The Securities and Exchange Commission’s (“SEC”) proposed rules involving cybersecurity incident reporting requirements remain open for comment. Originally reopened in early October for at least two weeks in response to a technical issue around previous comment collection, the ability to submit comments on the relevant proposals remains open, and the SEC continues to receive feedback that may lead to adjustments to the original rules.
For background, in March 2022 the SEC proposed rules outlining cybersecurity reporting requirements for public companies subject to the Securities Exchange Act of 1934 and proposed cybersecurity rules and reporting obligations applicable to registered investment advisers and investment companies. Both rules, proposed on the heels of increased industry-specific SEC cybersecurity compliance enforcement, require covered organizations to report certain cybersecurity incidents within newly established timelines, amongst other obligations outlined below.
Cybersecurity Risk Management, Strategy, Governance, and Incident Reporting for Public Companies
The proposed rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (“Public Company Cybersecurity Proposed Rules”) would impose an obligation on public companies to report cybersecurity incidents within four (4) business days after the determination that a material incident occurred.
Public Company Cybersecurity Proposed Requirements
In application, the new rule would require public companies to:
- Disclose, on Form 8-K, cybersecurity incidents within four (4) business days after determining a material cybersecurity incident occurred.
- Provide updates regarding previously disclosed cybersecurity incidents and disclose whenever a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate.
- Disclose policies and procedures, if any, for identifying and managing cybersecurity risks, cybersecurity governance, including the board of directors’ oversight role regarding cybersecurity risks, and management’s role and relevant expertise in assessing and managing cybersecurity related risks and implementing related policies, procedures, and strategies.
- Disclose if any member of the public company’s board of directors has cybersecurity expertise.
The SEC’s proposed rule differs from existing obligations, in particular state data breach notification obligations, in that the rule is triggered when a public company determines that a cybersecurity incident is material rather than when the incident is discovered or begins. Following securities law precedent in TSC Indus. v. Northway, the proposed rule clarifies that an incident would be considered ‘material’ when “there is a substantial likelihood that a reasonable shareholder would consider it important,” which, in the face of a potential incident, is recognized as a fact-intensive analysis that depends on the specific context, whether tied to operational impact, unauthorized activity, or other factors.
Similar to existing requirements under state law for the disclosure of personally identifiable information, in the event of a material incident, the proposed rule would require companies to provide a brief description of the nature and scope of the incident and disclose when the incident was discovered and whether it is ongoing, if any data was stolen, altered, accessed, or used for an unauthorized purpose, what effect the incident had on the company’s operations, and whether the company has remediated the incident.
To deter any purposeful delay, the proposed rule would require that the materiality determination occur as soon as reasonably practicable after discovery of the incident and would not provide for a delay resulting from an ongoing internal or external investigation of the incident, including by law enforcement.
Examples of material incidents include:
- Unauthorized activity that compromises the confidentiality, integrity, or availability of an information asset, such as data, systems, or networks, or violates the public company’s security policies or procedures.
- Unauthorized activity resulting in degradation, interruption, loss of control, damage to, or loss of operational technology systems.
- Unauthorized access, including a party exceeding authorized access, resulting in the alteration or theft of sensitive business information, personally identifiable information, intellectual property, or information that has resulted, or may result, in a loss or liability for the company.
- Incidents in which a malicious actor has threatened to sell or publicly disclose sensitive company data, or incidents in which a malicious actor has demanded payment to restore company data that was stolen or altered.
Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies
Following a pattern of imposing shorter timeframes for reporting, the proposed rule on Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies (“Cybersecurity Risk Management Rules”) requires registered investment advisers and registered investment companies to report significant cybersecurity incidents to the Commission within forty-eight (48) hours of discovery and maintain records of such incidents for five (5) years.
Reporting is limited to incidents which significantly disrupt or degrade the ability to maintain critical operations or lead to the unauthorized access or use of information resulting in substantial harm. Again, these determinations often require fact-intensive scrutiny and specific legal considerations.
In addition to the requirement to report significant cybersecurity incidents to the Commission, the Cybersecurity Risk Management Rules also mandate the adoption of specific security measures. These measures include:
- Conducting regular risk assessments;
- Implementing policies and controls for user access;
- Conducting periodic assessments of information systems and stored data;
- Conducting vulnerability assessments;
- Engaging in ongoing risk and vulnerability monitoring; and
- Requiring the Board of Directors to initially approve cybersecurity policies and procedures and review reports on cyber incidents and material changes to policies and procedures.
Takeaways
Both proposed rules impose reporting requirements for a broader scope of incidents than their predecessors and existing state data breach notification laws. While neither rule is currently in effect, public companies, advisers, and other regulated individuals or organizations should prepare for the potential reporting requirements imposed by either rule. Steps that can be taken now include:
- Assessing cybersecurity practices for the adequacy and effectiveness of existing protections with particular focus on the procedures in place for detecting, responding to, and reporting cyber incidents.
- Preparing or updating your incident response plan to account for either the four (4) business day or forty-eight (48) hour reporting window in accordance with either the Public Company Cybersecurity Proposed Rules or Cybersecurity Risk Management Rules.
- Training employees and testing your incident response and reporting procedures to keep individuals within the organization responsible for cybersecurity compliance up to date on threat landscapes, current attack vectors, and their responsibilities in response to an incident. Tabletop exercises are effective measures to identify gaps and gauge the adequacy of any incident response plan or procedures.
Octillo continues to monitor any developments regarding the SEC proposed rules and cybersecurity incident reporting and will provide updates accordingly. As guidance on incident reporting continues to change, organizations may rely on sophisticated and experienced counsel to ensure systems and information technology teams are up to date on the latest developments. Our team of skilled incident response attorneys stands ready to assist your organization in incident planning and preparation for the proposed rules and other data security and breach notification regulations. If you have questions on incident response planning and reporting, or would like to schedule a tabletop exercise for your team, please email [email protected] or reach out to a member of our team.
*Attorney advertising: prior results do not guarantee future outcomes.