Last week, the US Securities and Exchange Commission (SEC) voted 3-2 on a series of rules relating to cybersecurity disclosures, including a new requirement for public companies to publicly disclose “significant impacts” of cyber-attacks within four days. Public companies would be well-served to review the new requirements immediately and form a plan of action to address them.
The New Requirements – Current Reporting of Material Cybersecurity Incidents
Per the new requirements, public companies will have four business days to disclose a material cybersecurity incident to the SEC on Form 8-K. A material cybersecurity incident is any incident likely to have a “significant impact on the company’s business, financial condition, or operations.” Unlike other data breach notification requirements imposed at the federal or state level, this requirement sets the four-day notification window from the determination of materiality, not from discovery of the incident. In other words, a company may discover it is the victim of malware one day but still require several days, or in some instances weeks, before determining that the malware incident has a significant impact on the company’s business, financial condition, or operations. However, a company may not unreasonably delay making a materiality determination.
The narrow disclosure window is intended to provide investors with timely information relating to cybersecurity incidents that may impact investment decisions. The SEC, identifying several financial risks posed by security incidents, intends for the requirements to further protect and empower investors. Accordingly, cybersecurity disclosures required to be reported on Form 8-K within the four-day window will need to specify the following:
- nature, scope, and timing of the security incident; and
- material impact, or reasonably likely material impact, of the security incident on the company, including its financial condition and results of operations.
Guidance for Delays in Reporting Material Cybersecurity Incidents
Notification delays are possible, but only if revealing information about a cybersecurity incident would pose a “significant risk to national security or public safety.” This risk-of-harm analysis is not based on the company’s determination, but instead on the determination of the United States Attorney General. The new disclosure requirements contemplate delays of up to only 120 days, but permit the SEC to extend relief by exemptive order if deemed necessary by the Attorney General. Accordingly, companies may decide to involve federal law enforcement early in efforts to investigate cybersecurity incidents and maintain communications with the Department of Justice in order to potentially obtain a permissible delay in notice to the public.
Ransomware attacks may present unique challenges in light of the new disclosure rule. Although every cybersecurity incident is different, many ransomware attacks present an immediately ascertainable impact on operations. Companies choosing to negotiate with ransomware threat actors typically try to downplay the impact of an attack to gain leverage in negotiations, but such ploys may be undermined by public filings describing the “material” impact to investors. Accordingly, companies will need to review the terms of third-party risk management programs to ensure rapid awareness of security incidents by management and make informed decisions about ransomware response.
Updates May Be Required
In the event that certain information is not available or determined at the time of the initial public notice of a material cybersecurity incident, but subsequently becomes available or determined, an amendment to the notice must be made within four days.
No Impact on Eligibility to Use Short-Form Registration Statements
Certain companies are eligible to use short-form registration statements on Form S-3 for registration of securities, subject to being timely in their SEC reports. The new rules clearly state that the failure to timely report cybersecurity incidents will not impact Form S-3 eligibility.
The New Requirements – Annual Reporting of Risk Management, Strategy and Governance
The SEC’s new cybersecurity rules also add two new categories of disclosures for public companies to include in their annual reports on Form 10-K filed with the SEC.
The first category of new annual disclosures covers processes for assessing, identifying, and managing cybersecurity risks, including:
- whether any processes have been integrated into the company’s overall risk management system or processes and if so, how they have been integrated;
- whether the company engages assessors, consultants, auditors, or other third parties in connection with its processes; and
- whether the company has processes to oversee and identify cybersecurity risks or threats in connection with its use of third-party service providers.
Additionally, companies must describe whether and how any risks from cybersecurity threats, including those from previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect strategy, results of operations, and financial condition.
The second category of new annual disclosures covers board and management oversight. Companies will need to disclose the board’s role in overseeing cybersecurity risk, whether any committees or subcommittees have been designated with this responsibility, and how they are informed of risks. Companies will also need to disclose management’s role in the assessment and management of cybersecurity risks, including:
- the managers or committees who are responsible for the assessment and management of cybersecurity risks, and their relevant expertise described in detail;
- the processes by which managers or committees are informed of and monitor prevention, detection, mitigation, and remediation of cybersecurity incidents; and
- whether managers or committees report their findings to the board or a committee or subcommittee of the board.
Impact on Public Companies
Although the SEC has issued guidance on cybersecurity dating back to 2011, the new cybersecurity requirements signal an inclination by the SEC to mandate more uniform disclosures and scrutinize responses to cybersecurity incidents and data breaches. Failure to follow the new requirements may result in SEC enforcement actions, investor lawsuits, and reputational damage to the company. As a result, boards of directors should begin preparing for the disclosure rules today by taking the following steps:
- Board Expertise: Directors should begin establishing a degree of both specialized expertise and basic literacy with respect to cybersecurity and data governance. Board orientations and briefings from trusted third-party experts may be helpful to develop a basic understanding for all directors, but the rules require disclosure of more in-depth expertise. Boards may meet this threshold requirement by seeking directors with cybersecurity and data governance experience, as well as by highlighting relevant cyber experience in the biographies of current directors.
- Committee Development: In terms of assessing and managing cybersecurity risk, boards will benefit from developing a specific committee to manage cybersecurity oversight. Such committees should be staffed with members who have expertise in cybersecurity and will be well-suited to ask relevant questions of their technical and operational counterparts.
- Development and Refinement of Policies and Procedures: Companies should have several policies and documented procedures relating to cybersecurity, and those documents should be regularly reviewed and updated (at least annually). Although it may be tempting to purchase off-the-shelf templates, regulators often scrutinize adopted policies to ensure they make sense for a company’s information processing activities and are appropriately scalable for the size and sophistication of the organization. Companies should collaborate with legal counsel and cybersecurity professionals to develop policies addressing data classification, data mapping, information security, data governance, and incident response. Indeed, because of the tight four-day window for notification, incident response plans will likely be heavily scrutinized by regulators to confirm there is no undue delay between discovery of an incident and determination of materiality.
Key Dates
Other than smaller reporting companies, public companies must comply with current reporting of material cybersecurity incidents starting 90 days after the date of publication of the final rules in the Federal Register or December 18, 2023, whichever date is later. Smaller reporting companies have an additional 180 days to begin complying with the reporting rules, starting on the later of 270 days after the rules’ effective date or June 15, 2024. All companies must include the cybersecurity risk management, strategy, and governance disclosures in annual reports for fiscal years ending on or after December 15, 2023.
Bottom Line: Transparency and Accountability
Although headlines surrounding the SEC cybersecurity rules emphasize the four-day reporting window, companies should understand that the rule package is designed to transform how public companies approach cybersecurity. Because the rules require disclosure relating to assessment and management of threats, companies will likely experience market pressure to adopt, maintain, and describe risk-based management programs. Executives and boards of directors will also be expected to understand cybersecurity risks and management as part of oversight responsibilities. Finally, companies will be expected to adopt processes as part of incident response planning to determine and describe materiality of any cybersecurity incident (not just those that are publicly disclosed). With this in mind, companies have very little time to begin fortifying their cybersecurity and data governance programs.
If you have questions surrounding the new cybersecurity requirements for public companies, reach out to a member of Taft’s Privacy and Data Security Practice. For more information on data privacy and security regulations and other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy and Data Security mobile application.