On December 18, 2023, prior to the trading session, VF Corp. (NYSE:VFC) issued a press release disclosing that the company was investigating unauthorized activity on its computer systems – and that the intrusion had encrypted some systems and compromised data. [1]
The SEC Cited a Number of Factors that Magnify Cybersecurity Risks for Investors:
- Increased digitalization of operations;
- Growth of remote work;
- Ability of criminals to monetize cybersecurity incidents;
- Use of digital payments; and
- Increasing reliance on third party IT service providers.[2]
As the parent company of numerous iconic apparel brands, such as The North Face and Vans, [3] VF Corp. went on to warn that this cyberattack had disrupted its ability to fulfill e-commerce orders and could not yet say whether the company’s finances would be affected.[4] With the last shopping week before Christmas in full swing, investors fled at the opening bell, pushing VF Corp.’s stock price lower by $1.55 per share, for a loss of more than 7.78 percent that day.
Chart: Bloomberg L.P.
VF Corp.’s disclosure was the most recent example of the SEC’s new disclosure rules in action. Those rules were first proposed in March of 2022, based on the agency’s finding that “cybersecurity risks have increased” due to the increase in commerce occurring digitally as well as other factors.[5]
The push for specific cybersecurity and incident reporting rules arose from the SEC’s conclusion that – even after more than a decade of agency guidance – the SEC “continued to believe that investors need information on registrants’ cybersecurity risk management and strategy, and that uniform, comparable, easy to locate disclosure [would] not emerge absent new rules.”[6]
The final rules,[7] which became effective on September 5, 2023, update the reporting requirements under the Securities Exchange Act of 1934 to standardize how registrants inform investors about cybersecurity, requiring both:
- Real-time disclosures about material cybersecurity incidents; and
- Periodic disclosures about a registrant’s:
- processes to assess, identify, and manage material cybersecurity risks,
- management’s role in assessing and managing material cybersecurity risks, and
- the board of directors’ oversight of cybersecurity risks.[8]
Originally, the SEC relied on a Staff Guidance document issued in 2011 that discussed the risks, contingencies, and other factors that issuers should consider when applying traditional rules regarding materiality and disclosure, pointing out that:
Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents.[9]
That was updated in 2018, but the new rules aim to address the SEC’s view that “disclosure practices have remained inconsistent.”[10]
Erik Gerding, the SEC’s Director of the Division of Corporation Finance, offered his personal comments on the new rules, pointing out that “[i]nvestors have indicated … that they need consistent and comparable disclosures in order to evaluate how successfully public companies” are “address[ing] cybersecurity risks and threats based on their own particular facts and circumstances.”[11]
Gerding went on to note that the SEC “balanced the need for disclosure with the risk that disclosing specific technical information could provide a road map that threat actors could exploit for future attacks.”[12]
In keeping with prior practices, the SEC sought to leverage existing disclosure rules to ensure uniformity. As a result, public companies must disclose a cybersecurity incident within four business days after the company determines the incident to be material.[13] This allows issuers to apply the “time-tested and familiar” materiality standard and their mechanisms for Form 8-K reporting to cybersecurity developments.[14]
Importantly, if the Department of Justice determines that “a public filing would pose a substantial threat to public safety or national security,” the new rules provide for a delay in public disclosure of up to 60 days in the case of public safety or 120 days in the case of national security.[15] While it will remain to be seen how readily DOJ will make such determinations, victims of cyberattacks should engage with the Federal Bureau of Investigation directly, or through the U.S. Secret Service (USSS), Cybersecurity and Infrastructure Security Agency (CISA), or an issuer’s sector risk management agency (SRMA) as appropriate to determine whether any delay will be allowed.[16]
We will continue to monitor issuers’ responses to the new rules, as well as the SEC’s developing regulation and enforcement regarding the evolving cybersecurity landscape.
[1] J. Tabassum, Vans owner VF Corp's order fulfillment operations hit by cyber incident, Reuters, Dec. 18, 2023.
[2] Fact Sheet: Public Company Cybersecurity Disclosures; Final Rules, Secs. & Exchg. Comm’n, available at https://www.sec.gov/files/33-11216-fact-sheet.pdf.
[3] See VF Brands, available at https://www.vfc.com/brands.
[4] Fact Sheet, supra.
[5] See Tabassum, supra.
[6] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, available at https://www.sec.gov/files/rules/final/2023/33-11216.pdf (“Final Rule”).
[7] Id.
[8] Id.
[9] Div. of Corp. Fin., CF Disclosure Guidance: Topic No. 2, Secs. & Exchg. Comm’n, available at https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
[10] E. Gerding, Dir., Div. of Corp. Fin., SEC, Statement: Cybersecurity Disclosure, Dec. 14, 2023, available at https://www.sec.gov/news/statement/gerding-cybersecurity-disclosure-20231214.
[11] Id.
[12] Id.
[13] Id.
[14] Id.
[15] See Dept. of Justice, Material Cybersecurity Incident Delay Determinations, Dec. 12, 2023, available at https://www.justice.gov/media/1328226/dl?inline.
[16] FBI Guidance to Victims of Cyber Incidents on SEC Reporting Requirements: FBI Policy Notice Summary, Fed. Bur. of Investigation, Dec. 6, 2023, available at https://www.fbi.gov/investigate/cyber/fbi-guidance-to-victims-of-cyber-incidents-on-sec-reporting-requirements-fbi-policy-notice-summary.
The full FBI policy notice, Cyber Victim Requests to Delay Securities and Exchange Commission Public Disclosure Policy Notice 1297N, is available at https://www.fbi.gov/file-repository/fbi-policy-notice-120623.pdf/view.
