Cybersecurity: Legal implications and risk management

What's inside

In an increasingly interconnected world, cyber risk is firmly at the top of the boardroom agenda, and having an effective data breach response programme is no longer optional.

Cybersecurity crisis management

The internet knows no borders, and neither do we. Our global team of cybersecurity response experts works across borders, combining data protection, privacy, regulatory, white collar and litigation expertise to deliver seamless crisis management and legal advice, whenever and wherever it is needed.

Digitalization and the free flow of information have transformed global business. With increased opportunities, however, have come new and increased risks, together with complex legislative regimes that vary significantly by jurisdiction and are constantly evolving. Even the most conscientious company can become the victim of a cybersecurity incident, such as the theft of client or company information or a ransomware attack. We work with a wide range of multinational companies to manage their cybersecurity risks, developing rapid response plans, providing time-critical crisis management advice, and working with clients to manage any legal issues that result.

Key issues

Why?

  • Reputation
  • Fines
  • Breach of contract
  • M&A due diligence
  • Insurance
  • Proprietary information
  • Litigation
  • Criminal offences
  • Negligence

Be prepared

Risk Assessment

  • Key Information
  • Assets
  • Key Systems
  • Threat Analysis
  • Security Measures

Toolkit

  • Scripts
  • Internal and External
  • Communications
  • Employee contacts
  • Response Plan
  • Live Training
  • Business Continuity Plan

Key considerations

Customer/individual rights

  • Requests for data
  • Data Protection Authority Complaints
  • Group litigation orders
  • Resolution mechanisms

B2B relationships

  • Contractual obligations
  • Contractual liability
  • Tort

Reputation management

  • Media strategy
  • Customer interaction
  • Employee engagement

Commercial

  • Proprietary
  • Information/Trade Secrets
  • System Disruption

Regulatory issues

  • Data Protection Authority
  • Financial Regulators
  • Market authorities
  • Other regulators

Privacy & data protection

  • Jurisdictions involved
  • Reporting obligations
    • individuals
    • authorities

Evidence

  • Law Enforcement Involvement
  • Legal Privilege
  • Preservation of Evidence

Response

Crisis Team

  • Legal (internal and external)
  • IT/IT Forensics
  • PR
  • Regulatory
  • DPO
  • Executive committee
  • HR
  • Vendor manager

Key Actions

  • Work with forensic investigators to:
    • Identify and contain breach
    • Gather/preserve evidence
    • Maximise legal privilege coverage
  • Contact crisis team
  • Bring in external partners
  • Identify key risks and priorities based on nature of breach
  • Assess notification requirements
  • Communications
  • Regulatory notifications


Articles

2024

NYDFS Releases Artificial Intelligence Cybersecurity Guidance For Covered Entities

On October 16, 2024, the New York State Department of Financial Services (the "DFS"), under its Cybersecurity Regulation—23 NYCRR Part 500—issued a memorandum providing guidance on the risks posed by artificial intelligence ("Guidance Memo").

SEC Will Prioritize AI, Cybersecurity, and Crypto in its 2025 Examination Priorities

On October 21, 2024, the US Securities and Exchange Commission ("SEC") Division of Examinations ("Examination Division") announced its 2025 Examination Priorities ("Report"). Investment advisers and broker-dealers should ensure that policies, procedures and surveillance efforts related to these priorities address concerns outlined in the Report.

SEC Enforcement Heats up on Key Public Company Topics: Cyber Disclosure, Director Independence and Regulation FD

The U.S. Securities and Exchange Commission's ("SEC") Division of Enforcement has recently brought a spate of enforcement actions relating to key topics for public companies. These include enforcement actions related to cybersecurity incident disclosure, director independence and Regulation Fair Disclosure ("Reg FD") violations, which are described below, and actions based on Sections 13 and 16 beneficial ownership filings, as discussed in our prior alert.

Judge Rejects SEC’s Aggressive Approach to Cybersecurity Enforcement

On July 18, 2024, a New York federal judge dismissed most of the US Securities and Exchange Commission's ("SEC") claims against SolarWinds Corp. ("SolarWinds" or the "Company") and its Chief Information Security Officer ("CISO"), Timothy G. Brown, in connection with the Company's cybersecurity practice.

