Navigating New SEC Cybersecurity Disclosure Rules: Compliance and Reporting Guidelines for Companies

In late 2023, the U.S. Securities and Exchange Commission (SEC) adopted stringent cybersecurity disclosure rules, highlighting the increasing importance of transparency in addressing cyber incidents. The new rules under Item 1.05 of Form 8-K are part of a larger effort by regulators to ensure that investors are fully informed about material cybersecurity incidents that could impact a company’s operations or financial performance. As cyberattacks grow more sophisticated, the SEC’s rules aim to mitigate the risks by ensuring public companies report cyber incidents promptly and comprehensively. For legal professionals advising these companies, understanding the nuances of these rules and guiding clients through the compliance process is crucial.

Overview of New Cybersecurity Disclosure Rules

The new rules, effective from July 2023, require companies—both domestic and foreign—to disclose material cybersecurity incidents. Under Item 1.05 of Form 8-K, companies must disclose specific details of any material incident within four business days of determining its materiality. The required information includes the nature of the cyber incident, the scope and timing, and any material impact (or likely impact) on the company’s operations or finances.

Given the sensitive nature of cybersecurity incidents, one important provision allows for the delay of the 8-K filing if the U.S. Attorney General informs the company in writing that disclosure would pose a substantial risk to national security or public safety.

When to Disclose Cybersecurity Incidents

The challenge for many companies lies in determining when a cybersecurity incident becomes material. Materiality is generally interpreted as whether an event would significantly alter the total mix of information available to investors. Under the SEC’s guidelines, incidents may be deemed material if they compromise critical systems, expose customer or employee data, disrupt business operations, or lead to significant financial loss.

To comply, companies need to develop internal protocols to evaluate cybersecurity incidents as they arise and have well-defined criteria to determine whether an incident is material. A key element for law firms advising clients is to ensure that companies have a robust risk management and reporting system in place to detect and assess potential cyber threats in real-time.

New SEC C&DI Guidance on Cybersecurity Reporting

In conjunction with the adoption of these new rules, the SEC published three new Compliance and Disclosure Interpretations (C&DIs) to clarify the application of the rules:

Deadline After Denial of Delay Request: If a company requests a delay in filing the 8-K due to national security concerns but the Attorney General declines or does not respond, the company must file the 8-K within four business days of determining that the incident is material. The SEC clarified that merely requesting a delay does not relieve the company of its filing obligation.
Deadline After Expiration of Delay: If the Attorney General allows for a delay in filing but declines to extend the delay beyond the original time period, the company must file the 8-K within four business days of the expiration of the delay.
Filing After Early Termination of Delay: If the Attorney General terminates a previously approved delay (due to reduced national security concerns), the company must file the 8-K within four business days of the Attorney General’s notification.

These clarifications emphasize that companies must stay vigilant and closely monitor communication with the Attorney General and other relevant agencies when dealing with material cyber incidents that could impact national security or public safety.

Key Steps for Compliance

Given the complexity and potential legal ramifications of the SEC’s cybersecurity rules, law firms can play an integral role in helping clients navigate these requirements. Below are key steps to ensure compliance:

Establish Incident Response Teams: Companies should establish dedicated incident response teams that include cybersecurity experts, legal counsel, and compliance officers. These teams should be trained to evaluate cyber incidents rapidly and assess materiality based on the SEC’s guidelines.
Develop Risk Management Policies: Cybersecurity risk management should be integrated into broader corporate governance strategies. This includes adopting a robust cybersecurity policy that addresses both preventative measures and response protocols. Legal advisors should ensure that these policies are up to date with current regulatory expectations.
Timely Reporting and Communication: Companies must establish clear communication lines with legal counsel, the board of directors, and key stakeholders to ensure timely reporting of material cyber incidents. Filing deadlines must be adhered to strictly, with proper legal guidance regarding any delay requests.
Legal Oversight of National Security Concerns: If the company believes that disclosing a cyber incident poses a national security risk, legal counsel should immediately engage with the Attorney General’s office to request a delay. Regular communication and updates with government agencies are essential to avoid missing critical deadlines.
Board Oversight and Training: Boards of directors should receive regular training on the SEC’s cybersecurity requirements and the company’s internal response policies. Directors should be well-informed about their fiduciary responsibilities regarding cybersecurity risk and reporting obligations.

