SEC Formalizes New Rules on Cyber Breach Disclosures

The SEC has recently voted on new rules that will require companies to disclose material cybersecurity incidents within four days and to make disclosures about their broad cybersecurity risks in their annual report. Tom Fox and Matt Kelly discussed this issue on a recent edition of Compliance into the Weeds. Matt blogged about it on Radical Compliance.

This new set of rules represents a major shift from the past, when companies may have been asked by law enforcement not to disclose an attack until they were done tracking the attackers. The SEC has tried to balance the need for transparency with the need for law enforcement to use the information, and companies can go to the Justice Department to get permission to keep a breach private.

The SEC had originally proposed these rules nearly 18 months ago, in March of 2022. After considering public feedback, the SEC voted on the rules two weeks ago, at the end of July. Companies now have to disclose material cybersecurity incidents within four days of deciding that the incident is material. They must also make disclosures about their broad cybersecurity risks and how they manage those risks in their annual report. This includes disclosing the impact of the breach, such as the financial consequences and any qualitative effects.

The SEC had also proposed a rule that would require companies to disclose the cyber expertise of their board directors. However, this was changed in response to public feedback that most cyber risk management is done at the management level. The two Republican commissioners objected to the rule, saying it was too extensive and unnecessary, and arguing that the SEC was trying to dictate how companies should run their cybersecurity functions. The US Chamber or other groups may try to litigate over the rule, but for now, companies must disclose or discuss their processes for assessing, identifying, and managing material risks from cybersecurity threats.

The Head of the SEC Enforcement Division recently gave a speech about disclosing cybersecurity incidents and what his division looks at for bad practices that might lead to an enforcement action. The SEC Enforcement Director zeroed in on misleading disclosure and said companies cannot engage in such conduct. He gave examples of companies that suffered enforcement actions long before any of the new rules were adopted. First American Title Insurance and Pearson both gave misleading disclosures to investors about the nature of the breaches they suffered. First American thought the breach was not material and announced it was not a big deal, but its IT team later realized it was a big deal. Pearson suffered an extensive breach and disclosed to investors that there may have been some exposure of confidential data, when it already knew there was no ‘may’ involved. Companies need to disclose the severity of the incident and the reality of what actually happened.

To ensure compliance with the new rules, companies need to have proper policies for handling cybersecurity incidents that are useful and relevant to their company. Companies cannot simply copy language from a regulation and paste it into their policy manual and declare victory. They need to be clear and relevant to their employees about how to find red flags and how to respond to them.

We took a deep dive into the policy choice of transparency over use of information by law enforcement. Companies can go to the Justice Department and get permission from the Attorney General to keep a breach private if it is a threat to national security or public safety. Companies can then take that permission back to the SEC and tell the SEC the company will not disclose the breach for 30 days. Companies can then go back to the Attorney General’s office for another 30-day extension to keep the breach private. The SEC has tried to cut the baby in half by creating a process to keep some breaches private, but they have made clear they do not want corporate or lawyer-led gamesmanship around these disclosures and want a solid informational disclosure.

As this new rule is sure to have a major impact on how companies handle cybersecurity incidents in the future, it is important for companies to be aware of the new rules and the potential consequences of not complying. Companies need to have proper policies in place to ensure compliance, and they need to be sure to provide accurate and timely disclosures about any material cybersecurity incidents.

2 Gurus Talk Compliance – Once A Con, Always A Con

What happens when two top compliance commentators get together? They talk compliance, of course. Join Tom Fox and Kristy Grant-Hart in their podcast, 2 Gurus Talk Compliance, as they dive into hot compliance topics. In this episode, they cover Elizabeth Holmes going to prison, the current office imbroglios, a record whistleblower award, the perils of using ChatGPT, cyber breach reporting, Gartner and trust, and lightning and compliance. With their unique insights and engaging storytelling, this podcast is a must-listen for anyone in the compliance field. Don’t miss the latest episode of 2 Gurus Talk Compliance and stay ahead of the curve!

Highlights Include

· Racial Justice at the Board

· Gartner FCPA enforcement action

· Cyber Incident Reporting

· AI and Corporate Governance

· Once a con, always a con

· Record whistleblower award

· WFH, RTW and Hybrid-Work

· CCO Comp

· Using ChatGPT

· Penalties low, benefits high

Resources

  1. Racial Justice Initiative
  2. Gartner FCPA enforcement action
  3. FSB Report on Cyber Incident Reporting
  4. AI and Corporate Governance
  5. What the Hell Happened Here?
  6. Record $279 Million Whistleblower Award
  7. Thank Goodness We Didn’t Get Struck by Lightning
  8. 3 Tips for Adapting to the Post-Pandemic Culture Shock at Work
  9. CCO Compensation Up 8%
  10. Here’s What Happens when Your Lawyer Uses ChatGPT

Connect with Kristy Grant-Hart on LinkedIn

Spark Consulting

Blackbaud – Failures in Cyber Breach Disclosures

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. In this episode, we discuss the consequences of insufficient disclosure regarding cybersecurity risks, as demonstrated in the recent Blackbaud SEC enforcement action. The SEC requires companies to proactively disclose material events, and the Delaware Court of Chancery is making it clear that senior executives are responsible for ensuring compliance with disclosure requirements. Tune in next week to hear more Compliance into the Weeds from Tom and Matt.

Key Highlights

· The cost of poor communication: $3 million lesson from Blackbaud’s FCC fine.

· Disclosure Controls and the Sarbanes-Oxley Act

· The Consequences of Failing to Comply with the SEC and FCC Regulations on Reporting Data Breaches

· SEC Cracking Heads and What’s Next

Notable Quotes:

1. “Do words still matter? I think that they do.”

2. “I couldn’t think of at least 3 million reasons why that was a bad idea in hindsight, and maybe they should have been more forthcoming.”

3. “Oh, well, actually, you know, we missed the revenue target, but we forgot to tell the CFO people would be fired. You know, there would be heads stuck on the pikes. In front of the office lobby or something like that.”

4. “A compromise of our data security that results in customer or donor personal or payment card data being obtained by unauthorized persons could, and that’s the word. Could adversely affect our reputation with our customers and others.”

Resources

Matt on LinkedIn

Matt on Radical Compliance