NIS 2 Directive: Navigating the challenges of implementation, impact, and scope

The NIS 2 directive establishes a regulatory framework aimed at improving the level of cybersecurity across the EU.

SEC’s Corp Fin Director Issues Statement on Cybersecurity Incident Disclosures

On May 21, 2024, the SEC's Director of the Division of Corporation Finance issued a statement on cybersecurity incident disclosures in light of the SEC's new cybersecurity disclosure rules. Our summary of this statement and key take-aways from White & Case's survey of cybersecurity disclosures is below.

2023

The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies

On October 30, 2023, the US Securities and Exchange Commission ("SEC") announced that it filed charges against SolarWinds Corp. ("SolarWinds" or the "Company") and its Chief Information Security Officer ("CISO") in connection with the SEC Division of Enforcement's ("Enforcement Division") investigation of a cyberattack.

SEC Adopts Mandatory Cybersecurity Disclosure Rules

On July 26, 2023, the Securities and Exchange Commission ("SEC"), in a 3-2 vote, adopted rules that will require public companies to make prescribed cybersecurity disclosures.

Shaping the future of digital and cybersecurity governance

In this brief three-minute video, London-based partner Lawson Caisley, Chair of White & Case's Global Cyber Risk Committee, shares his insights on governing cyber risk at the corporate level and some of the challenges of cyber risk management in the boardroom. Filmed at the Digital Directors Network (DDN) Domino 2023 conference on digital and cybersecurity governance.


Prioritizing cybersecurity at the corporate level

In this short three-minute video, Washington, DC–based partner F. Paul Pittman discusses the implications of the proposed new SEC rules on cybersecurity governance and what corporate boards can do now. Filmed at the Digital Directors Network (DDN) Domino 2023 conference on digital and cybersecurity governance.


Cybersecurity Developments and Legal Issues

The potential for cybersecurity threats and attacks looms large and the technology companies developing new products and services play a constant game of cat-and-mouse with hackers and cybercriminals for control of cyberspace. Here are six points to consider when analyzing cybersecurity risks and protections.


Directors face personal liability over cybersecurity failures

In an article for The Times, White & Case partner Lawson Caisley discusses why it could become increasingly common for UK directors to "face personal liability and regulatory censure as a result of their company suffering or mishandling a cyberbreach".


2022

Director liability for cyber breaches: transatlantic warning signs?

Two legal cases in the US in the past month suggest that regulators and prosecutors are becoming more determined to take personal action against directors and senior executives who fail to deal adequately with cybersecurity breaches.


SEC Proposes Mandatory Cybersecurity Disclosure Rules

On March 9, 2022, the Securities and Exchange Commission ("SEC") proposed rules that would require public companies to make prescribed cybersecurity disclosures.

2021

Legal 500's In-House Lawyer Magazine Autumn - Commercial Litigation Focus (Germany)

In The Legal 500's newly released In-House Lawyer Magazine a group of White & Case lawyers has contributed a legal briefing on trends in German commercial litigation.


AAA plc & ors v Persons Unknown: Cyber Activism or Blackmail?

In recent years, demands for payments in cryptocurrencies have become the ransom of choice for cyber extortionists and other online frauds. As a result, the English Court's powers are increasingly being called upon.


Time to Revisit Risk Factors in Periodic Reports

Ninth Circuit Decision Highlights Importance of Updating Risk Factors to Address Material Developments, including those relating to Cybersecurity Risks.


Cybersecurity Enforcement: New York Department of Financial Services issues first penalty under Cybersecurity Regulation

Consistent with its increasing activity in the cybersecurity enforcement space, in March 2021, the NYDFS issued its first penalty under the Cybersecurity Regulation. This client alert explores the settlement and offers takeaways on the areas of focus by the NYDFS in enforcement actions under the Cybersecurity Regulation.

Compensating non-material damages based on Article 82 GDPR

Is a data subject entitled to compensation from a controller or processor if the data subject's GDPR rights have been infringed, even if they have not suffered any kind of material damage? 

Corporate Boards Must Ask Key Cybersecurity Questions

Cybersecurity has been a mainstay of quarterly board agendas for years.

2020

Cybersecurity Risk: Top 5 strategies to build resilience

The fourth webinar in our 2020 Autumn Webinar Series covered crucial steps you should be taking to protect against cybersecurity threats and what you should do when disaster strikes.

