Long Anticipated SEC Cybersecurity Disclosure Rule Expected to be Finalized July 26

1 minute read | July.24.2023

The SEC has scheduled an open meeting on Wednesday to decide on the adoption of eagerly anticipated cybersecurity incident and governance reporting rules. If the agency adopts rules that align with what it proposed last year, the rules are likely to mandate that public companies disclose material cybersecurity incidents promptly upon identification. Additionally, they are expected to require annual disclosures about cybersecurity risk management, strategy and governance at the board and management level. We anticipate the agency will release final rules after the meeting, after which we will provide a comprehensive alert with full details. Want to watch the meeting? The SEC’s agenda has details on how to do that.

Authors

Bill Hughes Partner, Capital Markets, Technology Companies Group

San Francisco; Silicon Valley

See my bio

D:+1 415 773 5720
E: [email protected]

Practice:

Capital Markets
Technology Companies Group
Special Purpose Acquisition Companies (SPACs)

vCard

See full bio

Bill Hughes Partner

San Francisco; Silicon Valley

Bill counsels public and late-stage private companies on general corporate and transactional matters, including advising on initial public offerings, follow-on equity offerings, direct listings, investment grade debt offerings and convertible debt offerings. He also regularly advises companies on disclosure and reporting obligations under U.S. federal securities laws, corporate governance issues and stock exchange listing obligations.

Additionally, Bill advises founders and companies in connection with public listings through SPAC merger. Among other engagements, Bill represented Getaround, Inc., a connected carsharing marketplace, Clover Health Investments, Corp., a next-generation Medicare Advantage insurer, and the founders of DraftKings Inc., a digital sports entertainment and gaming company, in the respective de-SPAC transactions of those entities.

Chambers USA has ranked Bill for his expertise in Capital Markets Debt & Equity and noted that "He's a great lawyer, really technically sound."

J. T. Ho Partner, Corporate Governance, Capital Markets

San Francisco

See my bio

D:+1 415 773 5624
E: [email protected]

Practice:

Corporate Governance
Capital Markets
Compensation & Benefits
Environmental, Social & Corporate Governance (ESG)

vCard

See full bio

J. T. Ho Partner

San Francisco

J.T. counsels companies on Board and committee oversight, assessment and composition issues, developing effective shareholder engagement programs and governance-related disclosures, and helps companies to understand and consider the views of proxy advisors and institutional shareholders and other long-term stakeholders in their decision making. Recently, he has helped many companies successfully address ESG related shareholder proposals and activism campaigns and refine their disclosure controls and procedures and enterprise risk management programs to address cybersecurity and climate risk.

On the securities front, he focuses on advising clients in connection with securities offerings, proxy statements, periodic SEC reports, stock exchange listing obligations, stock repurchases and the sale and reporting of securities by insiders. He regularly counsels companies on difficult disclosure issues and provides training on disclosure best practices.

J.T. also advises on compensation committee matters and related disclosures as well as the design of cash and equity incentive plans, and has helped over a dozen companies remediate failed or low "say on pay" votes.

J.T. plays a leading role in Orrick’s ESG practice, helping companies identify and understand the risks and opportunities associated with ESG and incorporating ESG into a company’s overall business strategy and incentive plans. More recently, he has helped companies navigate the growing anti-ESG movement.

J.T. serves on the advisory board of The Corporate Counsel and hosts J.T.'s Fast Five, a monthly podcast on The Corporate Counsel where J.T. covers the five things public companies ought know each month. J.T. Ho also regularly presents on and contributes articles related to corporate governance, securities, executive compensation and ESG. He has presented at notable conferences sponsored by The Corporate Counsel, the Securities Regulation Institute, The Rock Center for Corporate Governance, the Society for Corporate Governance, the ABA, the Practical Law Institute, Compensation Standards, Practical ESG and NASPP. He is recognized as a Next Generation Partner by Legal 500, as one of the Ones to Watch® Best Lawyers in America, and was named a Rising Star by Super Lawyers in 2018, 2019, 2020, 2021 and 2022.

