On July 26, 2023, the SEC adopted final new rules requiring disclosures for both domestic and foreign companies related to cybersecurity incidents, risk management, strategy and governance. The proposed rules were published in March 2022 (see HERE). In response to numerous comments, the final rules made several changes to the proposal, including narrowing the disclosures in both the Form 8-K/6-K and annual reports on Form 10-K and 20-F.
The final rules add new Item 1.05 to Form 8-K requiring disclosure of a material cybersecurity incident including the incident’s nature, scope, timing, and material impact or reasonably likely impact on the company. An Item 1.05 Form 8-K will be due within four business days following determination that a cybersecurity incident is material. Given the sensitive nature of cybersecurity crimes, the SEC has added a provision allowing an 8-K to be delayed if it is informed by the United States Attorney General, in writing, that immediate disclosure would pose a substantial
Earlier this year, the SEC published proposed rules on cybersecurity risk management, strategy, governance and incident disclosure by public companies. Although the comment period has passed, a final rule has not yet been issued. As of now, cybersecurity disclosures are encompassed within the general anti-fraud provisions including the requirement to disclose “such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading” as well as SEC guidance last updated in 2018 (see HERE).
The proposed amendments would require, among other things, current reporting about material cybersecurity incidents and updates about previously reported cybersecurity incidents. The proposal also would require periodic reporting about a company’s policies and procedures to identify and manage cybersecurity risks; the company’s board of directors’ oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures. The proposal would further
In February, the Office of Management and Budget released the proposed fiscal 2021 United States government budget. The beginning of the Budget contains a message from President Trump delineating a list of key priorities of the administration including better trade deals, preserving peace through strength, overcoming the opioid crisis, regulation relief and American energy independence. The budget has some notable aspects that directly relate to the capital markets and their participants.
As the federal government has been doing for all agencies, the 2021 Budget seeks to eliminate agency reserve funds. Specifically regarding the SEC, the Budget cuts the SEC reserve by $50 million. The reduction in reserve fund is thought to increase overall accountability as the SEC would need to go to Congress to ask for additional funds if needed, with an explanation, instead of just accessing a reserve account. Reserve fund cuts are sent to the U.S. Treasury for deficit reduction.
However, the Budget also increases the
As my firm does not practice in the enforcement arena, it is not an area I always write about, but this year I found a few trends that are interesting. In particular, just by following published enforcement matters on the SEC’s website, I’ve noticed a large uptick in actions to suspend the trading in, or otherwise take action against, micro- and small-cap companies, especially delinquent filers. I’ve also noticed a large uptick of actions against smaller public and private companies that use misleading means to raise capital from retail investors, and the concurrent use of unlicensed broker-dealers. Of course, there have always been a significant number of actions involving cryptocurrencies. In light of my own observations, I decided to review and report on the SEC’s view of its actions.
As an aside, before discussing the report, I note that the Government Accountability Office (GAO) has raised concerns about the quality of record keeping and documentation maintained by the
On June 19, 2018, the SEC published a draft Strategic Plan and requested public comment on the Plan. The Strategic Plan would guide the SEC’s priorities through fiscal year 2022. The Plan reiterates the theme of serving the interests of Main Street investors, but also recognizes the changing technological world with a priority of becoming more innovative, responsive and resilient to market developments and trends. The Plan also broadly focuses on improving SEC staff’s performance using data and analytics.
The Strategic Plan begins with a broad overview about the SEC itself, a topic I go back to and reiterate on occasion, such as HERE. The SEC’s mission has remained unchanged over the years, including to protect investors, maintain fair, orderly and efficient markets, and facilitate capital formation. In addition, according to the Strategic Plan, the SEC:
- Engages and interacts with the investing public directly on a daily basis through a variety of channels, including investor roundtables and education
On June 14, 2018, William Hinman, the Director of the SEC Division of Corporation Finance, gave a speech at Yahoo Finance’s All Markets Summit in which he made two huge revelations for the crypto marketplace. The first is that he believes a cryptocurrency issued in a securities offering could later be purchased and sold in transactions not subject to the securities laws. The second is that Ether and Bitcoin are not currently securities. Also, for the first time, Hinman gives the marketplace guidance on how to structure a token or coin such that it might not be a security.
