They’re here. No, not poltergeists. Just the Securities and Exchange Commission’s new cyber disclosure rules. While implementing them will be challenging, and new, serious risks will emerge, the rules are now final and public companies will have to deal with them.
The SEC’s proposed and final cyber disclosure rules are animated by the SEC’s belief that investors need a lot more information about cyber risks and cyber breaches than what they have been getting.
It’s worth reading the final rules release, which is well written. While many of us will not agree with the SEC’s reasoning in all cases, it’s very helpful that the SEC articulated its thinking so clearly.
In a piece of good news, the SEC took some suggestions on its new cyber disclosure rules from the more than 150 comment letters it received.
Nevertheless, the final rules remain a serious and prescriptive expansion of the prior disclosure regimes. Numerous law firms have published excellent memoranda that detail the new rules, including Cooley, Fenwick, Gibson, Goodwin, Jenner, Skadden, and Wilson Sonsini.
Details are important. This article, however, will focus on framing the big-picture items that public company directors and officers (including of foreign filers) need to understand to manage and oversee the new disclosure requirements.
I will also discuss D&O liability risk concerns and steps to take to mitigate these risks.
The SEC’s New Cyber Disclosure Rules
The SEC’s new cyber rules fall broadly into three disclosure categories:
- Risk Management and Strategy
- Governance
- Incident Reporting
Without a doubt, the last category, incident reporting, is the most challenging when it comes to balancing good disclosure with D&O litigation concerns.
Risk Management Strategy
The new rules stop short of asking companies to disclose specific details of their plans to thwart cyber incidents lest doing so provide a map for bad actors.
Instead, the SEC believes investors need to understand processes “for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.”
The SEC asserts that the rule is not prescriptive as to what specific processes a company should have: There is a materiality qualifier and the SEC elected not to include a list of enumerated categories (e.g., privacy law violations, intellectual property theft, etc.). Rather, its intention is for the disclosure to match the company’s view of its own material risks.
The SEC, however, did include a non-exclusive list of required disclosure items and uses the fig leaf of disclosure to pretend it is not being prescriptive about processes. For example, the SEC now requires that companies describe “whether and how”:
- Cyber risk management has been integrated into the rest of a company’s risk management process
- The company has processes to oversee and identify cyber risks stemming from its use of third-party providers
- The company relies on third parties in connection with any of its relevant processes.
No company would say “No, we are not doing any of these things,” which effectively makes at least the first two bullets mandatory for public companies.
The SEC has also adopted a “have you learned your lesson” disclosure requirement: Companies must now disclose whether and how they have been materially affected (e.g., in their business strategy, results of operations, financial condition, or otherwise) by cyber risks, including previous cybersecurity incidents.
Note: This disclosure is clearly intended to include a company’s own cybersecurity incidents. It could be read, however, as also asking for disclosure about whether cyber incidents that impacted other companies have materially affected one’s own company.
Governance
The new rules ask for two levels of governance disclosure: board oversight of cyber risk and management’s role in “assessing and managing” material cyber risks.
Board oversight: Concerning board disclosure, in a piece of good news, the SEC was persuaded not to require that companies disclose the cyber expertise of specific board members:
We are persuaded that effective cybersecurity processes are designed and administered largely at the management level, and that directors with broad-based skills in risk management and strategy often effectively oversee management’s efforts without specific subject matter expertise, as they do with other sophisticated technical matters.
The SEC also observed that board cyber expertise may not be material for all companies. However, there is no doubt that some companies will choose to disclose this expertise.
Boards will have to describe their oversight of cyber threats, including whether the laboring oar for overseeing this risk is held by the full board or a committee of the board.
In addition, the SEC now requires that the board disclose the process by which it (or the relevant committee) informs itself of cyber threats.
Management’s role: The required disclosure of management’s role when it comes to assessing and managing material cyber risk is more extensive. The SEC believes investors need to know which particular officers or committees are doing the work, and the cyber expertise of those parties.
Required disclosure now also includes the process by which those charged with assessing and managing cyber risk “are informed about and monitor the prevention, detection, mitigation and remediation” of cyber incidents.