The Broader Impact of SEC’s Cybersecurity Rules

The SEC’s new rules signal an increased emphasis on corporate accountability when it comes to cybersecurity. As companies rely more heavily on digital infrastructure, the risk of cyberattacks becomes a pressing concern for both management and shareholders. These rules align with a broader regulatory trend that seeks to safeguard investors by ensuring that they have access to timely and accurate information about cyber risks that could impact a company’s value.

Law firms advising public companies must take a proactive approach to ensure that clients are not only compliant with the letter of the law but are also equipped to handle the challenges posed by the evolving cyber threat landscape. As cyberattacks become more sophisticated, so too must a company’s legal and operational response strategies.

Conclusion

With the adoption of the new SEC cybersecurity rules, the stakes for public companies have never been higher. Ensuring compliance with Form 8-K filing requirements and the SEC’s C&DIs is crucial for mitigating legal risks and protecting a company’s reputation. Law firms should guide clients in developing a comprehensive cybersecurity response plan that addresses risk management, legal reporting obligations, and communication with federal agencies.

As the SEC continues to refine its cybersecurity regulations, staying ahead of these changes will ensure that companies remain compliant while maintaining the trust of investors and regulators alike.

Gayatri GuptaOctober 2, 2024

Nasdaq Compliance

The Nasdaq Stock Market features three tiers of listed companies, namely: (1) The Nasdaq Global Select Market, (2) The Nasdaq Global Market, and (3) The Nasdaq Capital Market. These tiers are characterized by progressively stringent listing requirements, with the Nasdaq Global Select Market setting the highest standards for initial listings and the Nasdaq Capital Market serving as the entry-level tier, particularly suitable for most small-cap issuers.

To list securities on Nasdaq, a company must fulfill minimum listing requirements, encompassing defined criteria related to financial performance, liquidity, and corporate governance. Nasdaq retains extensive discretion in the listing process and reserves the right to reject an application, even if the technical prerequisites are satisfied, if it deems such denial essential to safeguard the interests of investors and the public.

After securing a listing on Nasdaq, a company is obligated to adhere to ongoing listing standards. To initiate the listing process, a company seeking inclusion on Nasdaq must diligently complete and submit a comprehensive listing application to Nasdaq. This application should include specific documents and information as outlined by Nasdaq's requirements.

Typically, the application process spans a duration of four to six weeks. Once the application is submitted, a Nasdaq analyst is designated as the primary liaison with the company. Within two to three weeks of submission, the company can expect to receive an initial comment letter. The comment and review process persists until a decision is reached on the approval or denial of the application. Similar to filing with the SEC, a meticulously prepared Nasdaq application tends to attract fewer comments and facilitates a more streamlined process. Generally, the company's securities counsel assumes a leading role, serving as the primary contact for preparing the application and engaging in communication with Nasdaq.

Similarly to the SEC review process, Nasdaq conducts a thorough examination of publicly accessible information pertaining to a company. This encompasses, but is not limited to, SEC filings, the company's website, management communications and speeches, as well as press releases. The iterative nature of the review process typically doesn't necessitate a formal protocol, and communication is commonly facilitated through email correspondence and phone calls.

Listing Criteria For Nasdaq
For a company to list its securities on Nasdaq, it must satisfy the following criteria:

Specific Initial Requirements:
- Quantitative Standards: Meeting defined thresholds for both quantitative and qualitative factors.
- Qualitative Standards: Fulfilling certain qualitative benchmarks.
Continuing Requirements:
- Quantitative Criteria: Adhering to ongoing quantitative benchmarks.
- Qualitative Criteria: Maintaining specified qualitative standards.

The initial quantitative thresholds are typically set at a higher level than those required for continued listing. This distinction aims to ensure that companies achieve a sufficient level of maturity before being listed. Additionally, Nasdaq imposes rigorous corporate governance standards that listed companies must adhere to throughout their tenure on the exchange.

