New SEC Cybersecurity Disclosure Rules: Key Reporting Requirements and National Security Concerns

Cybersecurity continues to be a critical concern for businesses, investors, and regulators alike. In response to the growing number of cyber incidents impacting public companies, the U.S. Securities and Exchange Commission (SEC) has intensified its focus on cybersecurity disclosures. The SEC's new rules, adopted in July 2023, emphasize transparency and accountability in managing and reporting cybersecurity incidents. These rules affect both domestic and foreign companies and require timely disclosure of material cybersecurity events, as well as enhanced reporting on cybersecurity risk management, strategy, and governance.

Overview of the New Cybersecurity Disclosure Requirements

The SEC's final rules mandate that companies disclose material cybersecurity incidents in their Form 8-K filings, under Item 1.05. This new section specifies that companies must file a report within four business days after determining that a cybersecurity incident is material. The disclosure should include:

The nature of the incident (What happened? Was there data theft, operational disruption, etc.?)
The scope and timing of the incident (How widespread was it, and when did it occur?)
Material impact or the reasonably likely impact on the company (How has this affected the business, or how might it in the future?)

Companies need to closely monitor their operations and cybersecurity posture, ensuring that they identify and assess the materiality of any cyber incident promptly. This requirement ensures that investors receive timely and accurate information about incidents that could significantly affect the company’s financial standing or reputation.

Delaying Disclosures for National Security Concerns

Given the sensitive nature of cybersecurity incidents, the SEC has included provisions allowing for a delay in disclosure if certain conditions are met. Companies may delay reporting a material cybersecurity event if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety. In such cases, the Attorney General must provide written notice of this determination to the SEC.

The potential delay in disclosure includes:

An initial period of up to 30 days, with the possibility of a further 30-day extension upon request by the Attorney General.
In extraordinary cases, the disclosure can be delayed for an additional 60 days if the Attorney General determines the national security risk still exists.

It’s also worth noting that a company may delay filing Form 8-K for up to seven business days after notifying the Secret Service and FBI about a breach of customer proprietary network information (under FCC rules), with written notification to the SEC. These delay provisions provide flexibility for companies handling highly sensitive information but also set clear guidelines to prevent indefinite withholding of critical information from investors.

Understanding the SEC’s New C&DI on Cybersecurity Disclosures

To further clarify the new rules, the SEC has published three Compliance and Disclosure Interpretations (C&DIs), which address specific situations related to Form 8-K filing requirements:

Question 104B.01: If a company experiences a material cybersecurity incident and requests a delay from the Attorney General, but the Attorney General declines or fails to respond before the Form 8-K is due, the company must file the Form 8-K within four business days of determining the incident is material. Simply requesting a delay does not alter the company’s filing obligation unless the Attorney General confirms that a delay is necessary.
Question 104B.02: If the Attorney General grants a delay but does not extend the delay beyond the initial period, the company must file the Form 8-K within four business days after the expiration of the delay period.
Question 104B.03: If the Attorney General withdraws the delay before the granted period expires (by determining that disclosure no longer poses a national security or public safety risk), the company must file the Form 8-K within four business days of receiving this notification.

These interpretations provide companies with much-needed guidance on how to manage their obligations when they are handling cybersecurity incidents that involve potential risks to national security.

Impact on Governance and Risk Management Disclosures

Beyond incident reporting, the SEC’s final rules require companies to provide detailed disclosures about their cybersecurity risk management, strategy, and governance in annual reports. Specifically, companies must describe:

How they assess, identify, and manage cybersecurity risks.
How their cybersecurity risk management strategy aligns with the company’s business objectives.
The board of directors’ oversight of cybersecurity risks, including whether any board member has expertise in cybersecurity.
Management’s role in implementing cybersecurity risk controls, and the extent to which risk management responsibilities are delegated to specific individuals or committees.

This focus on governance is part of the SEC’s broader push for greater accountability at the leadership level. By requiring transparency in how companies manage and oversee cybersecurity risks, the SEC is urging companies to adopt robust governance frameworks and ensure that cybersecurity is a board-level priority.

