
SEC cybersecurity disclosure rules: What might the impacts on boards of Directors be?

It would hardly be considered ‘breaking news’ to suggest that there is an ever-increasing understanding of the need for companies to be open and transparent around cyber events. Likewise, the governance and reporting obligations faced by companies, and company boards, around all aspects of the running of a business are showing no sign of decreasing anytime soon.

Against this backdrop, the Securities and Exchange Commission in the US (“the SEC”) has recently introduced new rules spelling out what is going to be expected of US listed companies (US domiciled and foreign), going forwards, in relation to the reporting and management of “cybersecurity incidents”.

The stated purpose of the rules is to enhance and drive more consistency in company disclosures around cybersecurity incidents when they arise and, on an ongoing basis, around the management, oversight and governance of cybersecurity risks. The question is, and time will tell, whether the rules achieve their aims and at what cost.

The main tenets of the new rules are explained within the SEC Fact Sheet. In a nutshell, public listed companies are going to be expected to disclose any cybersecurity incidents they deem to be “material” within 4 business days of reaching that determination (such determination not to be unreasonably delayed). This disclosure requires an explanation to be provided as to the nature and scope of the incident, as well as the likely material impacts.

Beyond this, the rules also require companies to include, within their annual disclosure filings, the processes in place for identifying, assessing, and managing cybersecurity threats, and to describe the board’s oversight of those risks and the role of company management in assessing and managing them.

There is a logic in requiring companies to share their experiences of cyber incidents and to report on their assessment and management of the cyber risks posed to the business. Knowledge of cyber threats and how they can be tackled is to the benefit of everyone: national economies, businesses, investors and individuals. However, whilst many cyber incidents can reasonably quickly be recognised as being serious or, to use the SEC language, “material”, this is not the same as saying that companies can quickly explain the full nature of an incident or its expected impacts. Equally, what one company board considers “material” may be fundamentally, and legitimately, different to what another company determines as “material”. Finally, there is a question to be asked about whether the resources invested in making timely disclosures support or, potentially, detract from the work of dealing with a live cyber incident as it is developing.

Evolution of cyber incidents

Cyber incidents, like any negative business event, evolve over time depending on any number of factors. Careful thought therefore needs to be given, when complying with the SEC disclosure rules, both to the timing of disclosures and to the detail to be provided. There should also be a focus on ensuring that disclosures made during a cyber incident remain consistent with the steps being taken to deal with it and, later, with the information that may follow and be included within annual disclosure filings. Mistakes made, and information shared or withheld, will be open to scrutiny, often with the benefit of hindsight, and this will provide scope for companies and their boards to face some challenging questions about their decisions and conduct.

These challenging questions may begin before any cyber incident occurs at all. Directors must ensure that the mere notion of a potential future cyber incident is at the forefront of the company’s thinking and in its boardrooms. Discussions and protocols around the actions to be implemented, if a cyber incident were to occur, must be in place to avoid both regulators and any securities plaintiff lawyers accusing the Directors of substandard oversight of events after the fact. This will mean companies must be proactive in their steps to ensure a tight net is around their systems, and must have a clear and structured plan of action with internal/external partners to address cyber incidents if/when they occur. The sorts of external partners that companies should have in mind are, first, their insurers, and then the likes of lawyers, incident response providers, IT forensics and PR consultants (to name but a few).

The other potential risk that should be at the forefront of companies’ minds is the timing of any disclosure they submit to the SEC. The guidance from the SEC states that the four business day window for disclosure runs from the date that the company determines that the cyber incident is “material”. This begs the question, what does “material” mean in the context of a cyber event?

Within the definition section of the SEC published document, no specific definition of materiality has been given. The SEC states:

“We decline to define any other terms. 

We acknowledge commenters who asked for additional guidance regarding the application of a materiality determination to cybersecurity or sought to replace materiality with a significance standard. 

As noted in the Proposing Release, however, we expect that registrants will apply materiality considerations as would be applied regarding any other risk or event that a registrant faces.” 

Therefore, companies must ask themselves, when thinking about disclosure, what are the “…materiality considerations as would be applied regarding any other risk or event that a registrant faces”?

The issues presented by this approach touch on various facets of the business, such as financial, operational, brand perception, customer network and so on. The timing of each cyber related SEC disclosure will be very sensitive.

A hurried disclosure on a live incident (which is common in cyber events) may lead to an unintentional misstatement of materiality on the financial and operational front. This could lead to actions by shareholders whose decision making was driven by the initial disclosure, even if subsequent updating disclosures are made.

On the other hand, a disclosure which is complete and comprehensive may take longer to assess, and so to file, when dealing with the many moving parts of a cyber incident. In turn, the SEC or shareholders could determine or allege a delay in the disclosure.

An example of this may occur when various unrelated companies are affected by one incident. One or more of these companies may disclose the incident to the SEC before the others. The incident is therefore in the public domain and being reported on in the media.

An alleged delay by another company in disclosing the incident could result in alleged losses to shareholders due to reputational damage, customer relationship breakdown, media scrutiny and so on. It is at this moment that the company will have to demonstrate strong protocols, at board level, and that materiality was determined within 4 business days of the disclosure to the SEC.

Either way, securities plaintiff lawyers will be inspecting firms’ disclosure documents in forensic detail and attempting to pick apart weaknesses in those disclosures.

Moving forward

The new SEC rules have understandable and laudable aims. How realistic it is for companies locked in a ‘battle’ with an active cybersecurity incident to provide detailed, public disclosures is however open to question. Likewise, the ability of companies to deal with events as they are happening and attend to their regulatory, legal and governance reporting obligations is likely to be variable. However, the key starting point for all companies should be to install a framework at board level for the actions to be taken in the event of a cyber incident.

This protocol must be visible at board level, publicised amongst relevant employees and rehearsed as part and parcel of a company’s business continuity planning. This will support and aid implementation if or when an incident occurs. Forward looking and early planning will give companies the best possible tools to be able to conclude an incident as soon as possible, in the short term, and to measure the potential impact of that incident in the longer term, so as to abide by their regulatory and shareholder obligations.
