Key Takeaways
- Since 2022, the U.S. Securities and Exchange Commission (SEC) has proposed several cybersecurity rules applicable to numerous regulated entities that, if adopted, would impose quick notification obligations and heightened disclosure requirements.
- Amid significant pushback during the public comment period, the SEC announced it would delay issuance of these rules, which are now expected to be finalized in October 2023 and April 2024.
- Because cybersecurity risks will continue to evolve more rapidly than the SEC’s public rulemaking process, public companies, investment advisers, broker-dealers, and other entities that may be impacted by these rules should not wait to address these risks, even in the face of regulatory uncertainty.
- After all, the SEC has already brought enforcement actions relating to cybersecurity incidents even though these proposed rules have not been finalized, and existing SEC and other regulatory frameworks already require baseline disclosure, notification, and safeguarding measures that the proposed SEC rules seek to enhance.
The SEC’s Cybersecurity Proposals
The SEC has proposed four rules designed to address cybersecurity risk and management, including incident reporting by public companies.
Final Rules Anticipated in October 2023:
Final Rules Anticipated in April 2024:
On June 19, 2023, the SEC published notice of a Sunshine Act Meeting scheduled for July 26, 2023, wherein it will consider adoption of rules to enhance and standardize disclosures related to cybersecurity risk management, strategy, governance, and incidents by public companies subject to reporting requirements of the Securities Exchange Act of 1934.
A. Public Company Proposals
Of the rule proposals, the Proposed Public Co. Rule, released in March 2022, received the loudest response from industry participants, given the wide net the SEC seeks to cast and the level of detail it seeks in required disclosures. Namely, the Proposed Public Co. Rule includes new reporting and disclosure requirements, with new current reporting requirements for disclosing material cybersecurity incidents on Form 8-K and new periodic disclosure requirements for updating previously disclosed incidents and describing management and board oversight of cybersecurity risks. In announcing the proposed rule, SEC Chair Gary Gensler claimed that if adopted, the Proposed Public Co. Rule “would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.” It is not clear, however, whether investors are actually asking for this.
The Proposed Public Co. Rule contains provisions concerning three specific areas:
- Incident disclosure: The SEC proposed disclosure within four business days of identification of a material cybersecurity incident under Form 8-K, and disclosure of material changes or updates to prior disclosures under Forms 10-Q and 10-K pursuant to new Item 106(d) of Regulation S-K and Item 16J(d) of Form 20-F.
- Risk management: The SEC proposes disclosure of management’s role in implementing cybersecurity policies and procedures, including risk management and strategy, pursuant to new Item 106 of Regulation S-K and new Item 16J of Form 20-F. These rules would also require disclosure of board oversight, including how cybersecurity risks are factored into company strategy, financial planning, and capital allocation. Moreover, the SEC proposes required disclosure of whether the company has a chief information security officer (CISO) as well as policies and procedures targeted at identifying and managing cyber risk.
- Cybersecurity expertise: The SEC proposes disclosure of board members who possess cybersecurity expertise in assessing and managing cybersecurity risk pursuant to amended Item 407 of Regulation S-K and Form 20-F.
The most commented-on aspect of these proposed requirements relates to the rapid time frame for reporting material[1] incidents, without any exception for ongoing investigations. Specifically, the proposed regulation would require the reporting of a cybersecurity incident within four business days of a materiality determination, which many critics of the proposal found could pose significant constraints on investigations conducted internally or in connection with other government agencies. In fact, it has been reported that the FBI has concerns about the four-business-day disclosure requirement because the short window could require public companies to disclose incidents even where law enforcement has an active case underway.
Comments received on the proposed rule also raised that the four-business-day time frame could interfere with a company’s ability to remediate the cybersecurity incident, as its resources would be split between understanding the nature and scope of the breach and its reporting obligations to the SEC. Additionally, certain covered entities noted their concern that mandatory disclosure could further embolden a hostile actor to use different tactics to more effectively mask cyber intrusions and/or destroy certain indicators of compromise. There are certainly scenarios—though probably less common than comment letters suggest—where a public disclosure could jeopardize the efficacy of a company’s containment plan or interfere with a law enforcement investigation. So, it would make sense for the SEC to build in an exception to accommodate those scenarios (similar to how state breach notification laws do). And, although a lot of attention was paid to the four-business-day disclosure obligation, it is essentially what companies have already been operating under (based on general materiality determination scenarios).
B. Investment Adviser, Investment Company, and Broker-Dealer Proposals
The SEC has also proposed rules that will impact broker-dealers, registered investment advisers, and investment companies. First, proposed rules under the Investment Advisers Act and Investment Company Act would require investment advisers and investment companies to adopt written cybersecurity policies and disclose “significant” cybersecurity incidents to the SEC on behalf of a fund or a private fund client. Second, proposed amendments to Regulation S-P would require covered entities to adopt written response plans and notify customers of specific types of cybersecurity incidents.
