On March 9, 2022, the Securities and Exchange Commission (“SEC”) held an open meeting and proposed new cybersecurity disclosure rules for public companies by a 3-1 vote. If adopted, the new rules would impose substantial new reporting obligations with respect to material cybersecurity incidents and cybersecurity risk management, strategy, and governance for both domestic and foreign private issuers subject to the reporting requirements under the Securities Exchange Act of 1934.
The proposed rules are motivated by what the SEC staff and several commissioners characterized as shortcomings in the current disclosure regime, which they believe have led to public company cybersecurity disclosures that are inconsistent in their level of detail, timing, and placement. In proposing the rules, the SEC hopes to improve the consistency and comparability of cybersecurity disclosures among public companies. The proposal posits that investors would benefit from more timely and consistent disclosures regarding material cybersecurity incidents, due to the potential impact that such incidents can have on the financial performance or position of a company, and that investors would be able to better assess whether and how companies are managing cybersecurity risks across companies and industries.
Key Definitions
Under the proposed rules, the following key terms are defined as follows:
- “Cybersecurity incident” means an unauthorized occurrence on or conducted through a company’s information systems that jeopardizes the confidentiality, integrity, or availability of its information systems or any information residing therein. What constitutes a “cybersecurity incident” for purposes of the proposal should, according to the proposing release, be construed broadly and may result from any one or more of the following: an accidental exposure of data, a deliberate action or activity to gain unauthorized access to systems or to steal or alter data, or other system compromises or data breaches.
- “Cybersecurity threat” means any potential occurrence that may result in an unauthorized effort to adversely affect the confidentiality, integrity, or availability of a company’s information systems or any information residing therein.
- “Information systems” means information resources, owned or used by a company, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the company’s information to maintain or support the registrant’s operations.
Current Reporting on Form 8-K and Form 6-K
A central element of the proposal is the amendment of Form 8-K to add Item 1.05, which would require domestic public companies to disclose information about a cybersecurity incident within four business days after the company determines that it has experienced a material cybersecurity incident. The proposal notes that in some cases, the date of the company’s materiality determination may coincide with the date of discovery of an incident, but in other cases the materiality determination will come after the discovery date. The new disclosure would require the following information about a material cybersecurity incident, to the extent the information is known at the time of the Form 8-K filing:
- When the incident was discovered and whether it is ongoing;
- A brief description of the nature and scope of the incident;
- Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
- The effect of the incident on the registrant’s operations; and
- Whether the company has remediated or is currently remediating the incident.
A company’s materiality determination would be based on existing principles as explained by the SEC and courts over the years. The proposal includes a non-exclusive list of examples of cybersecurity incidents that may, if determined to be material, trigger the proposed Item 1.05 disclosure requirement:
- An unauthorized incident that has compromised the confidentiality, integrity, or availability of an information asset (data, system, or network), or violated the registrant’s security policies or procedures. Such incidents may stem from the accidental exposure of data or from a deliberate attack to steal or alter data;
- An unauthorized incident that caused degradation, interruption, loss of control, damage to, or loss of operational technology systems;
- An incident in which an unauthorized party accessed, or a party exceeded authorized access, and altered, or has stolen sensitive business information, personally identifiable information, intellectual property, or information that has resulted, or may result, in a loss or liability for the company;
- An incident in which a malicious actor has offered to sell or has threatened to publicly disclose sensitive company data; or,
- An incident in which a malicious actor has demanded payment to restore company data that was stolen or altered.
Failure to file a timely Form 8-K under Item 1.05 would not lead to the loss of eligibility to offer securities on Form S-3, nor would such a failure be deemed an automatic violation of the antifraud provisions of Rule 10b-5. Under the proposal, foreign private issuers not subject to reporting on Form 8-K would instead be required to furnish Form 6-K to report material cybersecurity incidents.
