Photo of Daniel L. Zelenko

Daniel L. Zelenko

Subscribe to Daniel L. Zelenko's Posts

Daniel L. Zelenko is a partner in the New York office of Crowell & Moring and serves as co-chair of the firm’s nationally recognized White Collar & Regulatory Enforcement Group. Dan is a former federal prosecutor and senior enforcement lawyer at the U.S. Securities and Exchange Commission (SEC). He has been recognized as a leader in the white collar and regulatory enforcement bar by Chambers USA since 2016 and is held in high regard for his U.S. Department of Justice (DOJ) and SEC experience and his antitrust and securities enforcement experience. Chambers USA described Dan as a “tremendous talent” who “tries cases really impressively before the government," noting that he “is a very effective advocate who sees the whole picture," is "thoroughly knowledgeable about the legal and regulatory landscape," and that "he knows his way around the street, and knows how to work with people in difficult situations." Dan has been quoted as a leading authority on white collar defense and government investigations in numerous media outlets including The Wall Street Journal, The New York Times, Bloomberg and Reuters and has appeared on CNN.

Contact:Read more about Daniel L. Zelenko

The U.S. Securities and Exchange Commission (“SEC”) adopted a final rule on July 26, 2023 that requires public companies to disclose material cybersecurity incidents under new Item 1.05 of Form 8-K. Since its adoption, public companies have faced practical challenges in determining whether and when a cybersecurity incident warrants disclosure under Item 1.05.

On May 21, 2024, roughly six months after the final rule’s effective date, Erik Gerding, Director of the SEC’s Division of Corporation Finance, issued a statement signaling that public companies should consider disclosing incidents in a different fashion under a Form 8-K.  Specific points of note:Continue Reading SEC “Encourages” Public Companies to Disclose “Immaterial” Cybersecurity Incidents Under Item 8.01 of Form 8-K

Public companies now have a pathway to request a delay in their cybersecurity incident disclosure to the U.S. Securities and Exchange Commission (“SEC”). On December 6, 2023, the Federal Bureau of Investigation (“FBI”) Cyber Division published the “Cyber Victim Requests to Delay Securities and Exchange Commission Public Disclosure Policy Notice” (the “Policy Notice”) in response to the SEC’s finalized disclosure rules (the “Final Rules”). Published on July 26, 2023, the Final Rules established guidelines around cybersecurity risk management, strategy, governance, and incidents for public companies subject to the Securities Exchange Act of 1934. Among several requirements under the Final Rules, companies are required to disclose cybersecurity incidents within four days of a materiality determination by filing an SEC Form 8-K.Continue Reading FBI Offers Pathway to Request Delay of SEC Cybersecurity Incident Disclosures

On October 30, 2023, the Securities and Exchange Commission (the “SEC”) filed a civil lawsuit charging SolarWinds Corporation (“SolarWinds” or the “Company”) and its chief information security officer, Timothy G. Brown (“Brown”), with securities fraud, internal controls failures, misleading investors about cyber risk, and disclosure controls failures, among other violations.  The SEC’s claims arise from allegedly known cybersecurity risks and vulnerabilities at SolarWinds associated with the SUNBURST cyberattack that occurred between 2018 and 2021.Continue Reading Uncharted Territory: The SEC Sues SolarWinds and its CISO for Securities Laws Violations in Connection with SUNBURST Cyberattack

On July 26, 2023, the SEC finalized long-awaited disclosure rules (the “Final Rules”) regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.  While the end results are substantially similar to rules proposed by the SEC in March 2022, there are some key distinctions. Continue Reading Five Key Takeaways from the SEC’s Final Cybersecurity Rules for Public Companies

Concluding its investigation into the internal accounting controls of nine public issuers who were recent cyber fraud victims, the Securities and Exchange Commission (“SEC”), Division of Enforcement explicitly reminded issuers to consider cyber-related threats in developing and deploying their Section 13(b)(2)(B) internal accounting controls.

The SEC emphasized the importance of tailoring internal accounting controls to cyber-related threats, noting that cyber frauds like those carried out in the nine cases it investigated have caused “over $5 billion in losses since 2013, with an additional $675 million in adjusted losses in 2017.”
Continue Reading SEC Encourages Internal Accounting Controls to Guard Against Cyber Fraud