This month, the Securities and Exchange Commission (SEC) proposed new cybersecurity disclosure rules for publicly traded companies. The comment period is ongoing, but the takeaway for public companies is immediate: a public company (no matter how large or small) needs to be prepared to promptly disclose a material cybersecurity incident.
The SEC is proposing two major filing requirements:
1. Four-business-day deadline for 8-K filings for material cyber incidents
This disclosure must occur after a public company determines it has experienced a material “cybersecurity incident,” defined by the SEC as “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”
Notably, ongoing investigations cannot be used as a basis for avoiding disclosure of material cybersecurity incidents. In tandem, a public company would also need to update its 10-K and 10-Q filings regarding cybersecurity incidents previously disclosed in a Form 8-K.
2. 10-K cybersecurity disclosures
The proposed new Item 106 to Regulation S-K requires the following:
- Descriptions of a public company’s policies and procedures, if any, for the management of risks from cybersecurity threats, including whether the registrant considers cybersecurity as part of its business strategy, financial planning, and capital allocation
- Disclosures regarding the Board of Directors’ oversight of cybersecurity risk and management’s role and expertise in managing and assessing cyber risks
- Disclosure of a series of incidents that may become material in the aggregate
How does a public company prepare for these proposed SEC cybersecurity rules?
As a cybersecurity attorney, I have experienced the rush to file an 8-K after a material cyber incident even without the new mandatory deadlines. Here are my suggestions:
- Engage outside cyber counsel in advance of an incident. Do not wait for an incident to occur to create a relationship with a cybersecurity attorney, especially one experienced in SEC filings. A material cyber incident can be a catastrophe for a company’s reputation and bottom line. Having a relationship in advance can be critical to making sure that your company is protected in an urgent time of need.
- Once the new rules are adopted, and even beforehand, update incident response plans to include SEC filing deadlines and concerns. Those on an incident response team may not be deeply involved in a company’s public filing rhythm. It is important that they have situational awareness of what is ahead.
- Understand you may not know much in the first four days of an incident. Be prepared for a bit of chaos. In the first four days of an incident, it is not uncommon to have little information about the extent of an incident and how far-reaching it may be. By day four of a ransomware event, for example, you may have only a threat actor’s claims and some understanding that your systems are encrypted. You may not know whether backups are fully viable at that time. Allow wiggle room in your disclosures for what you may learn after the initial disclosure.
- Check your cyber insurance for coverage that would specifically help you as a public company. Have outside cyber counsel review your cyber insurance for gaps. For example, increased SEC disclosure requirements may heighten your need for PR firms specializing in cyber crises.
- Train your Board and senior management on cyber issues with outside parties. Gone are the days of hiding from cyber or claiming no knowledge. Get outside cyber counsel to conduct trainings under the cover of the attorney-client privilege for your Board and management team.
Whatever happens with the proposed SEC cyber rules, it is clear the SEC will continue to focus on a registered company’s cyber practices. Take time now, before an incident, to prepare. If you have questions, the Woods Rogers Cybersecurity & Data Privacy team is ready to assist.