On July 26, 2023, the Securities and Exchange Commission (“SEC”) approved, on a 3-2 vote, final Rules entitled Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (the “Rules”). The Rules require certain cybersecurity incident disclosures on Form 8-K, generally within four business days after the determination that a cybersecurity incident is material. The Rules also address periodic disclosure of cybersecurity risk management practices, strategies, and governance. The Rules go into effect in December 2023; the exact date depends on the day the final Rules are published in the Federal Register.
My perspective on the Rules is somewhat unique. I am a Cravath-trained securities lawyer who was also trained as a cybersecurity lawyer by one of the top defensive cybersecurity groups in the world – the Bank of America Global Information Security group. Ever since the Rules were proposed, I have been thinking about how public companies would comply with the final Rules. This will be harder than almost everyone suspects, for a key reason – the language of securities lawyers is fundamentally different from the language of cybersecurity professionals. Moreover, cyber forensic investigators speak a third language that is precise but may not be well understood by people outside of the forensics community.
The primary focus of this article is steps a company should take to make required disclosures without running afoul of the Securities Exchange Act. Section 240.10b-5 (commonly referred to as “Rule 10b-5”) prohibits fraudulent or deceptive acts or omissions in connection with securities. Relevant for our purposes here, Rule 10b-5 states that it is unlawful “[t]o make any untrue statement of a material fact or to omit to state a material fact necessary in order to make the statements made, in the light of the circumstances under which they were made, not misleading.” Disclosures concerning the precise facts known, or unknown, about an incident at any given time, as well as clear and materially accurate representations of a company’s cybersecurity practices will become paramount under these new SEC Rules.
There are six things that a public company can do now to prepare for and implement the Rules in a structured manner and reduce the risk of non-compliance.
1. Add a lawyer cross-trained on cybersecurity and securities disclosure to the internal and external incident response and risk management teams.
Incidents move very quickly and evolve rapidly. What a company believes happened at the beginning of the incident is likely to be incorrect, or at the very least, imperfect. Incident response lawyers primarily focus on privacy breach notification requirements and the legal issues associated with ransom payments.
Forensic investigators will tell you what they observe based upon available logs, but they should not be speculating on what may have occurred – that is not their function, except in limited circumstances. Someone who speaks both the language of securities disclosure and the language of cybersecurity incident response is necessary for interpreting the known or suspected factual findings to make timely – and perhaps most importantly, accurate – disclosures. This lawyer should also be added to the cybersecurity risk management teams, including those that oversee cybersecurity assessments and internal policies and procedures.
2. Draft incident disclosure language to cover the most prevalent and anticipated incidents.
During a major incident, there will be tremendous confusion. If a company has not considered the disclosures necessary in a Form 8-K long before the incident occurs, the teams that are addressing the incident may be pulled into a complicated securities disclosure drafting process.
Issues such as the potential loss of customers and large contracts, disruption to operations caused by the attack or by remediation efforts, changes to controls necessary to protect against existing control failures in the future, lawsuits, and regulatory actions will all have to be considered. It is far better to work through in advance what the company will say about the major types of incidents likely to occur (e.g., ransomware, network penetration with lateral movement and privilege escalation, data exfiltration, DDoS attack, and other business interruption). The draft disclosures will then need to be revised based on the facts as they are observed and reported by the forensic investigators.
3. Appoint a technical person as a securities incident and risk management disclosure technical adviser.
This person should be separate from the main incident response team, which will be focused on the investigation and remediation of the incident. The technical person needs to be cross-trained on securities law, so that they are able to help interpret the forensic investigator's report for the securities disclosure team, as well as play a similar role in drafting the cyber risk management and governance disclosures.
4. Use FIPS 199 to develop a materiality analysis.
FIPS 199 is a technical document produced by the National Institute of Standards and Technology (“NIST”). It sets out cybersecurity standards that federal agencies, including the SEC, are required to follow. Although FIPS 199 generally does not apply to commercial entities, it contains the definitions from Federal law of “Confidentiality,” “Integrity,” and “Availability,” plus definitions for the impact levels “Low,” “Moderate,” and “High.” FIPS 199 provides a structured way to interpret the potential risks, which in turn provides a defensible position on key portions of the materiality analysis.
5. Include a communications team in the incident response plan.
Bringing on a communications team after an incident has been determined to be material is likely too late. During an incident, disclosures may need to be made to multiple parties, including customers, third parties, regulators, affected individuals, and potentially the public. Coordination of these communications becomes particularly important now that specified public disclosures are required under the Rules. Ensuring securities law compliance in all communications is of particular importance during a major incident.
6. Review third-party agreements immediately.
Many third-party agreements, especially those with large service providers (such as cloud providers, banks, SaaS providers, and other providers with significant market power), do not contain robust incident reporting language that would allow customers to easily make materiality determinations about cybersecurity incidents that take place in the provider's systems. The SEC did not require particular contract language that registrants must use with third parties. Some providers may have contract language that supports notifications, but it is not currently clear how the SEC and plaintiffs' attorneys will view differences in the timing and content of public notifications related to large-scale incidents at service providers, where some customer companies file 8-Ks and others do not. Companies may also choose to use FIPS 199 to internally categorize the risks from service providers to help focus the analysis of contracts. In addition to contractual provisions, companies may establish monitoring of news and social media reports of cybersecurity incidents at service providers categorized with a potential “High” impact.
The SEC is requiring companies to file disclosures relating to cybersecurity. A key risk is that the disclosures will contain material misstatements or fail to disclose material information. The gap in language and understanding between the securities reporting teams and the cybersecurity teams is so large that cross training and a highly structured approach to communication and interpretation are necessary for public company risk management in cybersecurity disclosure.