Challenges and Best Practices for Companies

While the new rules increase transparency, they also place additional compliance burdens on companies. Here are some best practices to consider when navigating the SEC's cybersecurity disclosure requirements:

Proactively Manage Cybersecurity Risks: Companies should regularly assess and update their cybersecurity programs to mitigate risks effectively. This includes implementing preventive measures, conducting regular audits, and ensuring that both management and the board are informed about the latest cybersecurity threats.
Develop Clear Incident Response Protocols: Having an efficient incident response plan is essential. Companies should know how to identify a material incident quickly and ensure that the necessary stakeholders are engaged. Timely decision-making is crucial, particularly when considering the four-business-day window for filing Form 8-K.
Coordinate with Legal Counsel on National Security Concerns: Companies facing incidents with potential national security implications should work closely with legal counsel to navigate the complexities of delayed disclosure and ensure compliance with both SEC regulations and national security protocols.
Enhance Board Oversight: Companies should consider appointing or engaging board members with expertise in cybersecurity. Given the importance of board oversight in the SEC’s new governance rules, having the right individuals in place can bolster both compliance and the company’s overall cybersecurity posture.
Stay Informed About Evolving Cyber Threats: The landscape of cybersecurity risks is constantly evolving. Companies should continuously educate their teams on emerging threats and adjust their strategies accordingly.

Conclusion

The SEC’s new cybersecurity disclosure rules signal a significant shift in how companies are expected to manage and report cybersecurity risks. By requiring timely disclosure of material incidents, focusing on governance, and offering provisions for delayed reporting in national security cases, the SEC is raising the bar for corporate cybersecurity transparency. Companies must now be prepared not only to respond swiftly to cyber incidents but also to disclose them accurately and promptly while balancing national security concerns. Compliance with these rules will require ongoing vigilance, robust cybersecurity governance, and close collaboration with legal counsel and regulatory bodies.

Gayatri GuptaOctober 4, 2024

Nasdaq Compliance

The Nasdaq Stock Market features three tiers of listed companies, namely: (1) The Nasdaq Global Select Market, (2) The Nasdaq Global Market, and (3) The Nasdaq Capital Market. These tiers are characterized by progressively stringent listing requirements, with the Nasdaq Global Select Market setting the highest standards for initial listings and the Nasdaq Capital Market serving as the entry-level tier, particularly suitable for most small-cap issuers.

To list securities on Nasdaq, a company must fulfill minimum listing requirements, encompassing defined criteria related to financial performance, liquidity, and corporate governance. Nasdaq retains extensive discretion in the listing process and reserves the right to reject an application, even if the technical prerequisites are satisfied, if it deems such denial essential to safeguard the interests of investors and the public.

After securing a listing on Nasdaq, a company is obligated to adhere to ongoing listing standards. To initiate the listing process, a company seeking inclusion on Nasdaq must diligently complete and submit a comprehensive listing application to Nasdaq. This application should include specific documents and information as outlined by Nasdaq's requirements.

Typically, the application process spans a duration of four to six weeks. Once the application is submitted, a Nasdaq analyst is designated as the primary liaison with the company. Within two to three weeks of submission, the company can expect to receive an initial comment letter. The comment and review process persists until a decision is reached on the approval or denial of the application. Similar to filing with the SEC, a meticulously prepared Nasdaq application tends to attract fewer comments and facilitates a more streamlined process. Generally, the company's securities counsel assumes a leading role, serving as the primary contact for preparing the application and engaging in communication with Nasdaq.

Similarly to the SEC review process, Nasdaq conducts a thorough examination of publicly accessible information pertaining to a company. This encompasses, but is not limited to, SEC filings, the company's website, management communications and speeches, as well as press releases. The iterative nature of the review process typically doesn't necessitate a formal protocol, and communication is commonly facilitated through email correspondence and phone calls.

Listing Criteria For Nasdaq
For a company to list its securities on Nasdaq, it must satisfy the following criteria:

Specific Initial Requirements:
- Quantitative Standards: Meeting defined thresholds for both quantitative and qualitative factors.
- Qualitative Standards: Fulfilling certain qualitative benchmarks.
Continuing Requirements:
- Quantitative Criteria: Adhering to ongoing quantitative benchmarks.
- Qualitative Criteria: Maintaining specified qualitative standards.