Before the Dust Settles: The California Privacy Rights Act Ballot Initiative Modifies and Expands California Privacy Law

Hot on the heels of the California Attorney General's rulemaking process for the California Consumer Privacy Act ("CCPA"), California voters have passed a ballot initiative to expand and create new privacy rights for consumers.


US Cybersecurity Standards to Get Tougher and More Specific

In the past few years, cybersecurity has taken on increasing importance in the eyes of lawmakers and regulators.

Data Sharing Without Borders

UK law enforcement can now obtain an order against a person in or operating in the US for the production of or access to electronic data under a new ‘landmark’ US-UK data sharing agreement.


Responding to a cyber-incident

The COVID-19 crisis has exposed many companies to more cyber threats. Tim Hickman and John Timmons discuss what businesses need to do should a major incident occur.

Trending: Legal protection for cryptoasset stakeholders

Recent decisions in Singapore and New Zealand confirm that the courts are prepared to act to provide greater certainty and support to stakeholders in cryptoassets.

Recovering the ransom: High Court confirms Bitcoin status as property

The High Court has determined that Bitcoin (and other similar cryptocurrencies) can be considered property under English law, and could be the subject of a proprietary injunction. The Court granted the injunction to assist an insurance company to recover Bitcoin that it had transferred in order to satisfy a malware ransom demand.

2019

Navigating Privacy and Cyber Incident Notification and Disclosure Requirements

Organisations are facing increasing uncertainty in assessing global notification and disclosure obligations and making a determination of whether to notify or disclose a privacy violation or security incident in today's complex regulatory environment. This article offers six steps companies should consider when navigating this complex process.

Proposal on the Application of the NIS Regulations post-Brexit

This article examines the impact of the UK Network and Information Systems Regulations 2018 (SI 2018/506) (NIS Regulations) on organisations post Brexit and their obligations under applicable cybersecurity law.

SEC Proposes Mandatory Cybersecurity Disclosure Rules

Alert | 14 min read

On March 9, 2022, the Securities and Exchange Commission ("SEC") proposed rules that would require public companies to make prescribed cybersecurity disclosures.1 The proposed rules would "strengthen investors' ability to evaluate public companies' cybersecurity practices and incident reporting"2 by requiring:

(i) mandatory, material cybersecurity incident reporting, including updates about previously reported incidents; and

(ii) mandatory, ongoing disclosures on companies' governance, risk management, and strategy with respect to cybersecurity risks, including board cybersecurity expertise and board oversight of cybersecurity risks.

The proposed rules, if adopted, would codify and further expand on the SEC's previously issued interpretive guidance from 20113 and 2018,4 in which the SEC provided its views on how existing disclosure obligations would apply to cybersecurity risks and incidents, and how cybersecurity is a key element of enterprise risk management. The proposed rules also reflect the SEC's move toward a more prescriptive rule-making approach and away from the prior administration's principles-based approach. The public comment period for the proposed rules will remain open for 30 days following publication of the proposing release in the Federal Register or until May 9, 2022, whichever period is longer.

In explaining its approach to the proposed rules, the proposing release highlighted that current disclosures on cybersecurity risks and incidents remain "inconsistent, may not be timely, and can be difficult to locate." Given the increasing prevalence of cybersecurity incidents and attacks, as well as the significant impact such an attack may have on a company, the SEC believes "[c]onsistent, comparable, and decision-useful disclosures" would allow investors to better evaluate companies' "exposure to cybersecurity risks and incidents as well as their ability to manage and mitigate those risks and incidents."

The proposed rules evidence the SEC's continued focus on cybersecurity risk after several high-profile incidents and increasing cybersecurity attacks. In 2021, for example, the SEC charged at least two issuers with cybersecurity-related violations, demonstrating the shift to a more aggressive enforcement posture.5 6


Cybersecurity Incident Disclosure

The proposed rules would:

Add Material Cybersecurity Incidents as a Form 8-K Event. Proposed new Item 1.05 of Form 8-K would require companies to disclose information about a material cybersecurity incident within four (4) business days after the company determines that it has experienced a material cybersecurity incident.7 The proposed rule expands on the SEC's 2018 guidance, which, among other things, recommended that issuers disclose cybersecurity incidents and risks that would be material to their investors prior to the offer and sale of securities.8 The Form 8-K would be required to include the following information, to the extent such information is known at the time of the filing:

  • when the incident was discovered and whether it is ongoing;
  • a brief description of the nature and scope of the incident;
  • whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
  • the effect of the incident on the company's operations; and
  • whether the company has remediated or is currently remediating the incident.