Before formally submitting a comprehensive listing application, a company has the option to pursue a preliminary listing eligibility review. In this stage, the Listing Qualifications Staff conducts a thorough examination of the company's public filings to assess its compliance with numerical listing requirements. Additionally, the team evaluates the company's adherence to corporate governance requirements outlined in the Marketplace Rules ("Rules"). This preliminary review provides valuable insights into the company's eligibility for listing on Nasdaq before committing to the full application process.

Upon completion of the preliminary review, the Listing Qualifications Staff will make an assessment regarding whether the company meets the numerical listing criteria. Additionally, any corporate governance or regulatory concerns raised during this phase will be considered to determine their impact on the listing approval. It's important to note that while the preliminary review provides insights, final approval necessitates the submission of a formal listing application. This application undergoes a thorough examination by the NASDAQ Listing Qualifications Staff. Furthermore, the final approval process involves satisfactory compliance with specific qualitative reviews. This includes an examination of the regulatory history of the company's officers, directors, and significant shareholders. Meeting these criteria is integral to obtaining the final approval for listing on Nasdaq.

Financial And Liquidity Requirements

    Requirements

    Equity Standard
    Market Value of Listed Standard
    Net Income Standard

    Listing Rules

    5505(a)
and
5505(b)(1)
    5505(a)
and
5505(b)(2)
    5505(a)
and
5505(b)(3)
    
    Stockholders Equity

    	$5 million
    	$4 million
    	$4 million
    
    The market value of publicly held shares

    $15 million
    $15 million
    $
      5 million
    
    Operating History

    	Two years
    N/A
    N/A
    
    The market value of listed securities

    N/A
    $50 million
    N/A
    
    Net income from continuing operations (in the latest fiscal
a year or in two of the last three
fiscal years)

    N/A
    N/A
    $750,000
    
    Publicly held shares

    	1 million
    	1 million
    	1 million
    
    Bid Price

    	$4
    	$4
    	$4)
    
    Closing Price

    	$3
    	$2
    	$43
    
    Corporate Governance

    Yes
    Yes
    Yes
    
    Total Shareholders

    300
    300
    300

Corporate Governance Requirements

Across all three tiers of the Nasdaq Stock Market, corporate governance requirements remain largely consistent. The categories encompassing corporate governance standards include:

Distribution of Annual or Interim Reports
Independent Directors
Audit Committee
Compensation Committee
Nomination of Directors
Code of Conduct
Annual Meetings
Solicitation of Proxies
Quorum
Conflict of Interest
Shareholder Approval
Voting Rights

These governance elements play a crucial role in ensuring transparency, accountability, and ethical conduct within listed companies, irrespective of the specific tier within the Nasdaq Stock Market.

Companies seeking listing on Nasdaq must adhere to specific corporate governance standards, including the following:

Compensation Committee with Independent Directors:
- The company is required to establish a compensation committee comprised of independent directors.
- The committee must consist of at least two members.
- Rule 5605(d)(2)(A) introduces an additional independence test for compensation committee members.
Responsibility for Executive Compensation:
- The compensation committee is tasked with determining or recommending to the entire board the compensation of the chief executive officer (CEO) and all other executive officers.

These standards are designed to ensure a level of independence and scrutiny in the decision-making processes related to executive compensation within the company.

The Application And Documents

The Nasdaq application package encompasses several key components:

Symbol Reservation Form:
- Used to request the reservation of a specific trading symbol for the company.
Listing Application:
- Requires supplemental documents and details about the company's financials, operations, and other pertinent information.
Listing Agreement:
- A formal agreement outlining the terms and conditions of the listing on Nasdaq.
Corporate Governance Certification:
- A certification affirming the company's commitment to meeting Nasdaq's corporate governance standards.
Initial Application Fee:
- Payable via check or wire transfer, this fee is a prerequisite for initiating the listing process.
Logo Submission Form:
- Used for submitting the company's logo for use in Nasdaq's materials.

