August 1st, 2023
Six Steps to Help Your Team Comply with the New SEC Public Company Cybersecurity Rules
On July 26, 2023, the Securities and Exchange Commission (“SEC”) approved final Rules entitled Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (the “Rules”). The Rules require certain cybersecurity incident disclosures on Form 8-K, generally within 4 business days after the determination that a cybersecurity incident is material. The Rules also address periodic disclosure of cybersecurity risk management practices, strategies, and governance. The Rules go into effect in December 2023, with the exact date to be determined as of the day the final Rules are published in the Federal Register.
This article focuses on the steps a company should take to make required disclosures without running afoul of the Securities Exchange Act. Section 240.10b-5 (commonly referred to as “Rule 10b-5”) prohibits fraudulent or deceptive acts or omissions in connection with securities. Relevant for our purposes here, Rule 10b-5 states that it is unlawful “[t]o make any untrue statement of a material fact or to omit to state a material fact necessary in order to make the statements made, in the light of the circumstances under which they were made, not misleading.” Disclosures concerning the precise facts known, or unknown, about an incident at any given time, as well as clear and materially accurate representations of a company’s cybersecurity practices, will become paramount under these new SEC Rules.
Here are six things that a public company can do now to implement the Rules in a structured manner to reduce the risk of non-compliance:
1. Add a lawyer cross-trained on cybersecurity and securities disclosure to the internal and external incident response and risk management teams.
Incidents move very quickly and evolve rapidly. What a company believes happened at the beginning of the incident is likely to be incorrect, or at the very least, imperfect. Incident response lawyers primarily focus on privacy breach notification requirements and the legal issues associated with ransom payments.
Forensic investigators will tell you what they observe based upon available logs, but they should not be speculating on what may have occurred – that is not their function, except in limited circumstances. Someone who speaks both the language of securities disclosure and the language of cybersecurity incident response is necessary for interpreting the known or suspected factual findings to make timely – and perhaps most importantly, accurate – disclosures. This lawyer should also be added to the cybersecurity risk management teams, including those that oversee cybersecurity assessments and internal policies and procedures.
2. Draft incident disclosure language to cover the most prevalent and anticipated incidents.
During a major incident, there will be tremendous confusion. If a company has not considered the disclosures necessary in a Form 8-K long before the incident occurs, the teams that are addressing the incident may be pulled into a complicated securities disclosure drafting process.
Issues such as potential loss of customers and large contracts, disruption to operations caused by the attack or remediation efforts, changes to controls necessary for future protection against existing control failures, lawsuits, and regulatory actions will all have to be considered. It is far better to work through what the company will say in advance for the major types of incidents likely to occur (i.e., ransomware, network penetration with lateral movement and privilege escalation, data exfiltration, DDoS attack, and other business interruption). The draft disclosures will need to be revised based on the facts as they are observed and reported by the forensic investigators.
3. Appoint a technical person as a securities incident and risk management disclosure technical adviser.
This person should be separate from the main incident response team, which will be focused on the investigation and remediation of the incident. The technical person needs to be cross-trained on securities law, so that they are able to help interpret the forensic investigator report for the securities disclosure team, as well as play a similar role in drafting the cyber risk management and governance disclosures.
4. Use FIPS 199 to develop a materiality analysis.
Federal Information Processing Standards Publication (“FIPS”) 199 is a technical document produced by the National Institute of Standards and Technology (“NIST”). It sets out cybersecurity standards that federal agencies, including the SEC, are required to follow. Although FIPS 199 generally does not apply to commercial entities, it contains the definitions from Federal law of “Confidentiality,” “Integrity,” and “Availability,” plus definitions for impact levels of “Low,” “Moderate,” and “High.” FIPS 199 provides a structured way to interpret the potential risks, which will provide a defensible position on key portions of the materiality analysis.
5. Include a communications team in the incident response plan.
Bringing on a communications team after an incident has been determined to be material is likely too late. During an incident, disclosures may need to be made to multiple parties, including customers, third parties, regulators, affected individuals, and potentially, the public. Coordination of these communications becomes particularly important with specified public disclosures being required under the Rules. Ensuring securities law compliance in all communications is of particular importance during a major incident.
6. Review third-party agreements immediately.
Many third-party agreements, especially with large service providers (such as cloud providers, banks, SaaS providers, and other providers with significant market power), do not contain robust incident reporting language that would allow customers to easily make materiality determinations relating to cybersecurity incidents that take place in the provider’s systems. Although the SEC did not require particular contract language that registrants must use with third parties, some registrants may have contract language that supports notifications. It is not currently clear how the SEC and plaintiffs’ attorneys will view differences in the timing and content of public notifications related to service providers with large-scale incidents, where some companies file 8-Ks and others do not. Companies may also choose to use FIPS 199 to internally categorize the risks from service providers to help focus the analysis of contracts. In addition to contractual provisions, companies may establish monitoring of service providers that are categorized with a potential “High” impact for news and social media reports of cybersecurity incidents.
The SEC is requiring companies to file disclosures relating to cybersecurity. A key risk is that the disclosures will contain material misstatements or fail to disclose material information. The gap in language and understanding between the securities reporting teams and the cybersecurity teams is so large that cross training and a highly structured approach to communication and interpretation are necessary for public company risk management in cybersecurity disclosure.
If you have questions about the SEC Public Company Cybersecurity Rules, please contact Rick Borden at (212) 705-4884 or rborden@fkks.com, or any other member of the Frankfurt Kurnit Privacy & Data Security Group.