The trigger for an Item 1.05 Form 8-K would be the date on which a company determines that a cybersecurity incident it has experienced is material, rather than the date of discovery of the incident, in order to focus the disclosure on incidents that are material to investors. The proposed rule would not provide for a reporting delay where there is an ongoing internal or external investigation related to a material cybersecurity incident.9 Consistent with the SEC's approach to certain other Form 8-K disclosure items that require a company to make a rapid evaluation of materiality, a failure to timely report under new Item 1.05 (i) would not impact Form S-3 eligibility and (ii) would be subject to the limited safe harbor from certain public and private claims under Section 10(b) and Rule 10b-5 of the Securities Exchange Act of 1934, as amended (the "Exchange Act"), which already applies to certain Form 8-K disclosure items.10

Similar to the 2018 Guidance, the proposing release clarifies that a company would not be required to publicly disclose "specific, technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede [its] response or remediation of the incident."

Require Updates on Disclosed Cybersecurity Incidents. New Item 106(d)(1) of Regulation S-K would require companies to disclose any material changes, additions or updates to the information reportable under new Item 1.05 of Form 8-K in their quarterly report on Form 10-Q or annual report on Form 10-K, as applicable, for the period in which the material change, addition, or update occurred.11

Require Companies to Consider Whether Immaterial Incidents are Material in the Aggregate. Proposed Item 106(d)(2) of Regulation S-K would require companies to disclose, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate. Companies would be required to provide the same disclosure as in proposed new Item 1.05 of Form 8-K.


Risk Management, Strategy, and Governance Disclosure

The proposed rules would require enhanced and standardized disclosure on companies' cybersecurity risk management, strategy and governance. Specifically, the proposed rules would require disclosure of:

Cybersecurity Risk Management and Strategy. Proposed new Item 106(b) of Regulation S-K would require a company to disclose in its Form 10-K, as applicable, whether:

  • it has a cybersecurity risk assessment program and if so, provide a description of such program;
  • it engages assessors, consultants, auditors or other third parties in connection with any cybersecurity risk assessment program;
  • it has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider (including, but not limited to, those providers that have access to the company's customer and employee data), including whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers;
  • it undertakes activities to prevent, detect, and minimize the effects of cybersecurity incidents;
  • it has business continuity, contingency and recovery plans in the event of a cybersecurity incident;
  • previous cybersecurity incidents have informed changes in its governance, policies and procedures, or technologies;
  • cybersecurity-related risks and incidents have affected or are reasonably likely to affect its results of operations or financial condition and if so, how; and
  • cybersecurity risks are considered as part of its business strategy, financial planning, and capital allocation and if so, how.

Cybersecurity Governance. Proposed new Item 106(c) of Regulation S-K would require disclosure in a company's Form 10-K of its cybersecurity governance, including the board's oversight of cybersecurity risks12 and a description of management's role in assessing and managing cybersecurity-related risks and in implementing the company's cybersecurity policies, procedures and strategies.13

Board Cybersecurity Expertise. Proposed new paragraph (j) of Item 407 of Regulation S-K would require disclosure in annual reports, annual meeting proxy statements and information statements on Schedule 14C if any member of the company's board of directors has expertise in cybersecurity, including the name(s) of any such director(s) and any detail necessary to fully describe the nature of the expertise.

Proposed Item 407(j) does not define what constitutes "cybersecurity expertise." However, it does include a non-exclusive list of criteria that a company should consider in reaching a determination on whether a director has expertise in cybersecurity.

In order to alleviate liability concerns for board nominees who would qualify as cybersecurity experts, proposed Item 407(j)(2) would state that a person who is determined to have expertise in cybersecurity will not be deemed an expert for any purpose, including, without limitation, for purposes of Section 11 liability, as a result of being designated or identified as a director with expertise in cybersecurity matters pursuant to proposed Item 407(j).


