Last week, Paul Hastings attended the Securities and Exchange Commission (SEC) Speaks 2024 event presented by the Practising Law Institute (PLI) in cooperation with the SEC on April 1 and 2. The SEC Speaks program provides essential updates on current initiatives and priorities at the SEC. The SEC Speaks 2024 event included remarks by the SEC Chair and Commissioners along with panel discussions by senior staff at the Division of Investment Management, Trading and Markets, Corporation Finance, Enforcement, Examinations, and Economic and Risk Analysis, and the Offices of the Chief Accountant, General Counsel, and more.
Updates Regarding Rules on Cybersecurity Incident Reporting and Risk Management, Strategy, and Governance
The Division of Corporate Finance held a panel covering several updates, including updates regarding the new SEC rules on cybersecurity incident reporting and cybersecurity risk management, strategy, and governance (the “New Rules”), which became effective as of December 18, 2023. The New Rules were originally approved by the SEC in July 2022 and call for (i) real-time disclosure (96 hours) of cybersecurity incidents on Forms 8-K or Forms 6-K, as applicable, and (ii) annual disclosure of an issuer’s cybersecurity risk assessment processes and the respective roles of its board of directors and management in overseeing and managing cybersecurity threats.
SEC Division of Corporation Finance Director for Legal and Regulatory Policy, Mellissa Campbell Duru, spoke extensively on the New Rules. Ms. Duru covered both key items that reflect changes since the New Rules were proposed and clarifications based on questions the SEC has received regarding the New Rules. These updates from Ms. Duru are covered below.
Key Items Reflecting Changes since New Rules were Proposed
Materiality on Forms 8-K: The New Rules’ disclosure requirements include reporting of material cybersecurity incidents and specifically the material aspects of those incidents including the nature, timing, and scope. The New Rules make it clear that a registrant need not disclose specific technical information about its planned response to an incident or its systems in such detail that it would impede any response or remediation efforts.
Disclosure scope in Forms 8-K: The New Rules’ include a narrowed scope of disclosure since their initial proposal. To narrow the scope of disclosure, the SEC added a limited delay provision for disclosures that would pose a national security or public safety risk. Whether a disclosure would propose a national security or public safety risk is a determination made by the United States Attorney General (US AG). If the US AG determines a disclosure would pose a national security or public safety risk, this would cause the delay provision to kick in for reporting a cybersecurity incident via the Form 8-K Item 1.05 requirement.
Disclosure of expertise in Form 10-K: Though the proposed rules initially required that there be a cybersecurity expert involved, the New Rules now only require the disclosure of relevant expertise of any members of management who are responsible for assessing and managing risks.
Ms. Duru noted that the changes reflect significant stakeholder input and she pointed to the US AG’s guidance and SEC’s guidance on reporting, including the statement made by SEC Director of Division of Corporation Finance, Eric Gerding, whereby he provided more information on complying with the New Rules.
Ms. Duru further explained that the New Rules do not aim to disrupt how companies regularly handle their cybersecurity incidents. Rather, the New Rules are meant to be additive to processes already in place at companies for handling cybersecurity incidents and require new lines of communication between legal and technical experts that have typically been siloed. She added that legal experts would need to teach those involved in determining materiality of cybersecurity incidents on what would be considered material.
Updates Regarding Risk Alerts on Cybersecurity
The Division of Examinations held a panel covering several updates, including updates regarding the most recent cybersecurity risk alert issued. Risk alerts are used to communicate with investors and to enhance compliance. Co-Associate Director of the Advisor/Investment Company Examination Program, Vanessa Horton, explained that risk alerts are critical in that they provide a roadmap to issues that the SEC is identifying and gives companies a look at risks that the Division of Examinations sees.
Recent Cybersecurity Risk Alert
Assistant Director of the Division of Examinations, Rich Hannibal, highlighted the most recent cybersecurity risk alert issued, which was about safeguarding customer records and information at branch offices. Mr. Hannibal further noted exam priorities this year include conducting exams in the topic area of safeguarding records and branch offices. Key observations expressed by Mr. Hannibal include:
- Some firms are centrally managed in controlling network/IT policies
- Other firms are decentralized and allow branches discretion in how they operate, so branches lack oversight and consistency; some issues specific to branches include:
- Lack of due diligence with vendors
- Lack of compliance with email security
- Password complexity dissimilar to what is required at main office
- Multi-factor authentication dissimilar to what is required at main office
- Lack of updates for patching
Risk areas of note
Artificial Intelligence (AI): Ms. Horton explain AI risks need to be mitigated by controls. Specifically, she explained that although AI can provide operational efficiencies, appropriate supervisory controls, disclosures, and governance must be in place. Ms. Horton further noted the importance that registrants’ use of AI does not prioritize the firm’s needs over clients’ needs so that investors are not misled. Ms. Horton concluded in saying there should always be a “human in the loop” when AI is used and there must be systems in place to ensure no loss of client data when using third party AI.
Threatening technology: Mr. Hannibal expressed the expectation of increasing deepfakes and phishing with impersonations. He highlighted there was a January investor alert issued by the SEC and National Aeronautics and Space Administration (NASA) on AI tech used to scam investors. Further, Mr. Hannibal noted that the SEC chair has spoken on AI emphasizing the importance of firms having appropriate guardrails and continued testing, maintenance, and appropriate governance in place when using AI.