Disclosure about Cybersecurity Incidents in Periodic Reports
In order to balance the need for prompt and timely disclosure regarding material cybersecurity incidents with the fact that a company may not have complete information about a material cybersecurity incident at the time it determines the incident to be material, proposed Item 106(d)(1) of Regulation S-K would require companies to disclose any material changes, additions, or updates to information required to be disclosed pursuant to Item 1.05 of Form 8-K in the company’s quarterly report on Form 10-Q or annual report on Form 10-K for the period in which the material change, addition, or update occurred. According to the SEC, proposed Item 106(d)(1) provides a means for investors to receive regular updates regarding the previously reported incident when and for so long as there are material changes, additions, or updates during a given reporting period. For example, the proposing release suggests that after filing the initial Form 8-K disclosure, a company may become aware of additional material information about the scope of the incident and whether any data was stolen or altered, in which case the proposed Item 106(d)(1) disclosure requirements would allow investors to stay informed of such developments. Proposed Item 106(d)(1) lists the following non-exclusive examples of the types of disclosures that should be provided, if applicable:
- Any material impact of the incident on the company’s operations and financial condition;
- Any potential material future impacts on the company’s operations and financial condition;
- Whether the company has remediated or is currently remediating the incident; and
- Any changes in the company’s policies and procedures as a result of the cybersecurity incident, and how the incident may have informed such changes.
Additionally, the proposing release indicates that public companies would on an ongoing basis need to analyze related cybersecurity incidents for materiality, both individually and in the aggregate. Proposed Item 106(d)(2) would require disclosure when a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate. Item 106(d)(2) would require disclosure of when the incidents were discovered and whether they are ongoing; a brief description of the nature and scope of such incidents; whether any data was stolen or altered; the impact of such incidents on the registrant’s operations and the registrant’s actions; and whether the registrant has remediated or is currently remediating the incidents. The proposing release notes that while such incidents conceptually could take a variety of forms, one example requiring disclosure would be where one malicious actor engages in several smaller but continuous cyber-attacks related in time and form against the same company and collectively they are either quantitatively or qualitatively material, or both.
Disclosure Regarding Risk Management, Strategy and Governance
The proposed rules also amend Form 10-K to require disclosure around cybersecurity risk management, strategy, and governance, each as specified in Items 106(b) and 106(c) of Regulation S-K. Specifically, Proposed Item 106(b) would require public companies to disclose their policies and procedures, if any, to identify and manage cybersecurity risks and threats, including: operational risk; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy laws and other litigation and legal risk; and reputational risk. As proposed, Item 106(b) of Regulation S-K would require disclosure, as applicable, of whether:
- The company has a cybersecurity risk assessment program (and if so, the company must provide a description of such program);
- The company engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program;
- The company has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider (including, but not limited to, those providers that have access to the registrant’s customer and employee data), including whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers;
- The company undertakes activities to prevent, detect, and minimize effects of cybersecurity incidents;
- The company has business continuity, contingency, and recovery plans in the event of a cybersecurity incident;
- Previous cybersecurity incidents have informed changes in the registrant’s governance, policies and procedures, or technologies;
- Cybersecurity related risk and incidents have affected or are reasonably likely to affect the registrant’s results of operations or financial condition (and if so, how); and
- Cybersecurity risks are considered as part of the registrant’s business strategy, financial planning, and capital allocation (and if so, how).
Furthermore, proposed Item 106(c) would require disclosure of a company’s cybersecurity governance, including the board’s oversight of cybersecurity risks and a description of management’s role in assessing and managing cybersecurity risks, the relevant expertise of such management, and its role in implementing the registrant’s cybersecurity policies, procedures, and strategies. Regarding the board’s oversight of cybersecurity risk, disclosure required by proposed Item 106(c)(1) would include a discussion, as applicable, of the following:
- Whether the entire board, specific board members or a board committee is responsible for the oversight of cybersecurity risks;
- The processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and
- Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight.