Inline XBRL Tagging

The proposed amendment would require companies to tag the information specified by Item 1.05 of Form 8-K and Items 106 and 407(j) of Regulation S-K in Inline XBRL in accordance with Rule 405 of Regulation S-T and the EDGAR Filer Manual, to allow investors and other market participants "to more efficiently perform large-scale analysis and comparison of this information across [companies] and time periods."


Application to Foreign Private Issuers

Periodic Disclosure. The proposed rules would amend Form 20-F to add Item 16J, which would require a foreign private issuer ("FPI") to include in its annual report on Form 20-F the same type of disclosure as in proposed Items 106 and 407(j) of Regulation S-K. However, as FPIs are not subject to SEC rules for proxy or information statement filings, they would only be required to include this disclosure in their annual reports.

Incident Disclosure. The proposed rules would:

  • Amend Form 6-K General Instruction B to add "cybersecurity incidents" as a potential reporting event. Further, where an FPI has previously reported an incident on Form 6-K, the proposed amendments would require an update in the company's Form 20-F regarding such incidents, consistent with proposed Item 106(d)(1) of Regulation S-K.
  • Amend Form 20-F to require FPIs to disclose on an annual basis information regarding any previously undisclosed material cybersecurity incidents that have occurred during the reporting period, including a series of previously undisclosed individually immaterial cybersecurity incidents that has become material in the aggregate.


Practical Considerations

The proposed rules emphasize the SEC's focus on the area of cybersecurity, and companies should look to strengthen their disclosure controls and procedures around cybersecurity incidents consistent with the SEC's 2011 and 201814 guidance and its apparent focus in this area, as evidenced by its recent enforcement actions.

Public companies should evaluate whether to disclose material cybersecurity incidents in real time under Item 8.01 of Form 8-K, and should continue to consider their obligation to disclose and provide updates on cyber risks and incidents in annual and/or quarterly reports as they relate to their risk factors, MD&A, description of business, legal proceedings and financial statement disclosures, especially if identified cyber risks have materialized.15 Companies should also ensure that cybersecurity is within the risk management framework of the board, audit committee or another board committee. In addition, companies should consider cybersecurity expertise at the board level, including whether a particular committee should have oversight over this area. Finally, in light of the potential need to disclose detailed information about cyber-related risks in the future, companies should continue to build out cybersecurity programs that are robust, that allow for rapid investigation and remediation of material breaches, and that provide a clear reporting framework enabling the timely flow of information through the proper reporting channels.

It is likely that both the SEC and Congress will propose more regulation in the cybersecurity space. For example, on March 9, 2022 and March 10, 2022, respectively, the US House of Representatives and the US Senate passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which will require owners of critical infrastructure to report certain cyber incidents to the Cybersecurity and Infrastructure Security Agency within seventy-two hours of reasonably believing that an incident has occurred.16 Owners of critical infrastructure will also be required to report ransom payments within twenty-four hours after making such a payment.17 Companies should carefully monitor this space as it develops.


