Tag Archives: Benjamin R. Pedersen

SEC Releases New Guidance on Material Cybersecurity Incident Disclosure

by Eric T. JuergensErez LiebermannBenjamin R. Pedersen, Paul M. Rodel, Anna Moody, Kelly Donoghue, and John Jacob

Photos of authors.

Top left to right: Eric T. Juergens, Erez Liebermann, Benjamin R. Pedersen, and Paul M. Rodel. Bottom left to right: Anna Moody, Kelly Donoghue, and John Jacob. (Photos courtesy of Debevoise & Plimpton LLP)

On June 24, 2024, the staff of the Division of Corporation Finance of the Securities and Exchange Commission (the “SEC”) released five new Compliance & Disclosure Interpretations (“C&DIs”) relating to the disclosure of material cybersecurity incidents under Item 1.05 of Form 8-K. A summary of the updates is below, followed by the full text of the new C&DIs.  While the fact patterns underlying the new C&DIs focus on ransomware, issuers should consider the guidance generally in analyzing disclosure obligations for cybersecurity events.

Continue reading

Incident Response Plans Are Now Accounting Controls? SEC Brings First-Ever Settled Cybersecurity Internal Controls Charges

by Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, Erez Liebermann, Benjamin R. Pedersen, Julie M. Riewe, Matt Kelly, and Anna Moody

Photos of the authors

Top left to right: Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky and Erez Liebermann. Bottom left to right: Benjamin R. Pedersen, Julie M. Riewe, Matt Kelly and Anna Moody. (Photos courtesy of Debevoise & Plimpton LLP)

In an unprecedented settlement, on June 18, 2024, the U.S. Securities & Exchange Commission (the “SEC”) announced that communications and marketing provider R.R. Donnelley & Sons Co. (“RRD”) agreed to pay approximately $2.1 million to resolve charges arising out of its response to a 2021 ransomware attack. According to the SEC, RRD’s response to the attack revealed deficiencies in its cybersecurity policies and procedures and related disclosure controls. Specifically, in addition to asserting that RRD had failed to gather and review information about the incident for potential disclosure on a timely basis, the SEC alleged that RRD had failed to implement a “system of cybersecurity-related internal accounting controls” to provide reasonable assurances that access to the company’s assets—namely, its information technology systems and networks—was permitted only with management’s authorization. In particular, the SEC alleged that RRD failed to properly instruct the firm responsible for managing its cybersecurity alerts on how to prioritize such alerts, and then failed to act upon the incoming alerts from this firm.

Continue reading

Supreme Court Holds That “Pure Omissions” Are Not Actionable Under Rule 10b-5(b)

by Elliot Greenfield, Matthew E. Kaplan, Maeve O’ConnorBenjamin R. PedersenJonathan R. TuttleAnna MoodyBrandon Fetzer, and Mark D. Flinn

Top left to right: Elliot Greenfield, Matthew E. Kaplan, Maeve O’Connor, and Benjamin R. Pedersen.
Bottom left to right: Jonathan R. Tuttle, Anna Moody, Brandon Fetzer, and Mark D. Flinn. (Photos courtesy of Debevoise & Plimpton LLP).

On April 12, 2024, in a highly anticipated decision, the Supreme Court held in Macquarie Infrastructure Corp. v. Moab Partners, L.P.[1] that pure omissions are not actionable in private litigation under Rule 10b-5(b). Resolving a circuit split, the Court held that Rule 10b-5(b) does not support a “pure omissions” theory based on an alleged failure to disclose material information required by Item 303 of SEC Regulation S-K (Management’s discussion and analysis of financial condition and results of operations, or MD&A). Instead, a “failure to disclose information required by [MD&A] can support a Rule 10b-5(b) claim only if the omission renders affirmative statements made misleading.”[2] While the decision arose in the context of Item 303, which requires disclosure of “known trends and uncertainties” that have had or are “reasonably likely” to have a material impact on net sales, revenues or income from continuing operations,[3] the decision stands for the broader principle that Rule 10b-5(b) does not support pure omissions theories based on alleged violation of any disclosure requirement. Such claims remain viable, however, under Section 11 of the Securities Act of 1933. This ruling provides welcome clarity to issuers and eliminates the risk of pure-omission claims under Rule 10b-5(b) based on the judgment-based requirements of MD&A.

Continue reading

100 Days of Cybersecurity Incident Reporting on Form 8-K: Lessons Learned

by Charu A. Chandrasekhar, Erez Liebermann, Benjamin R. Pedersen, Paul M. Rodel, Matt Kelly, Anna Moody, John Jacob, and Kelly Donoghue

Photos of authors

Top (left to right): Charu A. Chandrasekhar, Erez Liebermann, Benjamin R. Pedersen, and Paul M. Rodel
Bottom (left to right): Matt Kelly, Anna Moody, John Jacob, and Kelly Donoghue (photos of courtesy of Debevoise & Plimpton LLP)

On December 18, 2023, the Securities and Exchange Commission’s (the “SEC”) rule requiring disclosure of material cybersecurity incidents became effective. To date, 11 companies have reported a cybersecurity incident under the new Item 1.05 of Form 8-K (“Item 1.05”).[1]

After the first 100 days of mandatory cybersecurity incident reporting, we examine the early results of the SEC’s new disclosure requirement.

