Preparing for SEC’s New Cybersecurity Rules

Anthony Caldwell, Angela Kim, Diamond Zambrano
Snell & Wilmer
Contact
LinkedIn
Facebook
X
Send
Embed

Snell & Wilmer

Background
On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) adopted final rules relating to enhanced cybersecurity disclosures, which became effective on September 5, 2023 (the “Final Rules”). Beginning in December 2023, the Final Rules will require public companies to promptly disclose material cybersecurity incidents and information regarding their cybersecurity risk management, strategy, and governance.This alert focuses on practical preparation tools for companies facing compliance with the requirements of the Final Rules.

Preparation for the Final Rules
In light of the changes brought by the Final Rules, public companies should consider the following actions:

  • Review Existing Vendor Contracts. Companies should review protections in existing vendor contracts that address cybersecurity incidents and determine whether any contractual revisions or changes are needed to accommodate the Final Rules. Such revisions may include adding express provisions to address claims or liabilities arising from the required disclosures under new Item 1.05 of Form 8-K, which requires disclosure within four business days if a registrant experiences a “cybersecurity incident” that is determined to be material.
  • Vendor Due Diligence. For prospective vendors, companies should perform a thorough cybersecurity due diligence investigation now more than ever because required disclosures of cybersecurity incidents include unauthorized occurrences and “related unauthorized occurrences” on the company’s information systems that jeopardize the confidentiality, integrity, and/or availability of the company’s information systems or any information residing therein. Such information systems include those owned or used by the company. Hence, required disclosures extend to systems owned by third-party vendors. Companies should therefore understand each vendor’s cybersecurity framework, including risk management, strategy, and governance disclosure processes. Each vendor’s reporting process and incident response framework should be closely assessed. Furthermore, companies should determine each vendor’s cybersecurity readiness by looking for risk assessment programs and strong notification procedures.
  • Implement Contractual Commitments to Address Notification. Following a strong due diligence investigation, companies should ensure that contractual commitments and written policies are in place with vendors for prompt notification of cybersecurity incidents. For example, an effective information security addendum requires a vendor to maintain formal and documented cybersecurity policies and procedures, including prompt notification and supply of detailed, necessary information of cybersecurity. Such procedures should allow companies to efficiently evaluate and disclose cybersecurity incidents. Additionally, all vendor agreements should include contractual protections to allow companies to oversee and assess risk using their own internal processes.
  • Team Preparedness for Cyber Incidents. Historically, companies have largely tracked cyber incidents through their information security teams. Compliance with each of the Final Rules, however, will require companies to adopt coherent and consistent procedures that their board and management can comfortably follow. The Final Rules stress the importance of governance disclosures in enhancing cybersecurity risk management by requiring companies to describe their board of directors’ oversight of cybersecurity risks, as well as management’s role, under new Item 106(c) of Regulation S-K. Therefore, companies should have coherent and consistent policies and procedures in place for their board and management to effectively oversee, detect, and monitor such risks. Companies should strive to provide information that is easily accessible and sufficiently straightforward for the board to efficiently and effectively assess cyber risks and occurrences. Under new Item 106(b) of Regulation S-K, the SEC requires companies to disclose risk assessment processes that are sufficiently detailed but clear for a reasonable investor to understand. Overly technical and complicated language could deter the company’s board and management from properly tracking and reporting cyber incidents, resulting in violations and possibly even SEC enforcement actions. Additionally, companies should emphasize consistency when addressing cyber incidents, so the board and management are receiving and understanding all necessary information from different teams (including appropriately assigning responsibilities). For instance, the board and management should decide on a step-by-step process for tracking the factors considered for determining a “material” cybersecurity incident, disclosed on Form 8-K (or Form 6-K), and use and enforce that process consistently.

    To test the effectiveness of their cybersecurity framework, companies should consider management-led tabletop or simulation exercises. During such exercises, teams should enact current procedures in place to address cybersecurity incidents and internal escalation of occurrences. Such activities should allow the board and management to evaluate their risk management plans and procedures and increase efficiency in the decision-making process by mapping out clear roles and responsibilities. Team exercises should help the board and management make the necessary changes to their current disclosure procedures to conform to the new disclosure requirements under the Final Rules.

    Finally, companies should seek assistance from their chief information security officer and/or chief information officer and ensure such officers relay important information regarding cybersecurity measures to the rest of the board and management. Companies may also consider assembling internal teams and assigning different responsibilities to each team or seeking the assistance of external advisors. Inviting third-party consultants should also prove helpful for strengthening cybersecurity frameworks.

  • Consult Cyber Insurance Brokers. Companies should have annual briefings with their board on cyber insurance and allow brokers to discuss cybersecurity risks and liabilities and their financial impact on the directors and officers of the company. Cyber insurance brokers can help companies and businesses consider different cyber insurance options and find the right insurance coverage depending on the level of security required. Companies should acquire adequate coverage, taking into consideration the rigorous Final Rules.

Footnotes: 

. U.S. Securities and Exchange Commission, Release No. 33-11216, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (July 26, 2023). 
. For more information, see our prior article “SEC’s Final Rule on Cybersecurity, Risk Management, Strategy, Governance, and Incident Disclosure.”

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Snell & Wilmer | Attorney Advertising

Written by:

Snell & Wilmer
Snell & Wilmer
Contact
more
less

Snell & Wilmer on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide