On March 9, the U.S. Securities and Exchange Commission (SEC) announced a new set of proposed rules for cybersecurity risk management, strategy and incident disclosure for public companies. One intent of the rule changes is to provide “consistent, comparable and decision-useful” information to investors. Not yet adopted, these new rules – published in the Federal Register on March 23 – could change reporting requirements. Take a look at some of the big-ticket items and what your organization needs to know.
The proposed rules will be open for public comment until May 9.
Know the Terminology
The proposed rules would require a public company to make a Form 8-K disclosure of a “material cybersecurity incident” within four days. A Form 8-K is a notification to shareholders of specific events. If an organization needs to file a Form 8-K but does not, the consequences could be severe, including delisting. Other types of forms would be subject to more amendments (Forms 6-K, 10-Q, 10-K) as part of the proposed rule changes. Therefore, do not gloss over the definitions, because they outline scope and reporting rules. The wording is very specific.
- Cybersecurity Incident: an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein (footnote 48 of the proposed changes).
- Information Systems: information resources owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of a registrant’s information to maintain or support the registrant’s operations (also footnote 48).
Responsible and affected parties should review the section titled “Examples of Cybersecurity Incidents That May Require Disclosure Pursuant to Proposed Item 1.05 of Form 8–K.” That will help you get a better sense of the scope. As you’ll see, the scope is in fact quite wide. Therefore, not only will publicly traded organizations be on the clock to report (as we shall discuss in a moment), but the wide scope could pose a resource challenge for some.
Four Days to Report
Perhaps one of the greatest pressures an organization will face is the four days to report. In the past, an organization may have been able to buy some time during the internal or external investigation phase. Instead, this pretty much puts a lid on any potential time-buying during that phase. The SEC concedes that delay in reporting may facilitate law enforcement investigations. It also says that “on the balance” timely disclosure of incidents cannot justify delayed information to investors.
So many events fall within the defined scope of “cybersecurity incidents”. Will filing a Form 8-K become a daily task? The key is “materiality”, and, sadly, there is a bit of a grey zone.
Materiality Over Discovery
If you are an IT or cybersecurity worker, you might be wondering whether the lawyers should be the ones reading this. We would completely forgive you. However, you will also have a role to play. The emphasis on “materiality” over “discovery” makes perfect sense. So many cyber-related attacks happen today. A security operations center could discover an “incident” multiple times a day. “Materiality” is the difference, but its meaning is not clear.
Within Section II.B.1., there are some guidelines that rely heavily on securities case law. However, no clear and bright borders are made. For example, we see phrases such as “there is a substantial likelihood that a reasonable shareholder would consider it important” or “particularly in view of the prophylactic purpose.” Another says “thoroughly and objectively evaluate the total mix of information, taking into consideration all relevant facts and circumstances surrounding the cybersecurity incident, including both quantitative and qualitative factors.” You will also find a whole bunch of footnotes and citations to case law.
The proposed rule changes even state that “materiality” could come at discovery, but in other instances, well after discovery. It is the “materiality” aspect that starts the clock on the four-day turnaround to report. This can get really wild if your artificial intelligence security solution makes the call one way and the human overrides it!
What Makes Materiality Important?
These rules will impact public companies, private equity firms and investment houses if they go into effect. That’s the case even if they are not impacted by the material incident directly. Here is why: investment decisions are impacted. Will a private equity firm change its trading portfolio position based on this reporting? It very well could. Many investors base their decisions on Form 8-K disclosures.
For private equity firms, what happens if an incident impacts one of their investments? That could impact its own reporting. This can get tricky if the portfolio is wide, diverse and lacks any common criteria for business impacts. In the end, all of those things could inform the decision.
Knowing what matters to your organization is both art and science. You will need some multi-stakeholder input. As we discussed in the organizational resilience series, you need to keep an eye on thresholds, impact matrices and escalation triggers included in your business continuity, disaster recovery and crisis management processes. We noted how important it is to ensure the technology owners and business owners are working together to determine criticality and recovery strategies. Well, time to leverage that work and add one more stakeholder: legal counsel (including your external counsel).
Working together, these parties can come together and make reasonable determinations on what a future “material cybersecurity incident” looks like. In doing so, the spirit of the proposed rule changes will likely be met, or at least be defendable. If you are a leader of a publicly traded company, remember, if something goes afoul, after the SEC is done with you, there may be a congressional hearing in your future. If your organization makes a conscious decision to not deem a cybersecurity incident a material one (and therefore not report it), you are going to have to be able to defend that position. Using your criticality matrices – if well-crafted with appropriate stakeholder input – may minimize the pain. And that gives you the chance to win back some of your lost investor confidence.