These application forms are completed through the Nasdaq website listing center, utilizing the online platform to facilitate the submission of supplemental and supporting documents. It is advisable to thoroughly review all required paperwork in advance, ensuring that the necessary information is readily available before initiating the application process.

Symbol Reservation Form

The symbol reservation form is a concise, one-page electronic form where applicants input information for Nasdaq's consideration. Nasdaq symbols, limited to 1-5 characters, adhere to guidelines established by the Intermarket Symbols Reservation Authority (ISRA). The ISRA system is designed to organize symbols efficiently, prevent duplication, and reduce programming and operational complexities. The ISRA operates within the framework of the NMS Symbology Plan, a plan utilized by Nasdaq.

Key details about the symbol reservation process:

Symbol Choices:
- The form allows applicants to propose three symbol choices in order of preference.
- While Nasdaq generally honors the first choice if available, it retains the authority to assign, rescind, or reassign a trading symbol at its discretion.
ISRA and Nasdaq Authority:
- The ISRA and Nasdaq have overarching authority in managing the assignment of symbols.
Additional Information:
- The form captures essential details about the issuer and the planned public offering.
- Information may include the name of the attorney, lead underwriter (if applicable), CEO and CFO names, yearly revenues, company website, and the sector in which the company operates.

Completion of this symbol reservation form initiates the process of securing a trading symbol on Nasdaq, and it's essential to provide accurate and comprehensive information to facilitate this stage of the listing application.

The Application

The Nasdaq listing application process is comprehensive and varies based on the circumstances surrounding the listing sought. There are twelve distinct listing applications catering to different situations, including changes of control, switches from other exchanges or markets, spin-offs, and initial public offerings (IPOs). Each application, spanning approximately seven pages, collects detailed information about the company, covering areas such as address, contact and billing details, securities attorney and auditor information, transfer agent particulars, and the company's officers and directors. Specific information on the company's securities, including type, par value, and cusip number, is also required.

Furthermore, the application mandates disclosure of legal proceedings involving the company, its officers or directors, or significant shareholders over the past ten years. This encompasses inquiries, investigations, lawsuits, litigation, arbitrations, and other legal and administrative proceedings. Documents supporting the backup and final disposition of these matters must be provided.

Regarding private offerings within the prior six months, including bridge financings, shelf registrations, and Regulation S offerings, the company is required to disclose such activities. Additionally, the application delves into the company's background, posing questions to ensure compliance with seasoning rules.

While Nasdaq retains the right to request relevant supporting documents, specific documents are mandatory based on the application type. For an uplisting from an existing U.S. market, the application must include letters from three market makers confirming their commitment to making a market in the subject securities. Other required documents include a listing agreement, a logo submission form, a corporate governance certification form, regulatory correspondence over the past 12 months, and shareholder confirmation documents. Nasdaq often seeks confirmation from the company's transfer agent regarding the eligibility of the security for the direct registration program (DRS).

During the review of an up listing application, Nasdaq may request additional information, such as a Broadridge share range analysis and NOBO list, a certified shareholder list, details about mitigating any going concerns or opinions, income statement and/or balance sheet projections for the next 12 months, and confirmation of Sarbanes Oxley Section 302 and 906 certifications by the company, among other inquiries related to compliance and financial matters.

The Listing Agreement

The Listing Agreement is a concise document, spanning two pages, serving as a formal affirmation of the company's commitment to adhere to all rules and regulations set forth by the Nasdaq Stock Market. It includes provisions for indemnifying and holding Nasdaq harmless from liability. Notable points in the agreement include:

Compliance Assurance:
- The company explicitly agrees to comply with all rules and regulations stipulated by the Nasdaq Stock Market.
Indemnification Clause:
- The company indemnifies Nasdaq, meaning it undertakes to compensate or reimburse Nasdaq for any losses or damages incurred. This includes harm resulting from third-party trademark infringement claims related to the company's symbol and logo, as well as Nasdaq's use of the same.
Disclaimer of Warranty and Liability:
- The agreement contains a disclaimer of warranty and liability against Nasdaq for trading issues, with the exception of those resulting from gross negligence or willful misconduct.