The initial quantitative thresholds are typically set at a higher level than those required for continued listing. This distinction aims to ensure that companies achieve a sufficient level of maturity before being listed. Additionally, Nasdaq imposes rigorous corporate governance standards that listed companies must adhere to throughout their tenure on the exchange.

Before formally submitting a comprehensive listing application, a company has the option to pursue a preliminary listing eligibility review. In this stage, the Listing Qualifications Staff conducts a thorough examination of the company's public filings to assess its compliance with numerical listing requirements. Additionally, the team evaluates the company's adherence to corporate governance requirements outlined in the Marketplace Rules ("Rules"). This preliminary review provides valuable insights into the company's eligibility for listing on Nasdaq before committing to the full application process.

Upon completion of the preliminary review, the Listing Qualifications Staff will make an assessment regarding whether the company meets the numerical listing criteria. Additionally, any corporate governance or regulatory concerns raised during this phase will be considered to determine their impact on the listing approval. It's important to note that while the preliminary review provides insights, final approval necessitates the submission of a formal listing application. This application undergoes a thorough examination by the NASDAQ Listing Qualifications Staff. Furthermore, the final approval process involves satisfactory compliance with specific qualitative reviews. This includes an examination of the regulatory history of the company's officers, directors, and significant shareholders. Meeting these criteria is integral to obtaining the final approval for listing on Nasdaq.

Financial And Liquidity Requirements

    Requirements

    Equity Standard
    Market Value of Listed Standard
    Net Income Standard

    Listing Rules

    5505(a)
and
5505(b)(1)
    5505(a)
and
5505(b)(2)
    5505(a)
and
5505(b)(3)
    
    Stockholders Equity

    	$5 million
    	$4 million
    	$4 million
    
    The market value of publicly held shares

    $15 million
    $15 million
    $
      5 million
    
    Operating History

    	Two years
    N/A
    N/A
    
    The market value of listed securities

    N/A
    $50 million
    N/A
    
    Net income from continuing operations (in the latest fiscal
a year or in two of the last three
fiscal years)

    N/A
    N/A
    $750,000
    
    Publicly held shares

    	1 million
    	1 million
    	1 million
    
    Bid Price

    	$4
    	$4
    	$4)
    
    Closing Price

    	$3
    	$2
    	$43
    
    Corporate Governance

    Yes
    Yes
    Yes
    
    Total Shareholders

    300
    300
    300

Corporate Governance Requirements

Across all three tiers of the Nasdaq Stock Market, corporate governance requirements remain largely consistent. The categories encompassing corporate governance standards include:

Distribution of Annual or Interim Reports
Independent Directors
Audit Committee
Compensation Committee
Nomination of Directors
Code of Conduct
Annual Meetings
Solicitation of Proxies
Quorum
Conflict of Interest
Shareholder Approval
Voting Rights

These governance elements play a crucial role in ensuring transparency, accountability, and ethical conduct within listed companies, irrespective of the specific tier within the Nasdaq Stock Market.

Companies seeking listing on Nasdaq must adhere to specific corporate governance standards, including the following:

Compensation Committee with Independent Directors:
- The company is required to establish a compensation committee comprised of independent directors.
- The committee must consist of at least two members.
- Rule 5605(d)(2)(A) introduces an additional independence test for compensation committee members.
Responsibility for Executive Compensation:
- The compensation committee is tasked with determining or recommending to the entire board the compensation of the chief executive officer (CEO) and all other executive officers.

These standards are designed to ensure a level of independence and scrutiny in the decision-making processes related to executive compensation within the company.

The Application And Documents

The Nasdaq application package encompasses several key components:

Symbol Reservation Form:
- Used to request the reservation of a specific trading symbol for the company.
Listing Application:
- Requires supplemental documents and details about the company's financials, operations, and other pertinent information.
Listing Agreement:
- A formal agreement outlining the terms and conditions of the listing on Nasdaq.
Corporate Governance Certification:
- A certification affirming the company's commitment to meeting Nasdaq's corporate governance standards.
Initial Application Fee:
- Payable via check or wire transfer, this fee is a prerequisite for initiating the listing process.
Logo Submission Form:
- Used for submitting the company's logo for use in Nasdaq's materials.

