On July 26, the Securities and Exchange Commission (“SEC”) adopted final rules demanding new cybersecurity requirements for all public companies. These new rules stem from a March 2022 proposal that—in the SEC’s view—attempts to correct for underreporting (and late reporting) of material cybersecurity incidents. The SEC’s proposal underwent public comment, and last month, the SEC announced a delay in issuing the final rules. Chair Gary Gensler indicated that the final rules should aid in transparency, consistency, and promptness in providing information to the public about cybersecurity.
While these are significant changes to public company disclosure rules, substantively the final rules largely implement informal guidance issued by the SEC in 2011 and 2018 describing how the SEC’s general disclosure requirements apply to cybersecurity incidents and risks. Specifically, the new rules require:
- Public disclosure of cybersecurity incidents within four business days of determining that a material incident has occurred;
- Periodic disclosure of the company’s policies and procedures to identify and manage cybersecurity risks;
- A description of management’s role in addressing the same; and
- A description of the board of directors’ role in oversight of cybersecurity risk and management’s role and expertise in assessing material risks.
The final rule includes several changes from the proposed rule issued last year while retaining the four business day reporting obligation.
First, the SEC narrowed the amount of information required to be disclosed about a cyber incident in recognition that its proposed disclosure requirements might prove burdensome to a company that was in the midst of managing an ongoing incident (and could exacerbate the incident by revealing material that could undermine sensitive containment and remediation efforts). The initial proposal would have required companies to disclose: when the incident was discovered and whether it is ongoing; a brief description of the nature and scope of the incident; whether any data was stolen, altered, accessed, or used for any other unauthorized purpose; the effect of the incident on the registrant’s operations; and whether the registrant has remediated or is currently remediating the incident. The final rules are more straightforward—though perhaps more open to interpretation—requiring the registrant to “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.”
Second, the SEC will allow companies to delay public notification of material cyber incidents if the U.S. Attorney General determines immediate disclosure would pose a substantial risk to national security or public safety. While working with law enforcement is often advantageous to victims of ongoing cyber incidents, it is doubtful that a company could report an incident to the FBI, obtain assistance in managing the incident, and receive a prompt formal determination from the Attorney General. In practice, this limited exception will likely be satisfied only when the U.S. government discloses an ongoing incident to the company in the first place. It is also noteworthy that the Attorney General is the only source of this extension, cutting out other agencies, such as CISA, that are frequently involved in assisting during a cyber incident. The SEC acknowledges, however, that the Attorney General may consider other federal or law enforcement agency findings.
And third, the final rule does not include the proposal to require companies to disclose immaterial cyber incidents that, when considered together, become material. The SEC’s proposal would have required disclosures where “a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate.” This proposal may have proven impossible to implement, as immaterial incidents occur in significant numbers, are difficult to track, and are tremendously varied in scope and impact, making it challenging to decide when the totality of such incidents has become material.
The new rules take effect 30 days after publication in the Federal Register. In order to comply, companies should:
- Review incident response plans and playbooks to address SEC requirements, and consider adding an SEC compliance checklist to your Incident Response Plan.
- Assess escalation policies within the company – Will the right people be informed to facilitate timely decision-making?
- Update the roster for incident response, including insurance contacts and preferred vendors.
- Consult with securities counsel on how to make game-day materiality determinations. The final rules do provide some commentary regarding materiality determinations, but no precise prescriptive guidance.
- Plan crisis communications, including templates, to avoid selective disclosures and misstatements.
ZwillGen’s experienced team of cybersecurity attorneys can help companies with updating plans and procedures, coordinating with securities counsel, and managing many aspects of incident response.