Continue reading

SEC Issues Long-Awaited Climate-Related Disclosure Rule

by Eric T. Juergens, Benjamin R. Pedersen, Paul M. Rodel, Kristin A. Snyder, Caroline N. Swett, Ulysses Smith, Michael Keene, Mie Morikubo, Michael Pan, Amy Pereira, and Maayan G. Stein

photos of authors

Top left to right: Eric T. Juergens, Benjamin R. Pedersen, Paul M. Rodel, Kristin A. Snyder, Caroline N. Swett, and Ulysses Smith. Bottom left to right: Michael Keene, Mie Morikubo, Michael Pan, Amy Pereira, and Maayan G. Stein. (Photos courtesy of Debevoise & Plimpton LLP).

On March 6, 2024, the U.S. Securities and Exchange Commission (“SEC”) adopted a long-awaited final rule, The Enhancement and Standardization of Climate-Related Disclosures for Investors, which will require registrants, including foreign private issuers (“FPIs”),[1] to disclose extensive climate-related information in their registration statements and periodic reports (the “Final Rule”). The Final Rule is intended to facilitate the disclosure of “complete and decision-useful information about the impacts of climate-related risks on registrants” and to improve “the consistency, comparability, and reliability of climate-related information for investors.” The Final Rule constitutes one of the most significant changes ever to SEC disclosure requirements, and is expected to face legal challenges. The Final Rule is available here and the accompanying fact sheet is available here.

Continue reading

Hackers Turned Whistleblowers: SEC Cybersecurity Rules Weaponized Over Ransom Threat

by Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Matthew E. Kaplan, Erez Liebermann, Benjamin R. Pedersen, Steven J. Slutzky, Jonathan R. Tuttle, Matt Kelly, and Kelly Donoghue

Top left to right: Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Matthew E. Kaplan, and Erez Liebermann
Bottom left to right: Benjamin R. Pedersen, Steven J. Slutzky, Jonathan R. Tuttle, Matt Kelly, and Kelly Donoghue (Photos courtesy of Debevoise & Plimpton LLP)

On November 7, 2023, the profilic ransomware group AlphV (a/k/a “BlackCat”) reportedly breached software company MeridianLink’s information systems, exfiltrated data and demanded payment in exchange for not publicly releasing the stolen data. While this type of cybersecurity incident has become increasingly common, the threat actor’s next move was less predictable. AlphV filed a whistleblower tip with the U.S. Securities and Exchange Commission (the “SEC”) against its victim for failing to publicly disclose the cybersecurity incident. AlphV wrote in its complaint[1]:

We want to bring to your attention a concerning issue regarding MeridianLink’s compliance with the recently adopted cybersecurity incident disclosure rules. It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules.

As we have previously reported, the SEC adopted final rules mandating disclosure of cybersecurity risk, strategy and governance, as well as material cybersecurity incidents. This includes new Item 1.05 of Form 8-K, which, beginning December 18,­ will require registrants to disclose certain information about a material cybersecurity incident within four business days of determining that a cybersecurity incident it has experienced is material. Though AlphV jumped the gun on the applicability of new Item 1.05, its familiarity with, and exploitation of their target’s public disclosure obligations is a further escalation in a steadily increasing trend of pressure tactics by leading ransom groups.

Continue reading

SEC Adopts New Cybersecurity Rules for Issuers – Part 2 Key Takeaways

by Charu A. Chandrasekhar, Avi Gesser, Matthew E. Kaplan, Erez Liebermann, Benjamin R. Pedersen, Paul M. Rodel, Steven J. Slutzky, Matt Kelly, Kelly Donoghue, Chris Duff, John Jacob, Amy Pereira, Ned Terrace, Luke Dembosky, and Mengyi Xu

Photos of the authors

Top left to right: Charu A. Chandrasekhar, Avi Gesser, Matthew E. Kaplan, Erez Liebermann, Benjamin R. Pedersen, Paul M. Rodel, Steven J. Slutzky, and Matt Kelly.
Bottom left to right: Kelly Donoghue, Chris Duff, John Jacob, Amy Pereira, Ned Terrace, Luke Dembosky, and Mengyi Xu.
(Photos courtesy of Debevoise & Plimpton LLP)

On July 26, 2023, the SEC adopted long-anticipated final rules on cybersecurity risk management, strategy, governance and incident disclosure for issuers (“Final Rules”). We summarized the key obligations under the Final Rules, and changes from the Proposing Release,[1] in our July 27, 2023 update. In this companion update, we discuss key takeaways across three areas for issuers to consider:

Continue reading

SEC Adopts New Cybersecurity Rules for Issuers

by Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Matthew E. Kaplan, Erez Liebermann, Benjamin R. Pedersen, Paul M. Rodel, Steven J. Slutzky, Matt Kelly, Kelly Donoghue, John Jacob, Amy Pereira, Mengyi Xu, and Chris Duff 

Photos of the authors

Top left to right: Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Matthew E. Kaplan, Erez Liebermann, Benjamin R. Pedersen, and Paul M. Rodel.
Bottom left to right: Steven J. Slutzky, Matt Kelly, Kelly Donoghue, John Jacob, Amy Pereira, Mengyi Xu, and Chris Duff.
(photos courtesy of authors)

On July 26, 2023, the SEC adopted the long-anticipated final rules on cybersecurity risk management, strategy, governance, and incident disclosure for issuers. The new rules are part of the SEC’s larger efforts focused on cybersecurity regulation with a growing universe of rules aimed at different types of SEC registrants, including: (i) its proposed cybersecurity rules for registered investment advisers and funds and market entities, including broker-dealers, (ii) its proposed amendments to Reg S-P and Reg SCI and (iii) existing cybersecurity obligations under SEC regulations, including Reg S-P, Reg S-ID, and the recently amended Form PF.

Continue reading