These application forms are completed through the Nasdaq website listing center, utilizing the online platform to facilitate the submission of supplemental and supporting documents. It is advisable to thoroughly review all required paperwork in advance, ensuring that the necessary information is readily available before initiating the application process.

Symbol Reservation Form

The symbol reservation form is a concise, one-page electronic form where applicants input information for Nasdaq's consideration. Nasdaq symbols, limited to 1-5 characters, adhere to guidelines established by the Intermarket Symbols Reservation Authority (ISRA). The ISRA system is designed to organize symbols efficiently, prevent duplication, and reduce programming and operational complexities. The ISRA operates within the framework of the NMS Symbology Plan, a plan utilized by Nasdaq.

Key details about the symbol reservation process:

Symbol Choices:
- The form allows applicants to propose three symbol choices in order of preference.
- While Nasdaq generally honors the first choice if available, it retains the authority to assign, rescind, or reassign a trading symbol at its discretion.
ISRA and Nasdaq Authority:
- The ISRA and Nasdaq have overarching authority in managing the assignment of symbols.
Additional Information:
- The form captures essential details about the issuer and the planned public offering.
- Information may include the name of the attorney, lead underwriter (if applicable), CEO and CFO names, yearly revenues, company website, and the sector in which the company operates.

Completion of this symbol reservation form initiates the process of securing a trading symbol on Nasdaq, and it's essential to provide accurate and comprehensive information to facilitate this stage of the listing application.

The Application

The Nasdaq listing application process is comprehensive and varies based on the circumstances surrounding the listing sought. There are twelve distinct listing applications catering to different situations, including changes of control, switches from other exchanges or markets, spin-offs, and initial public offerings (IPOs). Each application, spanning approximately seven pages, collects detailed information about the company, covering areas such as address, contact and billing details, securities attorney and auditor information, transfer agent particulars, and the company's officers and directors. Specific information on the company's securities, including type, par value, and cusip number, is also required.

Furthermore, the application mandates disclosure of legal proceedings involving the company, its officers or directors, or significant shareholders over the past ten years. This encompasses inquiries, investigations, lawsuits, litigation, arbitrations, and other legal and administrative proceedings. Documents supporting the backup and final disposition of these matters must be provided.

Regarding private offerings within the prior six months, including bridge financings, shelf registrations, and Regulation S offerings, the company is required to disclose such activities. Additionally, the application delves into the company's background, posing questions to ensure compliance with seasoning rules.

While Nasdaq retains the right to request relevant supporting documents, specific documents are mandatory based on the application type. For an uplisting from an existing U.S. market, the application must include letters from three market makers confirming their commitment to making a market in the subject securities. Other required documents include a listing agreement, a logo submission form, a corporate governance certification form, regulatory correspondence over the past 12 months, and shareholder confirmation documents. Nasdaq often seeks confirmation from the company's transfer agent regarding the eligibility of the security for the direct registration program (DRS).

During the review of an up listing application, Nasdaq may request additional information, such as a Broadridge share range analysis and NOBO list, a certified shareholder list, details about mitigating any going concerns or opinions, income statement and/or balance sheet projections for the next 12 months, and confirmation of Sarbanes Oxley Section 302 and 906 certifications by the company, among other inquiries related to compliance and financial matters.

The Listing Agreement

The Listing Agreement is a concise document, spanning two pages, serving as a formal affirmation of the company's commitment to adhere to all rules and regulations set forth by the Nasdaq Stock Market. It includes provisions for indemnifying and holding Nasdaq harmless from liability. Notable points in the agreement include:

Compliance Assurance:
- The company explicitly agrees to comply with all rules and regulations stipulated by the Nasdaq Stock Market.
Indemnification Clause:
- The company indemnifies Nasdaq, meaning it undertakes to compensate or reimburse Nasdaq for any losses or damages incurred. This includes harm resulting from third-party trademark infringement claims related to the company's symbol and logo, as well as Nasdaq's use of the same.
Disclaimer of Warranty and Liability:
- The agreement contains a disclaimer of warranty and liability against Nasdaq for trading issues, with the exception of those resulting from gross negligence or willful misconduct.

