SEC on offense for cyber defense: New rules for companies
With football season almost upon us, we can soon look forward to frequent use of the sports adage, “the best defense is a good offense.” Last week, the Securities and Exchange Commission seemed to invoke a regulatory version of the metaphor when it finalized aggressive and extensive cybersecurity rules for public companies centered on cyber risk management, governance and strategy, as well as sweeping disclosure requirements for material cybersecurity incidents.
In a statement following the adoption of the rules, SEC Chair Gary Gensler remarked, “[W]hether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors.” The new rules require companies to disclose in a Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its impact on the company. The Form 8-K will generally be due within four business days of the date on which the company determines the cybersecurity incident to be material, not four business days from discovery. Companies are required to make the determination as to the materiality of a cybersecurity incident without unreasonable delay after discovery of the incident, so the materiality assessment cannot be used to postpone the clock. The only delay the rules contemplate is where the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission in writing. Additionally, the new rules require companies to annually disclose their processes for assessing, identifying, and managing material risks from cybersecurity threats, and to describe how the board of directors oversees cybersecurity risks, as well as management’s role in assessing and managing cyber threats.
Originally proposed in March 2022, the much-anticipated rules received significant industry feedback, including more than 150 comment letters, over the past year. “[M]any public companies provide cybersecurity disclosure to investors,” continued Chair Gensler in his statement. “I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.” Public companies (other than smaller reporting companies) must comply with the new Form 8-K cybersecurity incident reporting requirements starting on the later of 90 days following publication in the Federal Register and Dec. 18, 2023; smaller reporting companies receive an additional 180 days. The annual disclosures will be due starting with annual reports for fiscal years ending on or after Dec. 15, 2023, which for companies with a calendar year end means the Form 10-K for 2023 (filed in 2024).
In addition to these “letter of the law” requirements in the regulations, and in the wake of infamous cyber incidents like those that impacted Colonial Pipeline and SolarWinds, the rules also speak to a trending “spirit of the law” expectation among regulators of increased cybersecurity maturity and transparency. As a result, and leading up to these year-end SEC requirements, companies should consider assessing and updating the following: (1) existing risk management processes for identifying and managing material risks from cybersecurity threats, including how the board of directors oversees cybersecurity risks and how management assesses and manages the company’s response to cyber threats; (2) existing cyber incident response plans and procedures, including the processes and timing of legal and regulatory notifications, and in particular how and by whom a materiality determination is made and documented once an incident is discovered; and (3) the potential impacts of a material cybersecurity incident on the company and its stakeholders.
Bottom line: It appears, in both letter and spirit, that the best defense to cybersecurity regulation continues to be “defensible” cybersecurity defense — for now.