Finally, companies must disclose whether these risks are reported to the full board or a committee of the board.
Incident Reporting
When it comes to the initial reporting of a cybersecurity incident, the SEC has, helpfully, largely aligned its new rules with normal Form 8-K (Form 6-K for foreign filers) filing for material updates.
Specifically, the new rule is that a company must disclose cybersecurity incidents by filing an Item 1.05 Form 8-K within four business days of determining that the incident was material.
Mindful of the games some might consider playing, the SEC requires that materiality determinations be made “without unreasonable delay” and provides some examples of what it would consider unreasonable.
For example, intentionally delaying the normal cadence of the meeting of the committee that determines materiality or changing existing incident response policies to add time to the process would “constitute an unreasonable delay.”
What about situations in which the SEC’s new rules on incident reporting seem to conflict with the requirements of other government agencies? The SEC addressed this with a response that can be summarized as: not our monkey, not our circus. More specifically, the SEC notes that:
It would not be practical to further harmonize Item 1.05 with other agencies’ cybersecurity incident reporting regulations . . . because Item 1.05 serves a different purpose—it is focused on the needs of investors, rather than the needs of regulatory agencies, affected individuals, or the like.
What about situations in which disclosure of a cyber incident would harm the public? The SEC will allow for a delayed filing if the Attorney General “determines that the disclosure poses a substantial risk to national security or public safety and notifies the Commission of such determination in writing.”
The SEC is wildly unsympathetic to the requirements of other governmental agencies, noting that:
With respect to commenters who recommended that other Federal agencies and non-Federal law enforcement agencies also be permitted to trigger a delay or who argued that other agencies may be the primary organization in the Federal government for the response, we note that the rule does not preclude any such agency from requesting that the Attorney General determine that the disclosure poses a substantial risk to national security or public safety and communicate that determination to the Commission.
Let’s all hope the AG isn’t having a busy week at the time such a determination—and writing to the SEC—may be required.
Commissioner Hester Peirce articulates the problem with the SEC’s cavalier approach to security issues and public safety well in her statement about the final rules:
Obtaining approval within four days will be quite a feat . . . Even if the issuer succeeds, it only gets a thirty-day reprieve from disclosing the incident. The rule makes extensions difficult beyond the initial thirty days. The release dismisses other potential conflicts between the SEC’s new 8-K regime and other state and federal laws by assuming SEC rules take precedence . . . . While the Commission’s responsibility is to ensure that investors receive timely, material information, it sometimes has to defer to other government agencies with overarching mandates to protect national security, public safety, and critical infrastructure.
The SEC does recognize that a company may not have full information about a cyber incident within four days of determining that it is material.
The SEC wants the first Form 8-K to include a description of the incident, including the timing, and the reasonably likely material impact on the company. As more information becomes available, companies will be required to amend the original Form 8-K.
Remember, too, that this disclosure is required whether the cyber incident took place on the company’s own systems or on the systems of a third party.
Finally, throwing seasoned issuers a bone, the SEC’s final rules provide that the untimely filing of a Form 8-K to report a cyber incident will not result in the loss of Form S-3 eligibility. Another bone is the addition of Form 8-K cyber incident disclosures to the limited (limited!) safe harbor from the Exchange Act’s antifraud provisions.
Risk for Directors, Officers, and the Companies They Serve
The new rules will take a while to absorb—but unfortunately, time is in short supply. The rules become effective on September 5, 2023.
While smaller reporting companies (SRCs) will have longer, most companies will have to comply with the cyber incident reporting rules starting on December 18, 2023 (SRCs have until June 15, 2024). Governance and risk management disclosures will be required to be included in a company’s next filed annual report for fiscal years ending on or after December 15, 2023. For calendar year-end companies, this means the very next Form 10-K (Form 20-F for foreign filers).
Moreover, liability concerns are real. The SEC has the ability to bring enforcement actions against any public company (not to mention that issuer’s officers and directors) if it perceives the company is not complying with its disclosure obligations.
This was, of course, true even before the final rules. See, for example, the Wells notice issued by the SEC to some of SolarWinds’ former and current executives.