While this gives the marketplace much-needed guidance on the topic, a speech by an executive with the SEC has no legal force. As a result, the blogs and press responding to Mr. Hinman’s speech have been mixed. Personally, I think it is a significant advancement in the regulatory uncertainty surrounding the crypto space and a signal that more constructive guidance
On February 20, 2018, the SEC issued new interpretative guidance on public company disclosures related to cybersecurity risks and incidents. In addition to addressing public company disclosures, the new guidance reminds companies of the importance of maintaining disclosure controls and procedures to address cyber-risks and incidents and reminds insiders that trading while having non-public information related to cyber-matters could violate federal insider-trading laws.
The prior SEC guidance on the topic was dated, having been issued on October 13, 2011. For a review of this prior guidance, see HERE. The new guidance is not dramatically different from the 2011 guidance.
The topic of cybersecurity has been in the forefront in recent years, with the SEC issuing a series of statements and creating two new cyber-based enforcement initiatives targeting the protection of retail investors, including protection related to distributed ledger technology (DLT) and initial coin or cryptocurrency offerings (ICOs). Moreover, the SEC has asked the House Committee on Financial
On February 6, 2018, the United States Senate Committee on Banking, Housing, and Urban Affairs (“Banking Committee”) held a hearing on “Virtual Currencies: The Oversight Role of the U.S. Securities and Exchange Commission and the U.S. Commodity Futures Trading Commission.” Both SEC Chairman Jay Clayton and CFTC Chairman J. Christopher Giancarlo testified and provided written testimony. The marketplace as a whole had a positive reaction to the testimony, with Bitcoin prices immediately jumping up by over $1600. This blog reviews the testimony and provides my usual commentary.
The SEC and CFTC Share Joint Regulatory Oversight
The Banking Committee hearing follows SEC and CFTC joint statements on January 19, 2018 and a joint op-ed piece in the Wall Street Journal published on January 25, 2018 (see HERE). As with other areas in capital markets, such as swaps, the SEC and CFTC have joint regulatory oversight over cryptocurrencies. Where the SEC regulates securities and securities markets, the CFTC
On September 20, 2017, SEC Chair Jay Clayton issued a statement on cybersecurity that included the astonishing revelation that the SEC EDGAR system had been hacked in 2016. Since the original statement, the SEC has confirmed that personal information on at least two individuals was obtained in the incident. Following Jay Clayton’s initial statement, on September 25, 2017, the SEC announced two new cyber-based enforcement initiatives targeting the protection of retail investors, including protection related to distributed ledger technology (DLT) and initial coin or cryptocurrency offerings (ICOs).
The issue of cybersecurity is at the forefront for the SEC, and Jay Clayton is asking the House Committee on Financial Services to increase the SEC’s budget by $100 million to enhance the SEC’s cybersecurity efforts.
This is the second in a two-part blog series summarizing Jay Clayton’s statement, the SEC EDGAR hacking and the new initiatives. Part I of this blog, which outlined Chair Clayton’s statement on cybersecurity and the EDGAR
In a much talked about speech to the Economic Club of New York on July 12, 2017, SEC Chairman Jay Clayton set forth his thoughts on SEC policy, including a list of guiding principles for his tenure. Chair Clayton’s underlying theme is the furtherance of opportunities and protection of Main Street investors, a welcome viewpoint from the securities markets’ top regulator. This was Chair Clayton’s first public speech in his new role and follows Commissioner Michael Piwowar’s recent remarks to the SEC-NYU Dialogue on Securities Market Regulation largely related to the U.S. IPO market. For a summary of Commissioner Piwowar’s speech, read HERE.
Chair Clayton outlined a list of eight guiding principles for the SEC.
#1: The SEC’s Mission is its touchstone
As described by Chair Clayton, the SEC has a three-part mission: (i) to protect investors; (ii) to maintain fair, orderly and efficient markets; and (iii) to facilitate capital formation. Chair Clayton stresses that it