Disclosure deadline missed
The SEC adopted cybersecurity disclosure rules in July 2023, requiring companies to disclose material incidents within four business days of determining materiality, under item 1.05 of Form 8-K. Companies can delay disclosure only if the US Attorney General determines it poses substantial national security or public safety risks.
The complaint alleges that Coupang did not receive such an exemption. The company should have filed by November 24, following its November 18 discovery of the breach, but waited until December 16.
Between discovery and disclosure, media reports prompted organizational upheaval. Park Dae-jun, CEO of Coupang’s South Korean operations, resigned December 10 after stating he would “take full responsibility for both the incident and the handling of the case.” Harold Rogers, Coupang’s general counsel and chief administrative officer, assumed the role of interim CEO of the Korean subsidiary.
