The SEC has recently voted on new rules that will require companies to disclose material cybersecurity incidents within four days and to make disclosures about their broad cybersecurity risks in their annual report. Tom Fox and Matt Kelly discussed this issue on a recent edition of Compliance into the Weeds. Matt blogged about it on Radical Compliance.
This new set of rules represents a major shift from the past, when companies may have been asked by law enforcement not to disclose an attack until they were done tracking the attackers. The SEC has tried to balance the need for transparency with the need for law enforcement to use the information, and companies can go to the Justice Department to get permission to keep a breach private.
The SEC had originally proposed these rules nearly 18 months ago, in March of 2022. After considering public feedback, the SEC voted on the rules two weeks ago, at the end of July. Companies now have to disclose material cybersecurity incidents within four days of deciding that the incident is material. They must also make disclosures about their broad cybersecurity risks and how they manage those risks in their annual report. This includes disclosing the impact of the breach, such as the financial consequences and any qualitative effects.
The SEC had also proposed a rule that would require companies to disclose the cyber expertise of their board directors. However, this was changed in response to public feedback that most cyber risk management is done at the management level rather than at the board. The two Republican commissioners objected to the rule, saying it was too extensive and unnecessary, and arguing that the SEC was trying to dictate how companies should run their cybersecurity functions. The US Chamber or other groups may try to litigate over the rule, but for now, companies must disclose or discuss their processes for assessing, identifying, and managing material risks from cybersecurity threats.
The Head of the SEC Enforcement Division recently gave a speech about disclosing cybersecurity incidents and what his division looks at for bad practices that might lead to an enforcement action. The SEC Enforcement Director zeroed in on misleading disclosures and said companies cannot engage in such conduct. He gave examples of companies that suffered enforcement actions long before any of the new rules were adopted. First American Title Insurance and Pearson both gave misleading disclosures to investors about the nature of the breaches they suffered. First American thought the breach was not material and announced it was not a big deal, but their IT team later realized it was a big deal. Pearson suffered an extensive breach and disclosed to investors that there may have been some exposure of confidential data, when they already knew there was no ‘may’ involved. Companies need to disclose the severity of the incident and the reality of what actually happened.
To ensure compliance with the new rules, companies need to have proper policies for handling cybersecurity incidents that are useful and relevant to their own company. Companies cannot simply copy language from a regulation, paste it into their policy manual, and declare victory. They need to be clear and relevant to their employees about how to spot red flags and how to respond to them.
We took a deep dive into the policy choice of transparency over use of information by law enforcement. Companies can go to the Justice Department and get permission from the Attorney General to keep a breach private if it is a threat to national security or public safety. Companies can then take that permission back to the SEC and tell the SEC the company will not disclose the breach for 30 days. Companies can then go back to the Attorney General’s office for another 30-day extension to keep the breach private. The SEC has tried to cut the baby in half by creating a process to keep some breaches private, but they have made clear they do not want corporate or lawyer-led gamesmanship around these disclosures and want a solid informational disclosure.
As this new rule is sure to have a major impact on how companies handle cybersecurity incidents in the future, it is important for companies to be aware of the new rules and the potential consequences of not complying. Companies need to have proper policies in place to ensure compliance, and they need to be sure to provide accurate and timely disclosures about any material cybersecurity incidents.