Proposed Item 106(c)(2) would require a description of management’s role in assessing and managing cybersecurity-related risks and in implementing the company’s cybersecurity policies, procedures, and strategies. Under the proposal, this description would include, but not be limited to, the following information:
- Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents, and the relevant expertise of such persons or members;
- Whether the company has a designated a chief information security officer, or someone in a comparable position, and if so, to whom that individual reports within the registrant’s organizational chart, and the relevant expertise of any such persons;
- The processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents; and
- Whether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk.
Disclosure Regarding Board Cybersecurity Expertise
The proposal would also amend Item 407 of Regulation S-K by adding paragraph (j) to require disclosure in Form 10-K or the proxy statement about the cybersecurity expertise of members of the board of directors. If any member of the board has cybersecurity expertise, the company would have to disclose the names of such directors, and provide such detail as necessary to fully describe the nature of the expertise. Proposed Item 407(j) would not define what constitutes “cybersecurity expertise,” given that such expertise may cover different experiences, skills, and tasks. Instead, it would include the following non-exclusive list of criteria that a company should consider in reaching a determination on whether a director has expertise in cybersecurity:
- Whether the director has prior work experience in cybersecurity, including, for example, prior experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager, or business continuity planner;
- Whether the director has obtained a certification or degree in cybersecurity; and
- Whether the director has knowledge, skills, or other background in cybersecurity, including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling, or business continuity planning.
Proposed Item 407(j)(2) would state that a person who is determined to have expertise in cybersecurity will not be deemed an expert for any purpose, including, for purposes of Section 11 of the Securities Act of 1933, as a result of being designated or identified as a director with expertise in cybersecurity.
Disclosure by Foreign Private Issuers
Because foreign private issuers are not subject to the same filing requirements as domestic issuers, the proposal would amend Form 20-F to require a foreign private issuer to include in its annual report on Form 20-F the same type of disclosure as would be required under proposed Items 106 and 407(j) of Regulation S-K. With respect to incident disclosure, when a foreign private issuer has previously reported an incident on Form 6-K, the proposed amendments would require an update regarding such incidents, consistent with proposed Item 106(d)(1) of Regulation S-K. The proposal also seeks to amend Form 20-F to require foreign private issuers to disclose on an annual basis information regarding any previously undisclosed material cybersecurity incidents that have occurred during the reporting period, including a series of previously undisclosed individually immaterial cybersecurity incidents that has become material in the aggregate. Notably, Canadian foreign private issuers availing themselves of the multijurisdictional disclosure system would be excluded from the scope of the proposal and not be subject to prescriptive cybersecurity disclosure requirements on Form 40-F.
To enable automated extraction and analysis of the data required by the proposed rules, companies would be required to tag the information specified in the proposal using Inline XBRL. The SEC’s proposed rules are open for public comment until the later of May 9, 2022, or 30 days after publication of the proposal in the Federal Register.
- Partner
Scott brings in-depth knowledge of SEC policies, procedures and enforcement philosophy to each representation. Scott regularly advises clients across a broad sector of the economy facing sensitive reporting, compliance and ...