1. Investment Advisers and Investment Companies
The Proposed IA Rule, which applies to investment advisers and investment companies, includes even shorter incident reporting timelines than the aforementioned Proposed Public Co. Rule. Specifically, this proposal would require the submission of a new Form ADV-C within 48 hours after there is a reasonable basis to conclude that a significant incident occurred. But unlike the reporting requirement under the Proposed Public Co. Rule, this disclosure would be confidential. While the SEC notes that these reports would allow it to “assess the potential systemic risks affecting financial markets more broadly,” industry participants have lamented the need to balance these new disclosure requirements with resolving cybersecurity incidents, including diverting money and resources from incident response to completing regulatory filings (perhaps with incomplete information).
Additionally, investment advisers and investment companies would be required to implement and review written policies and procedures; engage in periodic risk assessments, security monitoring, and vulnerability management; conduct incident response planning; and execute security training. Fund advisers would also be required to disclose cybersecurity risks and incidents on registration forms and Form ADV, which could perhaps cut against or conflict with the confidential disclosure requirements of a cyber incident.
2. Broker-Dealers
The proposed amendments to Regulation S-P, which would impose requirements on broker-dealers, funds, and advisers (what the SEC refers to here as “covered institutions”), would institute written policies and procedures for an incident response program, including requiring covered institutions to provide timely notification to affected individuals whose sensitive customer information was accessed or used without authorization.
This proposal specifically focuses on the customer notification requirement, which must be made as soon as practicable but no later than 30 days after the covered institution becomes aware of the incident. To the extent, however, that the covered institution determines that the sensitive customer information was not actually or reasonably likely to be used in a manner that would result in harm or inconvenience, notice is not required.
Additionally, the proposal would require covered entities to adopt incident response programs as part of their written policies and procedures under the safeguards rule. These programs must be “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information . . . and contain and control such incidents.”
Analysis and Recommendations
Although finalization of these rules and the form in which they will take shape are uncertain, there are a number of preparatory steps covered entities can take now. This is particularly crucial given the SEC’s long line of enforcement actions against regulated entities for safeguarding and identity theft violations and against public companies for disclosure and control violations relating to cyberattacks. Significantly, in June 2023, software developer SolarWinds disclosed that current and former executives, including its chief financial officer and CISO, were informed of the SEC’s intention to bring an enforcement action arising from a 2020 cyberattack on the company. With this, the SEC has made clear that even without these proposed rules, it still has sufficient enforcement mechanisms to police purported lapses in disclosures related to cybersecurity.
A. Incident Response
SEC enforcement actions to date against public companies related to security incidents have primarily focused on companies that lacked sufficient internal controls and procedures to ensure that incidents were escalated to the right people at the right times, so that public reporting obligations could be met meaningfully and accurately. Companies can use the incident classification rubric in their incident response plan (e.g., categorizing incidents as low, medium, high, or critical) to build internal protocols designed to ensure the internal disclosure committee is made aware of incidents that have the potential to affect disclosures. Companies can then test these procedures in incident response tabletop exercises and brief executive teams and boards on the exercises and protocols to ensure alignment and enable appropriate oversight.
B. Risk Management and Strategy
Most regulators have coalesced around the belief that an effective security program should be built by conducting a risk assessment. The risk management and strategy disclosure obligations align with that belief by requiring disclosure of how the company uses a risk assessment strategy to build its security program. Aside from asserting that these disclosures would give threat actors a roadmap for attacking the company, few commenters focused on the challenges of providing accurate and meaningful disclosures about a security program. This is completely different from Item 1A forward-looking risk factor disclosures. Finding the right balance in these disclosures may be the most impactful and challenging obligation under the proposed rules.
C. Governance and Oversight
Similarly, regardless of what form the final version of the proposed SEC rules takes regarding board and senior management oversight and cybersecurity expertise, the idea that boards and senior management need to play an active role in overseeing enterprise cybersecurity programs is neither novel nor controversial. Even without a related disclosure obligation, it would be hard to argue that boards and senior management should not consider and formalize processes for how they should perform such oversight (e.g., through committees) and how cybersecurity issues should be communicated to them and by whom. While some organizations may find that acquiring cybersecurity expertise at the board and senior management levels may be difficult to achieve in practice, it would be hard to argue that having such expertise would not enhance their ability to provide oversight of the security program.
BakerHostetler’s White Collar, Investigations, and Securities Enforcement and Litigation team and its Digital Assets and Data Management, Investment Funds, and Financial Services teams comprise dozens of experienced individuals, including attorneys who have served in the Department of Justice and at the SEC. Our attorneys also possess extensive regulatory compliance, incident response, and information security experience (including as CISOs for various types of businesses) and can help public companies, investment advisers, and broker-dealers understand what this alert means for their business. If you have any questions about this alert, please feel free to contact any one of our experienced professionals.
[1] The SEC noted that the definition of “material” would be consistent with existing case law; namely, if there is a substantial likelihood that a reasonable shareholder would consider the information important in making investment decisions, or if the information significantly alters the “total mix” of information made available to investors, the SEC would deem the information material.