By John J. Gilluly III, Brent L. Bernell, Louann Fang Richard, Deborah R. Meshulam, Andrew Serwin & Ron Plesco
Cybersecurity risk governance and disclosure has been the subject of a number of recent cyber-focused proposals. As Congress considers imposing broad federal cyber incident notification requirements, the Securities and Exchange Commission (SEC), on March 9, 2022, voted 3-1 to issue proposed new rules that would require publicly traded companies to disclose “cybersecurity incidents” (defined below) in current reports on Form 8-K or Form 6-K for foreign private issuers within four business days of determining that an incident is material and, thereafter, correct prior disclosures when new or additional material information becomes available.