On the Horizon: Finalized SEC Cyber Rules for Public Companies Expected in April
On March 9, 2022, the Securities and Exchange Commission (“SEC”) issued proposed rule amendments that would mandate certain cybersecurity disclosures for public companies (“Proposed Rules”). While the comment period for the Proposed Rules originally closed on May 9, 2022, later that year on October 7, 2022, the comment period was reopened until November 1, 2022. Now, based on the Office of Management and Budget’s Office of Information and Regulatory Affairs website, finalized rule amendments (“Final Rules”) are expected as early as April 2023.
We discussed the Proposed Rules in greater depth in our past coverage, but as a summary, the Proposed Rules would require that registrants:
- Determine the materiality of a cybersecurity incident “as soon as reasonably practicable after discovery of the incident” and then, if material, disclose information about the incident on Form 8-K within four business days of the materiality determination;
- In Forms 10-K and 10-Q, include updated disclosures on previously disclosed incidents; and
- Disclose certain aspects of their cybersecurity risk oversight policies and procedures.
Comment Letters Reflect Different Visions for Federal Regulation of Cybersecurity
Comment letters on the Proposed Rules reveal different visions for how the federal government will regulate cybersecurity and balance the benefits and risks of disclosure. If adopted, the Proposed Rules would require disclosure of a breach on a faster timeline than other data breach laws and regulations, which often permit delays in disclosure when an incident is under law enforcement investigation. Since disclosure under the Proposed Rules would be public, the Proposed Rules would render irrelevant the disclosure delay options contained in other data breach disclosure laws and regulations. Some commentators have criticized the Proposed Rules with respect to this point.
For example, Senator Rob Portman submitted a comment letter criticizing the Proposed Rules for their differences with the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). In Senator Portman’s view, to align with CIRCIA, the SEC’s Proposed Rules should include an exception to disclosure obligations for ongoing law enforcement investigations. This same concern over the role of the SEC in cyber regulation was expressed by SEC Commissioner Hester M. Peirce, who, in her dissenting statement on the issuance of the Proposed Rules, argued that the Proposed Rules “flirt with casting [the SEC] as the nation’s cybersecurity command center, a role Congress did not give us.”
In addition to the concerns over the role of the SEC in regulating cybersecurity, there are fears that disclosing details of a cybersecurity incident may increase risks to the disclosing company. Since filings with the SEC are public, disclosures about an incident or a company’s cybersecurity policies would be accessible to hackers. The SEC itself acknowledges that giving hackers this additional information “could potentially increase the vulnerability of registrants, imposing a cost on them and their investors.” Beyond this concern, industry groups have criticized the four-business-day reporting requirement and advocated giving smaller entities additional time to comply with the requirements if implemented.
Despite these concerns, some commentators have expressed their support for the Proposed Rules, including a bipartisan group of seven U.S. Senators. In their comment letter advocating for the adoption of the Proposed Rules, the seven U.S. Senators praised the increased visibility into a company’s prioritization of cybersecurity measures and the prompt notice requirement of cybersecurity incidents.
New Notice of Proposed Rulemaking
While the SEC has not yet released Final Rules governing the cybersecurity disclosures of public companies, on March 15, 2023, the SEC issued three notices of proposed rulemaking addressing minimum cybersecurity requirements of various entities subject to the SEC’s regulation apart from its regulation of public companies:
- The Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information Release would extend the scope of the Safeguards Rule (Regulation S-P, rule 248.30(a)), as well as require brokers, dealers, investment companies and investment advisors to adopt written policies and procedures for incident response to unauthorized access of customer information;
- The Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents Release would amend existing recordkeeping rules to require these regulated entities to adopt certain cybersecurity risk management policies and procedures and immediately notify the SEC of significant cybersecurity incidents; and
- The Regulation System Compliance and Integrity Release would expand the definition of a Systems Compliance and Integrity entity to include a broader range of market participants, as well as amend provisions relating to cybersecurity and vendor management.
Steps Public Companies Can Take to Prepare
To prepare for the anticipated Final Rules, public companies should review their current information security preparedness and consider adopting a widely used cybersecurity standard, such as ISO 27001 or the NIST Cybersecurity Framework (CSF). Companies should also review their cybersecurity and information technology policies, including information security policies, incident response plans, disaster recovery plans, and business continuity plans. In light of the Proposed Rules, public companies should ensure that they have procedures in place to accurately convey the details of an incident from the team conducting the investigation to the team responsible for making public disclosures related to the incident. If internal teams do not communicate effectively, the SEC could take action for a company’s failure to update its public disclosures to address a data breach or other cybersecurity incident in a timely manner.
Once policies and plans are in place, testing is key. Companies should consider undergoing an audit of their implementation of a cybersecurity standard. Additionally, penetration tests and other external cyber risk assessments of a company’s systems may help to identify vulnerabilities and close gaps in cybersecurity preparedness.
When experiencing a material cybersecurity incident, public companies should have disclosure controls in place to ensure that material information about the incident is shared in real time with the executives responsible for the company’s SEC disclosures. Companies should be prepared to disclose:
- When the incident was discovered and whether it is ongoing;
- A brief description of the nature and scope of the incident;
- Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
- The effect of the incident on the registrant’s operations; and
- Whether the registrant has remediated or is currently remediating the incident.
Cybersecurity attack simulations involving multiple stakeholders may help a company prepare for a future cybersecurity incident and the associated disclosures. Effective cybersecurity risk management depends on employees from different departments collaborating across a business. Information security, accounting, and legal professionals may all be involved in the incident response and disclosure process.
V&E assists clients in identifying, managing, and mitigating data privacy and cybersecurity risks, from early planning and assessment to managing incident response and resulting litigation.
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.