“Material Cybersecurity Incident” Standard Will Have a Monumental Impact on Current Cyber Disclosure Requirements
On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) adopted the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule. If you are a public company subject to the reporting requirements and you collect or process data, this rule applies to you.
Overview of New Rule, and a Hypothetical
Because most companies that collect or process data, whether via an app or a website, regularly experience cyber incidents, the new rule will have a broad and lasting impact on current disclosure requirements. To be sure, the SEC has already brought enforcement actions against companies for failing to adequately disclose cyberattacks, but this rule attempts to harmonize disclosure requirements and gives the agency more teeth to bring enforcement actions in more nuanced situations.
The impact of the rule is best illustrated by a hypothetical. Under the former disclosure regime, if an unauthorized user accessed, for example, five rows of personal data consisting of first name, last name and email address, the company’s incident response team would evaluate the event under state and federal breach notification laws, conclude that it was not a breach under those laws (most state laws do not define a breach to encompass first and last name combined with an email address), and then turn to an analysis of any contractual disclosure obligations. As a result, the company would NOT have needed to disclose the event to the SEC.
With the new rule, the bar for reporting is much lower.
“Material Cybersecurity Incident” Borrows From Other Cases
The rule now requires reporting not just a breach, but any “material cybersecurity incident.” Cybersecurity incidents are ubiquitous. An employee sends a set of login credentials to the wrong customer—that is a cybersecurity incident. A customer provides a row of data that improperly combined the information of two separate people and now a single user can see the information for both people—that is a cybersecurity incident. A penetration tester gets past a firewall—that is a cybersecurity incident.
The operative question then becomes: What elevates a security incident to the level of a “material cybersecurity incident”?
To answer this question, the SEC has adopted the materiality standard applied in more traditional securities fraud cases and regulations, including TSC Industries, Inc. v. Northway, Inc., 426 U.S. 438, 449 (1976); Basic, Inc. v. Levinson, 485 U.S. 224, 232 (1988); and Matrixx Initiatives, Inc. v. Siracusano, 563 U.S. 27 (2011); 17 CFR 230.405 (Securities Act Rule 405); and 17 CFR 240.12b-2 (Exchange Act Rule 12b-2). Specifically, “information is material if ‘there is a substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision, or if it would have ‘significantly altered the “total mix” of information made available.’ ‘Doubts as to the critical nature’ of the relevant information should be ‘resolved in favor of those the statute is designed to protect,’ namely investors.”
If a “material cybersecurity incident” occurs, the registrant must file a Form 8-K and complete the newly added Item 1.05 that requires the disclosure of the following information:
- when the incident was discovered and whether it is ongoing;
- a brief description of the nature and scope of the incident;
- whether any data was stolen, altered, accessed or used for any other unauthorized purpose;
- the effect of the incident on the registrant’s operations; and
- whether the registrant has remediated or is currently remediating the incident.
A material cybersecurity incident must be reported within four business days of the registrant’s determination that the incident was material. The filing may be delayed if the U.S. attorney general determines that immediate disclosure would pose a substantial risk to national security or public safety. Additionally, the registrant must amend the Form 8-K to supply any information that was undetermined or unavailable at the time of the initial filing. Notably, commenters on the proposed version of the rule raised concerns about being forced to report publicly while an attack is ongoing, thereby informing the attackers that the company is aware of them, and about reporting on remediation efforts, thereby setting the company up for future attacks; the SEC did not appear to address these concerns in the final version of the rule.
The effect of this standard is that the SEC will face a low threshold in arguing that an undisclosed incident was material. Indeed, the practical reality is that if the SEC investigates a company for alleged misrepresentations or omissions connected to a cyber event, it is likely to uncover earlier related but minor events that it will argue should have been disclosed. The potential for such follow-on charges, which will lead to higher fines and penalties for companies that suffer a cyber event, will have two behavioral effects:
- Although some companies may take a wait-and-see approach, watching how other companies (especially competitors) report, the more likely result is an increased number of registrants reporting cyber “incidents.” More frequent public reporting and self-reporting will in turn invite more private Rule 10b-5 litigation and derivative actions as plaintiffs’ lawyers search and police public company filings.
- Increased indemnification costs will be passed on to cyber companies, which must protect contractual third parties that rely on them for enterprise security and IT services. This in turn will drive up enterprise risk insurance premiums and lead companies to allocate greater resources to preventing and mitigating cyber risk.
As a consequence, the potential of the new cybersecurity rule to shape corporate governance has some parallels to the SEC’s climate disclosure rules. Some critics have argued that SEC Chair Gary Gensler is not only policing disclosures but shaping the way that companies conduct their business. Even SEC Commissioners Hester Peirce and Mark Uyeda dissented, with Peirce noting, “Today’s rule . . . reads like a test run for future overly prescriptive, overly costly disclosure rules covering a never-ending list of hot topics.”
Congressional Outlook
The timing and breadth of this rule is notable. SEC Chair Gensler has already found himself in hot water in front of Congress on other proposed disclosure rules related to issues such as climate and environmental social and governance (ESG) reporting. Indeed, following a recent hearing before the House Financial Services Committee (HFSC), Chairman Patrick McHenry (R-NC) said, “There’s a massive amount of change that [Gensler] is trying to drive and it has a lot of expense in the markets and he’s given a limited amount of time for actually good comment. So we’re going to have shoddy rules that are very expensive on a market at a time where the rest of the world wants to take our capital markets. I don’t think it’s a smart agenda.”
McHenry and other elected officials have accused Chair Gensler of flouting democratic principles, such as the major questions doctrine, and of abandoning the traditional mission of the SEC, which is to maintain orderly capital markets, in favor of a “progressive” agenda. McHenry has already indicated that once Congress returns after the August recess, the HFSC will continue its focus on what the majority views as regulatory overreach at the SEC. In this vein, HFSC Republicans will continue to use their oversight tools to review far-reaching rules such as this one and the climate disclosure rule.
The SEC’s new cybersecurity rule could also become the subject of a Congressional Review Act (CRA) resolution, a procedure that gives Congress a check on regulators’ rulemaking powers. Republicans in the House and Senate have advanced CRA resolutions challenging several Biden administration rules, sometimes attracting support from moderate Democrats. However, CRA resolutions currently have no path to enactment even if they pass both chambers: President Joe Biden has vetoed and will continue to veto any resolution that reaches his desk, and lawmakers lack the two-thirds majority in each chamber needed to override a veto. Still, such resolutions send a clear message of members’ disapproval of a targeted rule.
Preparing for Implementation
The new rule becomes effective 30 days after publication in the Federal Register. Registrants other than smaller reporting companies must begin complying 90 days after the date of publication in the Federal Register or on Dec. 18, 2023, whichever is later. Smaller reporting companies must begin complying 270 days after the date of publication in the Federal Register or on June 15, 2024, whichever is later.
The rule will also require all registrants to provide annual disclosures beginning with annual reports for the fiscal year ending on or after Dec. 15, 2023. The rule requires registrants to describe their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant. The rule will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.
Because of jurisdictional bars such as standing and injury, litigation against the rule is unlikely until its requirements take effect. In the meantime, companies subject to the rule should work with outside counsel to design an incident classification process for the incident response team (“IRT”) to evaluate and address incidents. That process should also distinguish incidents from vulnerabilities; the latter should not be reported.
Those companies should also have a protocol for assessing the potential monetary impact of an incident and an “off-hours” process that routes such evaluations in a timely and responsive manner. Regardless of how the rule is implemented, these are the best practices necessary to meet the four-business-day reporting deadline.
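The following is an added example, not code from the article or from any law firm or registrant, showing how an IRT might encode the three mechanics described above in its intake tooling: separating vulnerabilities (no unauthorized activity) from incidents, flagging off-hours reports for the escalation rota, and computing the Form 8-K due date from the materiality determination. The holiday list, the on-hours window, and the convention that the day of the determination itself does not count are constructed assumptions for illustration; the actual definition of a “business day” for SEC filing purposes should be confirmed with counsel.

```python
"""Incident intake helper for a four-business-day disclosure clock.

Added example; not from the article. Holiday list, on-hours window and
the day-counting convention are assumptions, not SEC definitions.
"""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from enum import Enum
from typing import Optional

# Constructed holiday list for illustration only.
ASSUMED_HOLIDAYS = {date(2023, 12, 25), date(2024, 1, 1)}
# Assumed on-hours window; anything outside it goes to the off-hours rota.
BUSINESS_HOURS = (time(8, 0), time(18, 0))
# The rule's deadline: four business days after the materiality determination.
DISCLOSURE_WINDOW_DAYS = 4


class Kind(Enum):
    VULNERABILITY = "vulnerability"  # weakness found, no unauthorized activity
    INCIDENT = "incident"            # an unauthorized occurrence actually happened


@dataclass
class Event:
    summary: str
    reported_at: datetime
    unauthorized_activity: bool          # did something unauthorized actually occur?
    affected_records: int = 0
    materiality_determined_at: Optional[datetime] = None


def classify(event: Event) -> Kind:
    """A finding with no unauthorized activity is a vulnerability to track,
    not an incident to evaluate for Item 1.05 reporting."""
    return Kind.INCIDENT if event.unauthorized_activity else Kind.VULNERABILITY


def is_business_day(d: date, holidays=ASSUMED_HOLIDAYS) -> bool:
    return d.weekday() < 5 and d not in holidays


def add_business_days(start: date, n: int, holidays=ASSUMED_HOLIDAYS) -> date:
    """Advance n business days from start; the start day itself does not count
    (an assumed convention, see lead-in)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if is_business_day(d, holidays):
            n -= 1
    return d


def form_8k_due(determined_at: datetime) -> date:
    return add_business_days(determined_at.date(), DISCLOSURE_WINDOW_DAYS)


def needs_off_hours_escalation(reported_at: datetime) -> bool:
    """True when a report lands on a non-business day or outside on-hours,
    so the off-hours process must route it rather than waiting for the next
    working morning."""
    t = reported_at.time()
    return (not is_business_day(reported_at.date())
            or t < BUSINESS_HOURS[0] or t >= BUSINESS_HOURS[1])


def triage(event: Event) -> dict:
    """Combine the three checks into one intake record."""
    kind = classify(event)
    record = {
        "kind": kind.value,
        "escalate_off_hours": needs_off_hours_escalation(event.reported_at),
        "form_8k_due": None,
    }
    if kind is Kind.INCIDENT and event.materiality_determined_at is not None:
        record["form_8k_due"] = form_8k_due(event.materiality_determined_at).isoformat()
    return record


if __name__ == "__main__":
    # Constructed sample events: a Friday-evening report in both cases.
    finding = Event("Scanner flagged outdated TLS library; no sign of exploitation",
                    datetime(2023, 12, 22, 21, 30), unauthorized_activity=False)
    leak = Event("Login credentials emailed to the wrong customer",
                 datetime(2023, 12, 22, 21, 30), unauthorized_activity=True,
                 affected_records=1,
                 materiality_determined_at=datetime(2023, 12, 22, 23, 0))
    for e in (finding, leak):
        print(e.summary, "->", triage(e))
```

With the assumed holiday on Dec. 25, a determination made on Friday, Dec. 22, 2023 yields a due date of Friday, Dec. 29: the weekend and the holiday are skipped, and Dec. 26 through Dec. 29 are the four counted days. The point of computing this in tooling rather than by hand is that the clock starts at the materiality determination, not at discovery, so the record must capture both timestamps.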
This document is intended to provide you with general information regarding the SEC's Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule. The contents of this document are not intended to provide specific legal advice. If you have any questions about the contents of this document or if you need legal advice as to an issue, please contact the attorneys listed or your regular Brownstein Hyatt Farber Schreck, LLP attorney. This communication may be considered advertising in some jurisdictions. The information in this article is accurate as of the publication date. Because the law in this area is changing rapidly, and insights are not automatically updated, continued accuracy cannot be guaranteed.