Search
Recent Posts
Categories
- Advertising & Marketing
- Bankruptcy
- Class Action
- Competition/Antitrust
- Consumer Protection
- Corporate Governance
- Environmental
- General
- Health Care
- Insurance
- IP
- Labor and Employment
- Mergers & Acquisitions
- Patent Infringement
- Patents
- Privacy & Cybersecurity
- Product Liability
- Real Estate
- Regulatory
- Regulatory
- Technology & E-Commerce
Tags
- 29 C.F.R. § 785.48
- 396-r
- 3D Printer
- 3D Printing
- A. Todd Brown
- A.S. Research (ASR)
- Aaron P. Simpson
- Advertisers
- Advertising
- Advertising Claims
- Advertising Idea
- Agency Guidance
- AI
- AI Interviewing Platforms
- Algorithmic Accountability Act
- Align
- Americans with Disabilities Act
- Americans with Disabilities Act (ADA)
- Andrea DeField
- Ann Marie Buerkle
- Annual Reports
- anti-aging
- Anti-Discrimination
- APEX Agreement
- Arbitration
- Arbitration Agreements
- Arizona
- Arkansas
- Arthritis
- Artificial Intelligence
- Artificial Intelligence (AI)
- Asbestos
- Assembly Bill 51 (AB 51)
- ATDS
- Australia
- Auto-renewals
- automatic telephone dialing system (ATDS)
- Automobile
- Automotive Body Parts Association (ABPA)
- Back to Work Emergency Ordinance
- biased endorsements
- Biden Administration
- Biometric Data
- Biometric Information
- Biometric Information Privacy Act (BIPA)
- BIPA
- Bitcoin
- Blockchain
- Board Diversity Disclosure
- Boards of Directors
- Bonuses
- Braille
- Branding
- Breach
- Breach of Contract
- Business Interruption Loss
- Businessowner’s Insurance
- California
- California Assembly Bill 2011
- California Employment Laws
- California Fair Employment and Housing Act
- California False Claims Act
- California Labor Code
- California Senate Bill 6
- California’s Unfair Competition Law
- CAMS
- Canada
- Cannabis
- CBD
- CBP
- CCPA
- Celebrity Endorsers
- Center for Disease Control (CDC)
- CFIUS
- CGL
- Chatbot
- Children’s Advertising
- Children’s Advertising Review Unit
- Children’s Online Privacy Protection Act (COPPA)
- China
- Christopher J. Dufek
- Christopher W. Hasbrouck
- Christy Kiely
- Class Action
- Class Actions
- Clawback
- Click-to-Cancel
- Climate Change
- clinical trials
- Collective Action
- Colorado
- Commercial General Liability
- Commercial Leasing
- Commodity Futures Trading Commission
- Compliance
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Data
- Consumer Financial Protection Bureau
- Consumer Fraud
- consumer loyalty program
- Consumer Product Safety Act
- Consumer Products
- Consumer Products Safety Commission (CPSC)
- Consumer Protection
- Consumer Review Fairness Act of 2016 (CRFA)
- Consumer Reviews
- Contamination
- Contract Law
- Controlled Substance Act
- Cookware
- COPPA
- Copyright
- Coronavirus/COVID-19
- Corp Fin
- Corporate Governance
- Corporate Reporting
- Corporate Sustainability
- Counterfeit Goods
- Counterfeit Goods Seizure Act of 2019
- CPRA
- CPSA
- CPSC
- Crack House Statute
- CRFA
- Cryptocurrency
- CSPA
- Cuba
- Currency
- Customs and Border Protection
- Cyber Coverage
- D&O
- D&O policies
- D. Andrew Quigley
- Damages
- Data Breach
- Davidson
- Deceptive Advertising
- DEI
- Delaware
- DEP
- Department of Justice
- Department of Labor
- Development Impact Fee
- Digital Assets
- digital currency
- Disclosures
- Distribution
- Division of Corporation Finance
- Dodd-Frank
- DOJ
- DOL
- Duty to Defend
- Duty to Indemnify
- e-liquid products
