Davis Polk partner Robert Cohen was quoted in Cybersecurity Law Report on the SEC’s proposed rules to require companies to disclose more details on cyber efforts and to reveal significant incidents in 8-K filings. Robert said, “Most public companies and practitioners have experienced that the vast majority, or a very high percentage, of incidents they see are not material from a financial reporting perspective. A central focus during incident response when it comes to notice is the state and consumer protection requirements. Those are precise notice requirements [with a few familiar components.] The SEC materiality requirement can be more complicated.”

Robert continued, “It is important to be able to show after the fact what process the company used and why it was reasonable, and also that you had the right people involved, the right amount of resources [invested] and the right structure.”

SEC Cyber Rules: How to Prepare for the New 8-K Incident Mandate,” Cybersecurity Law Report (August 10, 2022)