This agreement establishes a clear framework for the relationship between the listed company and Nasdaq, emphasizing the company's commitment to regulatory compliance while providing indemnification for certain specified matters and delineating the scope of Nasdaq's liability.

Corporate Governance Certification Form

The corporate governance certification form certifies compliance with the governance requirements related to an audit committee, director nomination process, compensation committee, board composition, executive sessions, quorum, and codes of conduct. Where an exemption applies, the form requires specification of the exemption terms. The document specifies the different rules and exceptions in a check-the-box format.

Logo Submission Form

The logo submission form contains the guidelines for the logo and affirms Nasdaq’s rights to use the same. Nasdaq uses company logos in its marketing materials, on the MarketSite Video Wall and Tower, and websites.

Fees

Entry fees are based upon the aggregate number of shares to be listed at the time of initial listing, regardless of class, with a maximum cap of $75,000. Fees are assessed on the entry date in The Nasdaq Capital Market, except for $5,000, representing a non-refundable application fee. This fee must be submitted with the company’s application.

Nasdaq does not charge application or entry fees for any securities transferred from a national securities exchange.

Benefits Of Trading On An Exchange

There are many benefits to trading on an exchange instead of the OTC Markets. The most significant benefits to a business are the ability to attract analyst coverage and institutional investors and the corresponding increase in liquidity that comes with both. Stocks that trade on Nasdaq tend to have a lower bid/offer spread — again encouraging trading volume and liquidity. Exchange-traded securities are exempt from the penny stock definition, allowing more market maker and broker-dealer participation. As further explained below, a broker-dealer cannot recommend a penny stock transaction to its retail clients. Therefore, no analysts, financial advisors, or institutional investors make recommendations for purchases of penny stocks.

As an aside, this is one of the reasons that OTC Markets created the OTCQX market tier, which does not list penny stocks. It is also why the small-cap industry is pushing for a supported valid venture exchange (for further reading.

In today’s world, depositing stock and/or trade-in non-exchange traded securities is increasingly difficult. Despite the congressional efforts and SEC rulemaking in support of small-cap capital formation (for example, the JOBS Act, including the emerging growth company regulations, new Regulation A+ and Title III Crowdfunding and the new FAST Act), through enforcement and investigative proceedings, both the SEC and FINRA continue to apply pressure on broker-dealers, clearing firms and transfer agents to reduce the secondary trading and free flow of penny stocks. For more information on difficulties in depositing stocks.

Further On Penny Stocks

NASDAQ and NYSE MKT traded securities are exempted from the definition of a “penny stock” due to the initial and ongoing listing standards. Penny stock rules focus on broker-dealers’ activity in effectuating trades in penny stocks. The Securities Enforcement Remedies and Penny Stock Reform Act of 1990 (the “Penny Stock Act”) prohibits broker-dealers from effecting transactions in penny stocks unless they comply with the requirements of Section 15(h) of the Securities Exchange Act of 1934, as amended (the “Exchange Act”). The rules promulgated thereunder, particularly Exchange Act rules 15g-1 through 15g-100 (the “penny stock rules”).

Section 15(h) of the Exchange Act provides that no broker or dealer may effectuate a customer’s purchase or sale of any penny stock unless such broker or dealer.

Approves the customer for the specific penny stock transaction and receives a written agreement to the transaction from the customer.
Furnishes the customer a risk disclosure document describing the risks of investing in penny stocks.
Discloses to the customer the current market quotation, if any, for the penny stock, including the bid and ask prices and the number of shares that apply to such bid and ask prices.
Discloses to the customer the amount of compensation the firm and its broker will receive for the trade.

In addition, after executing the sale, a broker-dealer must send its customer monthly account statements showing the market value of each penny stock held in the customer’s account.

Moreover, brokers and dealers subject to the penny stock rules are subject to additional disclosure requirements outlined in Rules 15g-2 through 15g-9. For my information on penny stocks and the rules affecting broker-dealer activity.

Securities Lawyer Blog