- Eddie Bauer
- EEOC
- Electric Vehicles
- Eleventh Circuit
- Emily Burkhardt Vicente
- Employee Rights
- Endorsement
- Endorsement Guides
- Endorsement Notice
- Endorsements
- endorser monitoring requirements
- Enforcement
- Environmental Protection Agency
- Environmental Protection Agency (EPA)
- EPA
- Epidemic
- ESG
- ESG Disclosure
- EU Regulation
- European Union
- European Unitary Patent
- EV Charging
- Exceptions
- Exclusions
- Exercise Machines
- Extended Producer Responsibility (EPR)
- FAA
- Fair Labor Standards Act
- Fair Labor Standards Act (FLSA)
- fair use
- False Advertising
- False Advertising Claims
- False Advertising Law
- False Claims Act
- Family Leave Policies
- FCC
- FCRA
- FDA
- Federal Arbitration Act (FAA)
- Federal Communications Commission
- Federal District Court
- Federal Trade Commission
- Federal Trade Commission (FTC)
- FFDCA
- FIFRA
- Fifth Circuit
- Final Rule
- Fireworks
- First Amendment
- Fixing America’s Surface Transportation (FAST) Act
- Florida
- Florida House of Representatives (HB 963) and Florida Senate (SB 1670)
- Florida Legislature
- FLSA
- FLSA/Wage & Hour
- food delivery
- Food Safety
- Form 10-K
- Formaldehyde Standards for Composite Wood Products Act of 2010
- fractional interests
- Franchise
- Frederic Chang
- Free Trials
- FTC
- FTC Act
- Gavin Newsom
- GDPR
- General Liability
- Geoffrey B. Fehling
- Georgia
- Gift Cards
- GoodRx
- Gramm-Leach-Bliley (GLB) Act
- Green
- Green Guides
- Greenhouse Gas
- Gun Safety
- Hart-Scott-Rodino
- Hart-Scott-Rodino (HSR)
- hashtag
- Hawaii
- Health Care
- Health Claims
- Hedge Fund
- HIPAA
- hoverboards
- human capital
- Human Rights
- Illinois
- Illinois Artificial Intelligence Video Interview Act (the Illinois Act)
- Illinois Biometric Information Privacy Act (BIPA)
- Indiana
- Influencer Marketing
- Infringement
- initial public offerings (IPOs)
- Injury
- Insurance
- Insurance Loss
- Insurance Provider
- Intellectual Property
- Intellectual Property Licenses in Bankruptcy Act
- Interest Rate
- International
- International Trade Commission
- International Trade Commission (ITC)
- INVISALIGN
- Iowa
- IP
- Ireland
- IT
- ITC
- iTERO
- Junk Fees
- Katherine Miller
- Kurt A. Powell
- Kurt G. Larkin
- Labeling Rules
- Labor
- Labor Code Private Attorneys General Act of 2004 (PAGA)
- Labor Organizing
- Labor Unions
- Land Use
- Landlord
- Latin America
- Lautenberg Act
- Lawsuit Reform Alliance of New York (LRANY)
- Lead
- Lease
- Legislation
- Leveraged Loans
- Liability Insurance Policy
- Liberty Insurance Corporation
- Liberty Mutual Fire Insurance Company
- LIBOR Discontinuation
- liquidity
- Litigation
- Live Chat
- Louisiana
- M&A
- Made in the USA
- Made in USA
- MagicSleeve
- Magnuson-Moss Warranty Act
- Magnuson-Moss Warranty Act (MMWA)
- Maine
- Malcolm C. Weiss
- Manufacturing
- Marketing Claims
- Maryland
- Massachusetts
- Matthew T. McLellan
- Maya M. Eckstein
- MD&A
- Medtail
- Membership cancellation
- Metaverse
- MeToo Movement
- Mexico
- Michael J. Mueller
- Michael S. Levine
- Minimum Wage
- Minnesota
- Minnesota Pollution Control Agency (MPCA)
- Misclassification
- Mislabeling
- Mission Product Holdings
- Missouri
- Mobile
- Mobile App
- Multi-Level Marketing Program (MLM)
- NAA
- NAD
- NASA
- National Advertising Division
- National Advertising Division (NAD)
- National Advertising Review Board
- National Products Inc.
