Kayla E. Klos

Kayla E. Klos



Siddharth Bahl

Siddharth Bahl



Yesterday, the Securities and Exchange Commission (the “SEC”) proposed rules seeking to provide a more consistent approach to public company disclosures regarding cybersecurity risk management, strategy and governance, and notifications of material cybersecurity incidents. The proposed rules would require disclosure of a company’s cybersecurity policies and procedures, board of directors’ expertise and oversight of cybersecurity risk, and updates on previously disclosed, material cybersecurity incidents. As proposed, public companies also would be required to report material cybersecurity incidents in a current report on Form 8-K within four business days of the incident. Under current SEC rules, there is no explicit time requirement to disclose cybersecurity incidents, although other SEC guidance has urged public companies to assess the materiality of breaches in determining whether, and to what extent, disclosure is necessary. The SEC expects the proposed rules will result in more consistent and useful disclosures that will better allow investors to evaluate a public company’s exposure to cybersecurity risks and incidents, as well as their ability to manage and mitigate those risks and incidents.

The proposed rule is summarized in the SEC’s Fact Sheet. The public comment period will be open for 60 days following publication of the proposed rules on the SEC’s website or 30 days following publication of the proposed rules in the Federal Register, whichever period is longer.

We will monitor this proposal and provide updates as appropriate. In the interim, if you have any questions about this proposal, please contact a member of Harter Secrest & Emery’s Securities and Capital Markets group at 585.232.6500 or 716.853.1616.

Attorney Advertising. Prior results do not guarantee a similar outcome. This publication is provided as a service to clients and friends of Harter Secrest & Emery LLP. It is intended for general information purposes only and should not be considered as legal advice. The contents are neither an exhaustive discussion nor do they purport to cover all developments in the area. The reader should consult with legal counsel to determine how applicable laws relate to specific situations. ©2022 Harter Secrest & Emery LLP


This website presents only general information not intended as legal advice. Although we encourage calls, letters and emails from prospective clients, please keep in mind that merely contacting Harter Secrest & Emery LLP (HSE) does not establish an attorney-client relationship between us. Confidential information should not be sent to HSE until you have been notified in writing by HSE that a formal attorney-client relationship has been established. Information sent to us before then may not be treated as confidential by HSE or the court.

I have read this and agree     Cancel

Our website uses cookies. By continuing to use our site, you agree to our use of cookies in accordance with our Privacy Policy.