the total mix of information made available.[5] The SEC acknowledged that this materiality analysis "is not a mechanical exercise" but rather would require the company to "thoroughly and objectively evaluate the total mix of information…"[6]

    The SEC proposes to make the cybersecurity incident reporting on Form 8-K eligible for a limited safe harbor from liability under Section 10(b) or Rule 10b-5 under the Exchange Act for failure to timely file.[7] Importantly, however, this limited safe harbor does not exempt companies from antifraud liability – or other liability under other provisions of the federal securities laws – for representations made in a Form 8-K concerning the cybersecurity incident.[8]

    Source : www.hklaw.com

    SEC disclosure rules: Public company reporting requirements explained

    Learn how enterprise information security teams must support the public company reporting requirements necessary for compliance with CF Disclosure Guidance Topic No. 2, the SEC's cybersecurity reporting rules.


    Paul Kirvan

    Given the ongoing concern among enterprises and the government about cyberattacks and what information should be disclosed following an information security incident, the Division of Corporate Finance of the Securities and Exchange Commission (SEC) in October 2011 issued CF Disclosure Guidance Topic No. 2, which addresses public company reporting requirements involving relevant information for cybersecurity risks and incidents. This tip will explain the new SEC disclosure guidance, to whom it applies, what disclosure information must be provided, and how to provide it to the SEC in a timely fashion.


    Publicly traded companies registered with the SEC are required to provide reports to all potential investors that disclose information about security risks and associated events. Although the guidance specifically states there is no official reporting requirement associated with cybersecurity risks, it also states such disclosure of cybersecurity risk information is necessary if such risks have a potential material impact on reporting requirements. So for the purposes of this tip, let’s assume disclosure of a cybersecurity threat, risk or event by an organization registered with the SEC may be reviewed by SEC examiners.

    Another key point is the SEC does not expect registrants to disclose information that might compromise their cybersecurity operations. Rather, the SEC prefers disclosure of cybersecurity information in such a way that investors will be able to understand and thereby appreciate the risks faced by the specific registrant, without the registrant disclosing security-related information, such as specific security products in use or configurations in place, that could be exploited by attackers. In other words, enterprises bound by this rule don't need to explain everything, but there must be an emphasis on plain-language documentation so non-technically savvy regulators and investors can make sense of it.

    What do SEC cybersecurity disclosure rules address?

    Among the cybersecurity event details the SEC wants disclosed – in addition to summaries of specific events – are the following:

    Discuss which aspects of the registrant’s business/operations pose cybersecurity risks.

    Discuss potential consequences and costs of a cybersecurity breach.

    Discuss how the registrant identifies the functions that may be at risk of a cyberattack and how it addresses those risks.

    Describe cybersecurity incidents that are deemed material to the registrant’s ability to function, the costs and consequences incurred from those events.

    Describe the potential for cybersecurity risks to be undetected for an extended period.

    Discuss use of insurance and other treatments to address cybersecurity risks.

    Preparing for SEC cybersecurity disclosure report

    SEC registrants must prepare and submit a number of reports to the SEC, such as Form 10-K, Form 10-Q and others. Each has a standard format and reporting structure. Report sections into which cybersecurity disclosure can be provided include the following:

    Management’s Discussion and Analysis (MD&A) of Financial Condition and Results of Operations – In this section, the organization describes cybersecurity events that can be shown to have had a material effect on the registrant’s operations, liquidity or financial condition. These can include, for example, theft of critical financial data and loss of intellectual property. Assuming there are material, operational and/or financial effects from such a loss, it must be described in the MD&A, including any consequences of the event, such as incident response, customer outreach, increased investment in cybersecurity protective measures, and expenditures or losses related to those activities.

    Description of Business – Registrants should disclose if a cybersecurity threat could materially impact any or all of its products and services, as well as new or planned products and services that could be at risk from a cybersecurity attack. Most organizations should be able to rely on their organizational risk assessment template and documentation to provide this information. If the enterprise hasn't conducted a thorough risk assessment yet, the SEC cybersecurity disclosure requirements should serve as helpful leverage to convince the organization's technology and compliance leadership to make the investment.

    Legal Proceedings – If a cybersecurity event results in litigation due to loss of critical customer information or financial data, the registrant must disclose the circumstances surrounding the litigation, including the litigants, the court where proceedings are pending, and the details of the lawsuit. Fostering collaboration between compliance, security and legal teams well in advance of a legal event is a good idea so all stakeholders will be ready to respond to this requirement if necessary.

    Financial Statement Disclosures – Registrants that capitalize the funding necessary to increase their cybersecurity protection must disclose this information in their financial statements. Cyber-based losses that result in lawsuits, breaches of contract, product recalls and other situations may affect the assumptions used in preparing financial statements, and should be stated in those assumptions.

    Source : www.techtarget.com