- National Retail Federation
- Natural Disaster
- Nebraska
- Neil K. Gilman
- Network Outage
- Nevada
- New Jersey
- New York
- NHTSA
- NIL rights
- Ninth Circuit
- NLRA
- NLRB
- no-action request
- non-fungible token (NFT)
- North Carolina
- Obama Administration
- Occupational Safety and Health Administration (OSHA)
- Occurrence
- Office of Labor Standards Enforcement
- Ohio
- Oklahoma
- Online Cash Providers
- Online Retailer
- online reviews
- Opioids
- Oregon
- Overboarding
- Overtime
- Overtime Exemptions
- Ownership
- Packaging
- PAGA
- Pandemic
- Patent
- Patent Infringement
- Patents
- Paul T. Moura
- Pay Ratio
- pay-to-play rankings
- Penalty
- Pennsylvania
- Personal and Advertising Injury
- Personal Data
- Personal Information
- Personally Identifiable Information
- Pesticides
- PFAS
- Physical Loss or Damage
- Policy
- price gouging
- Privacy
- Privacy Guidelines
- Privacy Policy
- Privacy Protections
- Prohibition on Sale
- Property Insurance
- Property Rights
- Proposition 65
- Proxy Access
- proxy materials
- Proxy Statements
- Public Companies
- Purdue Pharma
- Randall S. Parks
- Ransomware
- real estate
- Recall
- Recalls
- Regulation
- Regulation S-K
- Restaurants
- Restrictive Covenants
- Retail
- Retail Development
- Retail Industry Leaders Association
- Retail Litigation Center
- Rounding
- Rulemaking
- Ryan A. Glasgow
- Sales Tax
- Scott H. Kimpel
- SD8 coins
- SEC
- SEC Disclosure
- Second Circuit
- Section 337
- Section 365
- Secure and Fair Enforcement Banking Act of 2019 (“SAFE Banking Act”)
- Securities
- Securities and Exchange Commission
- Securities and Exchange Commission (SEC)
- security checks
- Senate
- Senate Data Handling Report
- Sergio F. Oehninger
- Service Contract Act (SCA)
- Service Provider
- SHARE
- Shareholder
- Shareholder Proposals
- Slogan
- Smart Contracts
- Social Media
- Social Media Influencers
- Software
- South Carolina
- South Dakota
- Special purpose acquisition companies (SPACs)
- State Attorneys General
- Store Closures
- Subscription Services
- Substantiation
- Substantiation Notice
- Supplier
- Supply Chain
- Supply contracts
- Supreme Court
- Sustainability
- Syed S. Ahmad
- Synovia
- Targeted Advertising
- Tax
- TCCWNA
- TCPA
- Technology
- Telemarketing
- Telephone Consumer Protection Act
- Telephone Consumer Protection Act (TCPA)
- Tempnology LLC
- Tenant
- Tennessee
- Terms and Conditions
- Texas
- the Fair Credit Reporting Act (FCRA)
- Thomas R. Waskom
- Title VII
- tokenization
- tokens
- Toxic Chemicals
- Toxic Substances Control Act
- Toxic Substances Control Act (TSCA)
- Trade Dress
- Trademark
- Trademark Infringement
- Trademark Trial and Appeal Board (TTAB)
- TransUnion
- Travel
- Trump Administration
- TSCA
- TSCA Title VI
- U.S. Department of Justice
- U.S. Department of Labor
- U.S. Food and Drug Administration
- U.S. House of Representatives
- U.S. Patent and Trademark Office
- Umbrella Liability
- Union
- Union Organizing
- United Specialty Insurance Company
- Unmanned Aircraft
- Unruh Civil Rights Act
- UPSTO
