
SEC Delays Rulemaking on Timely Public Security Incident Breach Notification and Other Cybersecurity Considerations

Published: Jun. 28, 2023

The SEC recently announced a delay in the anticipated release of a new regulation that would require public companies to file a Form 8-K regarding material cybersecurity incidents within four days of discovering the incident. The SEC published the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure regulation (“Cybersecurity Rule”) in the Federal Register for notice and comment on March 23, 2022. The Cybersecurity Rule would amend or add to Regulations S-K and S-T, the Securities Act, and the Exchange Act. The draft Cybersecurity Rule proposed to require, among other things:

  • more timely public disclosure of cybersecurity incidents,
  • periodic disclosure of the company’s policies and procedures to identify and manage cybersecurity risks,
  • a description of management’s role in addressing the same, and
  • a description of the board of directors’ cybersecurity qualifications and expertise, and its role in oversight of cybersecurity risk.

The publication led to two rounds of notice and comment in which more than 160 individuals, organizations, and companies provided feedback. Some commentators favored the increased transparency and uniformity they expected the Cybersecurity Rule to bring. Others noted the difficulty of providing timely, accurate public disclosure so early in the incident response process. For example, Rapid7 stated that the SEC should permit an exception to the Cybersecurity Rule for “uncontained or unmitigated incidents” under certain conditions. Rapid7 also advocated for public disclosure “as soon as practicable after discovery” and called for a requirement to file a Form 8-K four days after the materiality determination under normal circumstances. Other commentators argued for additional time to report in the ordinary course. Nasdaq summarized industry concerns by noting that, if adopted, the Cybersecurity Rule (1) may interfere with a public company’s primary obligation to remediate a cybersecurity intrusion, and (2) would allow companies an exceptionally short time in which to understand the nature and scope of a cybersecurity breach, as well as its potential impact. The SEC now expects to release the final Cybersecurity Rule in October 2023. We will provide an analysis when the SEC releases the final Cybersecurity Rule.

Until then, here are some steps companies can take now to prepare:

  • Review incident response plans and playbooks to manage SEC requirements, and consider adding an SEC compliance checklist to your incident response plan.
  • Assess escalation policies within the company – will the right people be informed in time to make timely decisions?
  • Update the roster for incident response, including insurance contacts and preferred vendors.
  • Consult with securities counsel on how to make game-day materiality determinations.
  • Plan crisis communications, including templates, to avoid selective disclosures and misstatements.