In July, the SEC adopted a final rule requiring the disclosure of material cybersecurity incidents and cyber risk management, strategy and governance by public companies, including foreign private issuers. The new rule requires public companies to disclose any material cybersecurity incidents within four business days of determination. Additionally, the final rule requires companies to disclose if they have a cybersecurity risk assessment program – and to describe how they assess, identify and manage material risks from cybersecurity threats.
The overarching goal of the regulation is to provide consistent, comparable and decision-useful cybersecurity information for investors, companies and the markets that connect them. However, the new rule creates complex challenges and potential liabilities, underscoring the importance of businesses developing risk mitigation strategies to meet the requirements in partnership with their cyber insurers.
It’s important to note that many non-U.S.-based companies will also have to substantively comply with the final rule, since it requires foreign private issuers to make disclosures comparable to those of U.S.-based publicly traded companies. Additionally, regulations with similar objectives exist elsewhere in the world, albeit with many differences, creating additional regulatory complexity for global businesses.
Below, we break down three ways for global businesses to manage the risk implications of the SEC cybersecurity disclosure rule.
Determining compliance challenges
With this new rule, the SEC is putting the responsibility on public companies to give investors accurate and valuable information about how they manage their cyber risks. However, regulatory compliance could become a challenge when navigating the subjective question of what constitutes a material cyber incident. Between the public nature of disclosing the incident and the intricacies of determining how much breach-related information to provide regulators and shareholders, the situation could become quite tricky to navigate. Some experts think that the public disclosures mandated under the final rule could unexpectedly create more risk for the disclosing companies. To limit such consequences, organizations must be careful not to reveal too much about their cyber risk management and preparedness, yet still abide by the regulation’s disclosure timetable. In the aftermath of a cybersecurity incident, a company is likely to be deeply focused on determining the cause of the attack, the extent of the business disruption, and the most effective measures to restore services. Adding a determination of whether the incident is material within a four-day timeframe complicates these crucial activities. If too much context is provided on the incident and the organization’s multifaceted response, additional threat actors are potentially armed to launch follow-up attacks; if not enough context is provided, the organization risks noncompliance with the SEC’s reporting mandate. Companies are in a tough spot either way.
Understanding potential liability
When the legal duties of making accurate public disclosures are murky, shareholder attorneys take notice. Aware of the swift decision making needed to fully disclose the nature and scope of a material cyber incident within a short timeframe, attorneys may argue in hindsight that a company made material misstatements and omissions with the intent of misleading investors. Shareholder attorneys might act quickly to determine whether there is an opportunity to file a class action lawsuit. For example, they may challenge the accuracy of disclosed information regarding cybersecurity risk management and governance, arguing that management made material misrepresentations about the nature and magnitude of a data breach. A related possibility is a breach-of-fiduciary-duty lawsuit filed against board members who are legally obligated to act in the interests of shareholders and fail to do so. These potential liability exposures require risk managers to scrutinize an organization’s cyber insurance policies and D&O (directors and officers) liability insurance coverage to ensure proper limits and coverage.
How an organization engages with regulators within the first 72 hours of a cyber incident will inevitably affect the rest of the investigation, highlighting the value that breach response partners deliver. There are many services that cyber insurers and their partnering data protection law firms can provide, including assigning an attorney to provide counsel on each specific cyber incident, assisting in determining whether a breach is material, and drafting the public disclosure filing itself. Other consultative services include partnering with an organization’s Chief Information Security Officer and InfoSec teams, and providing a D&O coach to help board members and senior executives understand and prepare for the potential liability arising from a failure to disclose material shareholder information.
Revising incident response plans
Experts advise global businesses to structure, in conjunction with their cyber insurers, a set of internal processes that can meet multiple regulatory deadlines and content requirements. With any cyber incident, you don’t know exactly what has happened right away, especially if it’s the organization’s first significant breach. To provide accurate information to regulators, it’s important that global companies partner with their cyber insurer to reflect the differences in regulatory reporting timeframes in their incident response plan. Many cyber insurance leaders emphasize the value of carefully determining, and then systematizing, the processes by which the organization will disclose material information within the four-day reporting timetable. It’s extremely important to document and incorporate these processes into the cyber incident response plan, and then regularly test them in the operating regions where such timetables apply. Companies are often too closely involved in building their incident response plan to look at the situation holistically. Drawing on their broad experience, cyber insurers can partner with companies to develop a plan that covers the critical processes needed to address the different disclosure deadlines and other compliance mandates.
As companies across the world have moved from analyzing the initial cybersecurity proposal to acting on the rule’s complicated compliance obligations, the ultimate goal should be for each business to employ a comprehensive, clearly articulated, refreshed and tested cyber incident response plan that adequately covers its risks and adheres to the new regulation.