Last month, the Securities and Exchange Commission (SEC) announced new requirements that public companies disclose material cybersecurity risks more quickly and in greater detail in addition to proactively disclosing details regarding their cybersecurity risk management practices. The rule makes clear that the SEC expects public companies to prioritize cybersecurity — and, like any new requirement, creates risks that organizations must carefully consider and be prepared to manage.
Reporting material cybersecurity incidents
On July 26, the SEC finalized its rule on public company cybersecurity risk management, governance, and incident reporting. Under the new rule, initially proposed in March 2022, companies listed on U.S. exchanges are required to disclose to investors any material cybersecurity incidents, including providing information about the nature, scope, timing and material impact or likelihood of material impact of those incidents.
A registrant is required to make such a disclosure within four days of a determination of materiality, unless the U.S. attorney general has determined — in writing — that disclosure would pose substantial risk to national security or public safety. A materiality determination is to be made “without unreasonable delay.”
The rule also requires registrants to:
Describe in quarterly and annual earnings statements their cyber risk management practices, including policies to assess, identify, and manage material risks. Where applicable, registrants are also required to disclose how these policies are integrated into their organizations’ overall risk management functions, any third parties that are engaged in connection with said policies, and any processes they have in place to audit third-party vendors that provide cybersecurity risk management services.
Disclose any risk, including previous cybersecurity incidents, that has materially affected or is reasonably likely to materially affect them.
Describe their boards’ processes for oversight of cybersecurity risk and the processes by which boards are informed of such risks, including management’s role in assessing and managing cyber risks. Organizations, however, are not required to disclose cybersecurity expertise represented on their boards.
The rule also requires foreign private issuers to make similar disclosures.
Managing cyber risk more effectively
The new requirements will begin to take effect in December 2023, with smaller companies having until June 2024 to begin compliance. The rule highlights the importance of all public companies having robust cybersecurity risk management frameworks in place. In light of the new SEC rule, companies should consider implementing the following cyber risk mitigation processes:
1. Incident response and business continuity planning. Organizations should review and revise existing incident response and business continuity plans to account for the rule’s timing and disclosure requirements. If they do not already have such plans in place, now would be a good time to create them. Testing of these plans — whether they are newly created or simply updated in light of the new SEC rule — is essential.
2. Security posture analysis. Organizations should:
a. Review their data handling practices and revise them to ensure best-in-class data handling protocols.
b. Review and evaluate third-party vendor management programs, including conducting vendor risk assessments.
c. Establish good cyber hygiene practices, including regular monitoring of security controls as well as planning and budgeting for information security improvements.
3. Governance policies. Organizations should evaluate existing policies regarding cybersecurity risk management and their oversight of the matter. And even though there is no requirement under the new rule that cybersecurity expertise be represented on boards, public companies should consider if such expertise is needed to support their evaluations and governance.
Additional public company risk considerations
In addition to taking steps to better manage cybersecurity risks and comply with the new SEC rule, public companies should also be mindful of the possibility of both shareholder litigation and SEC investigations and proceedings in the event they fail to comply.
Compliance may be a challenge for some companies, which may not yet be in a position by December to, among other things, describe their processes for identifying and managing cybersecurity threats.
Litigation could also arise against companies that find it difficult to meet the short four-day deadline for reporting incidents following the determination of their materiality. Even if an incident is deemed material and reported within four days, companies may struggle to provide the required details within that window, and may make statements that later prove to be incomplete or inaccurate.
In addition, litigation could include allegations of misstatements regarding:
Companies’ processes for assessing, identifying and managing material risks from cybersecurity threats.
Boards’ oversight of cyber-related risks and management’s role and expertise in assessing and managing material risks from cyber threats.
Both shareholder litigation and SEC actions could be costly to companies and individual board members. Shareholders appear more eager than ever to find reasons to file lawsuits alleging corporate mismanagement and breaches of fiduciary duties in the wake of any adverse event — especially if a company’s stock price is affected. The SEC has also been especially aggressive as of late.
A coordinated approach
In light of the new requirements, it’s vital that public companies work with legal, technical and insurance advisors to understand their potential exposures and build frameworks to comply with the SEC’s requirements.
To the extent public companies are looking to transfer risk to insurance policies, they should ensure that those policies — including cyber and directors and officers liability (D&O) insurance and possibly other forms of coverage — are well-coordinated. They should also work with their insurance advisors to ensure they have sufficient limits and that policy language meets their coverage expectations.