1 The proposed rules are available here.
2 See SEC Chair Gary Gensler's "Statement on Proposal for Mandatory Cybersecurity Disclosures."
3 See CF Disclosure Guidance: Topic No. 2- Cybersecurity (Oct. 13, 2011).
4 See Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release No. 33-10459 (Feb. 21, 2018) [83 FR 8166 (Feb. 26, 2018)], and our prior alert, "SEC Issues Interpretive Guidance on Public Company Cybersecurity Disclosures: Greater Engagement Required of Officers and Directors."
5 These actions come on the heels of several high-profile hacks, including the Kaseya ransomware attacks and vulnerabilities arising from the hack of SolarWinds, both of which affected businesses across the globe. The Biden Administration and Congress have also focused on cybersecurity of late, especially as to critical infrastructure. In July of last year, the President signed a national security memorandum establishing the President's Industrial Control System Cybersecurity Initiative, a voluntary, collaborative effort between the federal government and the critical infrastructure community to facilitate the deployment of technology and systems that provide threat visibility, indicators, detections, and warnings. National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (July 28, 2021), available here.
6 See SEC Charges Issuer With Cybersecurity Disclosure Controls Failures, Press Release (June 15, 2021); In re First American Financial Corporation, Order Instituting Cease-and-Desist Proceedings, Release No. 92176 (June 14, 2021) (charging a company with violating the disclosure controls and procedures provision, Rule 13a-15(a) of the Securities Exchange Act of 1934 ("Exchange Act"), for failing to ensure all available and relevant information concerning a cybersecurity vulnerability was considered for disclosure in the company's SEC filings); SEC Charges Pearson plc for Misleading Investors About Cyber Breach, Press Release (Aug. 16, 2021); In the Matter of Pearson plc, Order Instituting Cease-and-Desist Proceedings, Release No. 92676 (Aug. 16, 2021) (charging a company with violating Sections 17(a)(2) and 17(a)(3) of the Securities Act, Section 13(a) of the Exchange Act, and the disclosure controls and procedures provision, Rule 13a-15(a) of the Exchange Act, for making misleading statements concerning a data breach and failing to ensure all available and relevant information was considered for disclosure in the company's SEC filings).
7 Form 6-K General Instruction B would be similarly amended to add "cybersecurity incidents" as a potential reporting event.
8 See Commission Statement and Guidance on Public Company Cybersecurity Disclosures at 11, Release No. 33-10459 (Feb. 21, 2018) [83 FR 8166 (Feb. 26, 2018)].
9 The proposing release includes a non-exclusive list of examples of cybersecurity incidents that may, if determined by the company to be material, trigger the proposed Item 1.05 disclosure requirement: "An unauthorized incident that has compromised the confidentiality, integrity, or availability of an information asset (data, system, or network); or violated the registrant's security policies or procedures. Incidents may stem from the accidental exposure of data or from a deliberate attack to steal or alter data; [a]n unauthorized incident that caused degradation, interruption, loss of control, damage to, or loss of operational technology systems; [a]n incident in which an unauthorized party accessed, or a party exceeded authorized access, and altered, or has stolen sensitive business information, personally identifiable information, intellectual property, or information that has resulted, or may result, in a loss or liability for the registrant; [a]n incident in which a malicious actor has offered to sell or has threatened to publicly disclose sensitive company data; or [a]n incident in which a malicious actor has demanded payment to restore company data that was stolen or altered."
10 This limited safe harbor applies only to a failure to timely file a current report on Form 8-K—not to any other anti-fraud violation or failure to maintain disclosure and controls under the Exchange Act—and extends until the due date of the company's next quarterly report on Form 10-Q or annual report on Form 10-K, whichever comes first.
11 Proposed Item 106(d)(1) provides the following non-exclusive examples of the type of disclosure that should be provided, if applicable: "Any material impact of the incident on the registrant's operations and financial condition; [a]ny potential material future impacts on the registrant's operations and financial condition; [w]hether the registrant has remediated or is currently remediating the incident; and [a]ny changes in the registrant's policies and procedures as a result of the cybersecurity incident, and how the incident may have informed such changes."
12 Specifically, as it pertains to the board's oversight of cybersecurity risk, disclosure required by proposed Item 106(c)(1) would include a discussion, as applicable, of the following: "Whether the entire board, specific board members or a board committee is responsible for the oversight of cybersecurity risks; [t]he processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and [w]hether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight."
13 Specifically, Item 106(c)(2) would require disclosure including, but not limited to: "Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents, and the relevant expertise of such persons or members; [w]hether the registrant has designated a chief information security officer, or someone in a comparable position, and if so, to whom that individual reports within the registrant's organizational chart, and the relevant expertise of any such persons; [t]he processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents; and [w]hether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk."
14 See footnotes 3 and 4.
15 See Alphabet Secs. Litig., R.I., v. Alphabet, Inc., 1 F.4th 687 (9th Cir. 2021); cert. denied sub nom., 2022 US LEXIS 1338 (US March 7, 2022) (No. 21-594) (finding plaintiff shareholders adequately alleged misstatements because the company's Form 10-Q stated there were "no material changes" to its cybersecurity risk factor disclosure when the company was aware of a cybersecurity vulnerability). See our prior alert, "Time to Revisit Risk Factors in Periodic Reports."
16 Consolidated Appropriations Act of 2022, H.R. 2471, 117th Cong., Div. Y § 103 (2022).
17 Id.


White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2022 White & Case LLP