News in brief: SEC cyber risk deadline, Wells Fargo deal, 9/11 fund

September 5 marked the effective date of the mandate for publicly traded companies to notify the US SEC of a cyberattack within four days of a material cybersecurity incident. December 15 is when companies are required to notify investors.

Under the new rule, registrants must disclose material cybersecurity incidents they experience, and disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. Within the new rule, the SEC also adopted rules requiring foreign private issuers to make comparable disclosures.

In terms of reporting incidents, the rule says new Item 1.05 of Form 8-K should be incorporated and used to describe any cybersecurity incident the business determines to be material and why, noting the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.

This should happen within a four-day timeframe of the incident being deemed material by the registrant, barring any intervention by the US Attorney General for national security or public safety reasons.

If your company’s cybersecurity incident response mechanisms and materiality decision-making processes are a mix of evolving consultants and internal stakeholders – awash in an array of spreadsheets – you should consider revisiting these processes to draw up a trusted and consistent methodology that incorporates sound cybersecurity acumen, knowledge of the business’s unique risks, and careful documentation processes.

Wells Fargo deal is sealed

A New York federal judge on Friday signed off on a massive $1 billion deal between Wells Fargo and its shareholders, terminating a three-year legal battle accusing the bank of misleading investors about the progress it was making in overhauling its internal compliance program in an effort to end further scrutiny by government authorities.

The Wells Fargo sales fraud scandal came to light nearly a decade ago; from 2002 to 2016, bank employees, facing unrealistic sales goals imposed by their bosses, opened millions of accounts in customers’ names without their knowledge.

The deal finalized on Friday “demonstrates how critical institutional investors are to keeping the banking industry and securities markets honest”.
Laura Posner, partner, Cohen Milstein

Wells Fargo removed top executives and promised lawmakers and regulators it would fix the internal deficiencies that caused the scandal and other practices that put customers at risk. The shareholder plaintiffs, including some pension funds, said Wells Fargo defrauded investors by giving the false impression that it was further along in the process of tackling regulators’ orders than it had disclosed at the time.

Laura Posner, a partner at the law firm Cohen Milstein, which represented the shareholders in the case, said the deal finalized on Friday “demonstrates how critical institutional investors are to keeping the banking industry and securities markets honest”.

9/11 Victim Compensation Fund

On Monday, NY Governor Kathy Hochul signed a bill into law to notify thousands of people who may be eligible for assistance through the 9/11 Victim Compensation Fund.

The bill, known as the 9/11 Notice Act, requires businesses that operated near Ground Zero during the terror attacks on September 11, 2001, to notify employees who worked in downtown Manhattan at the time that they could be eligible for the federal benefits and health monitoring. The proposal applies to businesses that employed 50 or more people at the time, or about 360,000 people.

About half a million people who worked, lived or attended school in the Ground Zero exposure zone – which extends to Canal Street, plus the Brooklyn neighborhoods of Dumbo, Brooklyn Heights and others – were exposed to the toxic dust and have increased risk of developing acute respiratory ailments.