This agreement establishes a clear framework for the relationship between the listed company and Nasdaq, emphasizing the company's commitment to regulatory compliance while providing indemnification for certain specified matters and delineating the scope of Nasdaq's liability.

Corporate Governance Certification Form

The corporate governance certification form certifies compliance with the governance requirements related to an audit committee, director nomination process, compensation committee, board composition, executive sessions, quorum, and codes of conduct. Where an exemption applies, the form requires specification of the exemption terms. The document specifies the different rules and exceptions in a check-the-box format.

Logo Submission Form

The logo submission form contains the guidelines for the logo and affirms Nasdaq’s rights to use the same. Nasdaq uses company logos in its marketing materials, on the MarketSite Video Wall and Tower, and websites.

Fees

Entry fees are based upon the aggregate number of shares to be listed at the time of initial listing, regardless of class, with a maximum cap of $75,000. Fees are assessed on the entry date in The Nasdaq Capital Market, except for $5,000, representing a non-refundable application fee. This fee must be submitted with the company’s application.

Nasdaq does not charge application or entry fees for any securities transferred from a national securities exchange.

Benefits Of Trading On An Exchange

There are many benefits to trading on an exchange instead of the OTC Markets. The most significant benefits to a business are the ability to attract analyst coverage and institutional investors and the corresponding increase in liquidity that comes with both. Stocks that trade on Nasdaq tend to have a lower bid/offer spread — again encouraging trading volume and liquidity. Exchange-traded securities are exempt from the penny stock definition, allowing more market maker and broker-dealer participation. As further explained below, a broker-dealer cannot recommend a penny stock transaction to its retail clients. Therefore, no analysts, financial advisors, or institutional investors make recommendations for purchases of penny stocks.

As an aside, this is one of the reasons that OTC Markets created the OTCQX market tier, which does not list penny stocks. It is also why the small-cap industry is pushing for a supported valid venture exchange (for further reading.

In today’s world, depositing stock and/or trade-in non-exchange traded securities is increasingly difficult. Despite the congressional efforts and SEC rulemaking in support of small-cap capital formation (for example, the JOBS Act, including the emerging growth company regulations, new Regulation A+ and Title III Crowdfunding and the new FAST Act), through enforcement and investigative proceedings, both the SEC and FINRA continue to apply pressure on broker-dealers, clearing firms and transfer agents to reduce the secondary trading and free flow of penny stocks. For more information on difficulties in depositing stocks.

Further On Penny Stocks

NASDAQ and NYSE MKT traded securities are exempted from the definition of a “penny stock” due to the initial and ongoing listing standards. Penny stock rules focus on broker-dealers’ activity in effectuating trades in penny stocks. The Securities Enforcement Remedies and Penny Stock Reform Act of 1990 (the “Penny Stock Act”) prohibits broker-dealers from effecting transactions in penny stocks unless they comply with the requirements of Section 15(h) of the Securities Exchange Act of 1934, as amended (the “Exchange Act”). The rules promulgated thereunder, particularly Exchange Act rules 15g-1 through 15g-100 (the “penny stock rules”).

Section 15(h) of the Exchange Act provides that no broker or dealer may effectuate a customer’s purchase or sale of any penny stock unless such broker or dealer.

Approves the customer for the specific penny stock transaction and receives a written agreement to the transaction from the customer.
Furnishes the customer a risk disclosure document describing the risks of investing in penny stocks.
Discloses to the customer the current market quotation, if any, for the penny stock, including the bid and ask prices and the number of shares that apply to such bid and ask prices.
Discloses to the customer the amount of compensation the firm and its broker will receive for the trade.

In addition, after executing the sale, a broker-dealer must send its customer monthly account statements showing the market value of each penny stock held in the customer’s account.

Moreover, brokers and dealers subject to the penny stock rules are subject to additional disclosure requirements outlined in Rules 15g-2 through 15g-9. For my information on penny stocks and the rules affecting broker-dealer activity.

Securities Lawyer Blog