In addition, we should expect that the plaintiffs’ bar will scour incident disclosures for opportunities to use their 20/20 hindsight to claim that companies intentionally made material misstatements and omissions for the purpose of misleading investors.
We should also expect that they will attempt to challenge the veracity of the risk management and governance disclosures any company has made before a cyber breach, be it through a securities suit or a breach of fiduciary duty suit.
10 Steps to Reduce Your Liability
To handle these risks, the following are some considerations for general counsel and boards. Some of these are drawn from my article about the proposed SEC rules while others are new, given the contours of the final rules.
- Assess, and if needed, bolster, your cyber risk management strategy. A good way to assess whether you need to bolster your current strategy is to start to draft the required disclosure. If that exercise leaves you unimpressed with yourself, you know you have work to do.
- Consider whether you need to hire additional in-house cyber expertise or third-party consultants. If the answer is yes, start this process sooner rather than later. The hiring pool for in-house positions may be limited, and the capacity of consultants may be increasingly limited as the year progresses and more companies realize they need more support.
- Have the board’s nominating and governance committee determine whether adding a cybersecurity expert to the board is in shareholders’ best interest. The final rules do not require companies to disclose specific cybersecurity expertise per se. However, given the ubiquity of cyber threats, more companies over time may determine this is, in fact, an important skill to have on their board. The best board members take time to find.
- Assess the board’s cyber oversight process. If your board hasn’t formalized whether a committee or the full board oversees cyber risk, now is the time. It’s also worth making sure everyone is on the same page for the cadence and manner with which management reports cyber risks and incidents to the board.
- Determine whether you need to bolster the efficiency of your disclosure committee and any other materiality-determining processes. The SEC will, no doubt, be looking to bring an enforcement action against companies that unreasonably delay their materiality determination after a cyber incident. Take the time to review and, where necessary, improve your internal processes so that you don’t later have to argue that you were merely incompetent and not intentionally engaging in delaying tactics.
- Review how your company thinks about materiality and cyber breaches. This includes, but is not limited to, an assessment of the financial impact of potential breaches. In addition to coming up with a draft framework to assess financial impact, consider other types of material harm as well.
For example, the SEC in its final rules release noted that “an incident that results in significant harm to a registrant may not be readily quantifiable . . . but it should nonetheless be reported if the harm is material.” Another example provided by the SEC is the theft of information that might not be financially significant but could harm customers or other individuals.
- Consider who will be your outside counsel to advise you should you suffer a cyber incident. The new Item 1.05 Form 8-K requirements are tricky. This is not the time to engage in self-dentistry. Determine ahead of time which outside law firm you will turn to if you need disclosure help and stay in touch with them. You might also take this a step further and update your cyber response plan more broadly (ensuring, of course, that the 8-K drafting process is part of the playbook).
- Diligence your cyber insurance. Some companies may go through all the steps outlined above and determine that they need less cyber insurance because they “feel” more secure. Others will want more because they are more aware of their risks. Neither on its own is a particularly good way to select limits of insurance. Instead, consider taking an analytical approach to scoping your risk and buy insurance limits appropriately.
- Diligence your cyber insurance broker. A robust cyber insurance underwriting process includes an effort by insurance underwriters to determine precisely some of the information the SEC wants disclosed. This includes things like your company’s cyber risk management process and the board’s role in cyber risk oversight.
Make sure your insurance broker is leveraging the work you are doing to represent you well when negotiating the pricing and contract terms of your insurance. At a minimum, you do not want to have told your cyber insurance underwriters about processes that somehow differ from the processes you describe in your SEC filings.
In addition, your cyber insurance renewal process may well be a source of useful information about the process that your general counsel needs to gather to comply with the new disclosure rules. For example, as noted above, the insurance purchasing process should include analytics about the potential financial impact of a cyber breach.
- Inform your board about how D&O and cyber insurance are being used to transfer risk away from the company. Many boards want to have an annual briefing about their D&O insurance. The new rules are likely to prompt many boards to also ask for a briefing about their cyber insurance. If you’re not confident in your broker’s ability to present to your board, including answering questions about the intersection of D&O and cyber liability issues, you are with the wrong broker.