SEC Adopts Final Rules on Cybersecurity Disclosures
The SEC has adopted rules requiring companies to provide disclosure within four business days of determining that a material cybersecurity incident has occurred, and to discuss cybersecurity risk management, strategy, and governance in annual reports. Companies will be required to disclose:
- processes for assessing, identifying, and managing material risks from cybersecurity threats;
- whether any risks from current or previous cybersecurity threats have materially affected or are reasonably likely to materially affect those companies; and
- the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.
For most companies, the incident disclosure requirements take effect on December 18, 2023, with the annual report disclosures starting in 2024 for calendar-year filers. Companies are updating their cybersecurity policies and protocols to focus on disclosure controls and procedures in light of the rules and the SEC’s enforcement focus on cybersecurity matters.
Companies Adopt Protocols for Artificial Intelligence
Companies are considering the strategic impact of artificial intelligence (AI) technology and developing policies and protocols to govern employees’ AI use. Quarterly risk frameworks now include AI risk assessments and encompass disclosures about AI’s impact on cybersecurity risks, intellectual property risks, and potential limitations and costs due to AI regulation. SEC Chair Gary Gensler recently instructed the SEC Staff to consider rulemaking action on AI-related conflicts of interest and historical biases.
Federal Guidelines Prompt Review of Ephemeral Messaging
Ephemeral messaging applications automatically delete messages such as text, images, and video content. The US Department of Justice (DOJ) has issued prosecutorial guidance expecting companies to maintain the ability to preserve and access employees’ ephemeral messages and to control their use of personal devices for business. Companies are reviewing practices and policies in light of legal preservation and record-keeping requirements across different local and international jurisdictions.
Activism Preparation Gearing Up for 2024
Companies are devoting more time to preparing for activism and holistically assessing activist threats in light of company performance, board vulnerability, and shareholder engagement. The first proxy season subject to the SEC’s Universal Proxy Card (UPC) rules brought fewer activism campaigns than expected, and more campaigns settled earlier. Companies are enhancing advance notice bylaws, disclosing the individual value of each director, and engaging with advisors in activism-preparedness planning.
EU Foreign Subsidies Regulation in Effect
European M&A has become more complex after the EU’s Foreign Subsidies Regulation (FSR) went into effect on October 12, 2023. The FSR grants the European Commission (EC) the power to intervene in mergers, acquisitions, and joint venture transactions in, or investing in, the EU that have received financial contributions from non-EU countries. Notifications to the EC for transactions that meet the applicable turnover or financial contribution thresholds are required, and the EC has the power to impose structural and behavioral remedies as well as block transactions. Companies are assessing the impact and preparing their business models for the application of the FSR.
Companies Adopt Clawback Policies
The stock exchange listing standards implementing the SEC’s clawback rules became effective October 2, 2023. Companies are adopting clawback policies prior to December 1, 2023, and thinking through practical considerations, compliance, and consequences as discussed on our recent webcast.