Aravind Swaminathan Partner, Cyber, Privacy & Data Innovation, Class Action Defense

Seattle; Boston

See my bio

Practice:

Finance Sector
Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Class Action Defense
White Collar, Investigations, Securities Litigation & Compliance
Government Investigations and Enforcement Actions
Trials
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Aravind Swaminathan Partner

Seattle; Boston

A leading cybersecurity and online safety authority, Aravind is recognized by Chambers USA in Privacy and Data Security in both Litigation and Incident Response. Clients describe him as “a very talented lawyer experienced with incident responses” and “incredibly responsive and technically savvy.”

Aravind’s deep knowledge of his clients’ business objectives and technological capabilities distinguishes him as a strategic advisor and frontline crisis responder. He advises some of the world’s leading online platforms, public and private financial institutions, tech companies, higher education institutions, and critical infrastructure providers on cybersecurity, and their obligations to monitor and remove harmful or illegal content online and root out instances of child exploitation.

He is adept at guiding companies through cybersecurity incidents, having directed more than 500 data breach investigations, including enterprise-wide network intrusions to cyberattacks with national security implications. Aravind defends clients in an array of cybersecurity and privacy class actions and regulatory enforcement actions brought by the SEC, FTC, NY DFS and State AGs, and also represents individual C-level executives in criminal and civil regulatory enforcement matters.

As a former assistant United States attorney, he investigated and prosecuted a broad array of cybercrime, child exploitation cases, digital crimes, and white-collar crime cases. This first-hand knowledge of federal agencies allows him to navigate the system, partner with investigators and find creative solutions for clients.

Aravind is a member of Orrick’s Board of Directors, and he devotes much of his free time to advising independent schools on AI, online safety, and cybersecurity, and teaching and coaching.

Joseph C Santiesteban Partner, Cyber, Privacy & Data Innovation, California Consumer Privacy Act

Seattle

See my bio

D:+1 206 839 4352
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
California Consumer Privacy Act
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Joseph C Santiesteban Partner

Seattle

He brings significant experience advising companies – from one of the largest telecommunications providers to leading entertainment companies to startups on the cutting-edge of AI and more – on the full cycle of an incident. He also advises clients regarding regulatory investigations, class actions, and contract disputes that frequently flow from privacy and cybersecurity incidents.

His goal is to help clients respond quickly and with integrity to protect their brand, build trust and mitigate legal risk. He is highly adept at directing incident investigations, analyzing potential claims and defenses, examining potential notification obligations and advising on communications strategies that build trust and engagement.

Joe is committed to using these experiences to finding creative and engaging strategies to help companies proactively prepare for an incident and mitigate cybersecurity legal risk. This includes helping to build and improve incident response programs through incident response plans, simulated incidents, threat workshops, and training. It also includes assisting clients to practically evaluate legal risk of security decisions in a variety of transactions and across the product lifecycle. He is driven by a desire to evolve what it means to be a cybersecurity lawyer in the face of rapidly evolving technologies and laws. As a leader, he strives to create spaces where people are valued and solve problems creatively and collaboratively.

He also provides strategic advice to cybersecurity companies, including those looking to push technological and defense boundaries in cyber defense, incident response, and threat intelligence. This includes helping companies maximize their security offerings by navigating the Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), and the Federal Wiretap Act, as well as state law analogs.

Joe serves on the Orrick’s Finance and Audit Committee and Pro Bono Committee. A leader and advocate for diversity and inclusion initiatives, Joseph is the co-head of the Latinx affinity group at Orrick and served as a fellow for the Leadership Counsel on Legal Diversity. He is also a member of the Washington Latino Bar Association and the Hispanic National Bar Association.