- US Chamber of Commerce
- US Customs and Border Protection (CBP)
- US Environmental Protection Agency (EPA)
- US International Trade Commission (ITC)
- US Origin Claims
- US Patent and Trademark Office
- US Patent and Trademark Office (USPTO)
- US Supreme Court
- USDA
- USPTO
- Utah
- Varidesk
- Vermont
- Virginia
- volatile organic compound (VOC) emissions
- W. Jeffery Edwards
- Wage and Hour
- Walter J. Andrews
- Warranties
- Warranty
- Washington
- Washington DC
- Web Accessibility
- Weight Loss
- Wiretapping
- World Health Organization (WHO)
- Wyoming
- Year In Review
- Zoning Regulations
Authors
- Gary A. Abelev
- Alexander Abramenko
- Yaniel Abreu
- Syed S. Ahmad
- Nancy B. Beck, PhD, DABT
- Brandon Bell
- Fawaz A. Bham
- Michael J. “Jack” Bisceglia
- Jeremy S. Boczko
- Brian J. Bosworth
- Shannon S. Broome
- Samuel L. Brown
- Tyler P. Brown
- Melinda Brunger
- Jimmy Bui
- M. Brett Burns
- Olivia G. Bushman
- Matthew J. Calvert
- María Castellanos
- Grant H. Cokeley
- Abigail Contreras
- Alexandra B. Cunningham
- Merideth Snow Daly
- Javier De Luna
- Timothy G. Decker
- Andrea DeField
- John J. Delionado
- Stephen P. Demm
- Mayme Donohue
- Nicholas Drews
- Christopher J. Dufek
- Robert T. Dumbacher
- M. Kaylan Dunn
- Chloe Dupre
- Frederick R. Eames
- Maya M. Eckstein
- Tara L. Elgie
- Clare Ellis
- Latosha M. Ellis
- Juan C. Enjamio
- Kelly L. Faglioni
- Ozzie A. Farres
- Geoffrey B. Fehling
- Hannah Flint
- Erin F. Fonté
- Kevin E. Gaunt
- Andrew G. Geyer
- Armin Ghiam
- Neil K. Gilman
- Ryan A. Glasgow
- Tonya M. Gray
- Aidan Gross
- Elisabeth R. Gunther
- Steven M. Haas
- Kevin Hahm
- Jason W. Harbour
- Jeffrey L. Harvey
- Christopher W. Hasbrouck
- Eileen Henderson
- Gregory G. Hesse
- Kirk A. Hornbeck
- Rachel E. Hudgins
- Jamie Zysk Isani
- Nicole R. Johnson
- Roland M. Juarez
- Suzan Kern
- Jason J. Kim
- Scott H. Kimpel
- Andrew S. Koelz
- Leslie W. Kostyshak
- Perie Reiko Koyama
- Torsten M. Kracht
- Brad Kuntz
- Kurt G. Larkin
- Tyler S. Laughinghouse
- Matthew Z. Leopold
- Michael S. Levine
- Ashley Lewis
- Abigail M. Lyle
- Maeve Malik
- Phyllis H. Marcus
- Eric R. Markus
- Brandon Marvisi
- John Gary Maynard, III
- Aubrianna L. Mierow
- Gray Moeller
- Reilly C. Moore
- Michael D. Morfey
- Ann Marie Mortimer
- Michael J. Mueller
- J. Drei Munar
- Marcus E. Nelson
- Matthew Nigriny
- Justin F. Paget
- Christopher M. Pardo
- Randall S. Parks
- Katherine C. Pickens
- Gregory L. Porter
- Kurt A. Powell
- Robert T. Quackenboss
- D. Andrew Quigley
- Michael Reed
- Shawn Patrick Regan
- Jonathan D. Reichman
- Kelli Regan Rice
- Patrick L. Robson
- Amber M. Rogers
- Natalia San Juan
- Katherine P. Sandberg
- Arthur E. Schmalz
- Daniel G. Shanley
- Madison W. Sherrill
- Kevin V. Small
- J.R. Smith
- Bennett Sooy
- Daniel Stefany
- Katherine Tanzola
- Javaneh S. Tarter
- Jessica N. Vara
- Emily Burkhardt Vicente
- Mark R. Vowell
- Gregory R. Wall
- Thomas R. Waskom
- Malcolm C. Weiss
- Holly H. Williamson
- Samuel Wolff
- Steven L. Wood
- Jingyi “Alice” Yao
- Jessica G. Yeshman