Heather Egan Partner, Cyber, Privacy & Data Innovation, Global Compliance & Regulatory

Boston

See my bio

D:+1 617 880 1830
E: [email protected]

Practice:

Technology & Innovation Sector
Finance Sector
Energy & Infrastructure Sector
Cyber, Privacy & Data Innovation
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Technology & Innovation
Fintech
Environmental, Social & Corporate Governance (ESG)
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Heather Egan Partner

Boston

Heather partners with clients to reduce the risk of privacy and security incidents. In the event of an incident, she helps companies respond, successfully guiding them through investigation, remediation, notification and any ensuing government inquiries. She provides comprehensive crisis management support and companies rely on her to manage their response to catastrophes, investigations and government probes involving conduct by employees, contractors and third parties.

To help clients navigate complicated global regulatory compliance challenges, she leads comprehensive cybersecurity and privacy assessments worldwide, vets risks in corporate transactions, conducts internal investigations stemming from data incidents, and drafts and negotiates contracts concerning data-related vendors and arrangements. She regularly counsels businesses on how to mitigate risks associated with the collection, use, retention, disclosure, transfer and disposal of personal data. Outside of the U.S., she manages teams of talented counsel around the world to deliver seamless advice for clients that operate across many jurisdictional lines, developing comprehensive privacy and cybersecurity programs that address competing regulatory regimes.

Carolyn Frantz Senior Counsel

Seattle

See my bio

Practice:

vCard

See full bio

Carolyn Frantz Senior Counsel

Seattle

A former Rhodes Scholar, Carolyn clerked for Supreme Court Justice Sandra Day O’Connor and D.C. Circuit Court of Appeals Judge David S. Tatel, before teaching at the University of Chicago Law School. She was a litigation partner at a major law firm for eight years before joining Microsoft, where she managed the company’s worldwide tax litigation until her appointment as Corporate Secretary.

As Microsoft’s Corporate Secretary, Carolyn had the opportunity to work closely with the company’s Board of Directors and senior leadership, gaining a first-hand understanding of the opportunities and challenges facing technology companies in a dynamic competitive and regulatory environment. As the head of the Corporate Legal Group, Carolyn was responsible for legal issues regarding securities law and disclosures, treasury and finance, international trade, procurement, real estate, and many other issues. Building on her extensive litigation experience, which includes managing tax disputes domestically and abroad, as well as litigating multidistrict products liability, consumer cases, and commercial contract disputes, Carolyn understands the practical challenges companies face and how those intersect with Board reporting, securities disclosures, and internal accountability. She also brings her understanding of board governance, corporate law, and ESG to select litigation matters.

Carolyn is also frequently called on to serve as a resource to new legal leaders in their roles supporting and interacting with their Boards.

Soo Hwang Of Counsel, Capital Markets, Technology Companies Group

Santa Monica

See my bio

D:+1 310 633 2821
E: [email protected]

Practice:

Capital Markets
Technology Companies Group

vCard

See full bio

Soo Hwang Of Counsel

Santa Monica

Soo counsels public and late-stage private companies on both registered and exempt offerings of securities and assists late-stage private companies as they prepare for their initial public offering. She also advises public companies on matters pertaining to corporate governance, stock exchange listing obligations and SEC reporting and disclosure obligations, including interpreting the latest rules and novel securities law issues.

Bobby Bee Practice Support Counsel, Capital Markets

New York

See my bio

D:+1 212 506 5000
E: [email protected]

Practice:

Capital Markets

vCard

See full bio

Bobby Bee Practice Support Counsel

New York

Prior to joining Orrick, he was with Lowenstein Sandler LLP from 2015 to 2022, with a practice focusing on public company governance matters and securities law compliance, including reporting and disclosure obligations under the Securities Exchange Act of 1934. He also advised companies regarding capital markets transactions including IPOs, SPACs, follow-on offerings, shelf registrations, and private placements.

Prior to Lowenstein Sandler LLP, Bobby’s experience included positions as a tax senior for Deloitte Tax LLP and a financial statement audit senior for Deloitte & Touche.

Long Anticipated SEC Cybersecurity Disclosure Rule Expected to be Finalized July 26

Also of Interest

The SEC’s Proposed Cybersecurity Disclosure Requirements: What...

The SEC's Proposed New Cybersecurity Disclosure Requirements for...

SEC Cybersecurity Disclosure Rules: Top Takeaways and Action Items...