Balancing risk and compliance: implications of the SEC’s new cybersecurity regulations

Corporate cybersecurity is becoming a non-negotiable priority. How companies prepare for and defend themselves against cyber intrusions has profound implications for their operations, reputation, and bottom line. Companies have historically underestimated the magnitude of cybersecurity risks, and in the view of the US Security and Exchange Commission (SEC), they have consistently underreported material losses caused by cyber intrusions.

Things have changed. The SEC has just taken steps to ensure that public companies are not just aware of their cybersecurity risks but taking steps to manage them on behalf of their shareholders and promptly report what in practice will be the vast majority of incidents.

The new SEC security regulations

The SEC’s new rules are aggressive and intended to enhance accountability and transparency, require covered companies to disclose material cybersecurity incidents within four business days and mandate periodic disclosure of a company's cybersecurity risk management, strategy, and governance in annual reports. This represents a profound regulatory shift in how businesses are now required to manage their cybersecurity risks and is a testament to the growing recognition of cybersecurity as a core component of adequate corporate compliance.

The newly introduced Form 8-K Item 1.05 mandates companies disclose “material cybersecurity incidents” and “material aspects of the incident’s nature, scope, timing and impact on operations, revenues or stock price. New Regulation S-K Item 106 requires companies to provide detailed disclosures about their cybersecurity risk management, strategy, and governance. In particular, the SEC now requires companies to describe their processes for "assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant."

The SEC's move marks a significant departure from its previous regulations that did not contain similar requirements. Arguably one of the most important takeaways from these new rules is the requirement for companies to create a written record documenting their cybersecurity program. The practical impact of this requirement is to allow shareholders, the SEC, and, of course, plaintiffs' lawyers to obtain evidence reflecting a company’s commitment to managing its cybersecurity risks. It provides a foundation for holding accountable companies that fail to manage these risks properly.

Satisfying these new requirements will not be a simple task. Below are the primary challenges that we anticipate.

SEC cybersecurity rules put boards of directors on the spot

Item 106 also requires companies to "describe the board of directors' oversight of risks from cybersecurity threats and management's role and expertise in assessing and managing material risks from cybersecurity threats." Effective compliance, therefore, extends well beyond simply creating a document to submit to the SEC. It requires companies to understand that just having policies and controls in place is not sufficient to show that their boards are exercising appropriate oversight of the cybersecurity program. While such policies, controls, and governance are critical, the board must also be able to demonstrate that they have conducted an independent assessment of the current landscape, including gaps that need to be addressed, and that they are receiving information and adequately demonstrating effective oversight and governance of management’s cybersecurity programs and the associated risks.

Disclosing incidents without tipping off attackers

Equally important, the most effective regulatory filings will strike the right balance between complying with the rules and limiting any extraneous technical information that could tip off cybercriminals about existing gaps or provide them any unnecessary advantages from past lessons learned.   

The new rules effectively require directors to put in place robust written documentation as tangible proof of compliance. They also require devoting substantial additional resources to the task while using the time of internal security teams who are inundated with other legal notification requirements and stretched thin with their duties.

During a cyber breach, extremely difficult decisions will need to be made within four business days as to if, when, and what to disclose - potentially while the company is still investigating the scope of the intrusion and trying to ensure the threat actor has been totally evicted from the company’s systems. Done improperly, the required early disclosure can have unintended negative consequences, including confusion in the market and potentially providing the attacker a primer on what the company knows - and has yet to discover - about an ongoing event. In turn, the threat actor can react in harmful ways, such as modifying their TTPs and taking new measures to prevent the company from executing effective remedial measures.

How to define a material incident

Still, another vexing question in the context of these new reporting requirements is what constitutes a “material” incident. As a matter of securities law in the context of cybersecurity, there is scant guidance. Companies are left to rely on prior guidance about the definition of “materiality” in non-cyber contexts from decades ago. For example, the guidance states that an error or omission is “material” if there is a “substantial likelihood that the ... fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.” (For example, see TSC Industries v. Northway, Inc. 426 U.S. 438, 449 [1976].)

The uncertainty of the precise meaning of “materiality” in the context of cyber events suggests that the SEC will be looking to initiate enforcement actions under the rule claiming companies “failed” to properly and timely disclose and that the plaintiffs’ bar will similarly be looking for targets for civil litigation in the wake of cyber incidents.

Balancing compliance against protecting sensitive information

Guaranteeing that sensitive information is protected while ensuring companies demonstrate compliance requires the striking of a delicate balance. Consideration of how and when the attorney-client privilege - both the one that belongs to corporate communications and one that can be exclusive to the board - comes into play when conducting internal policy and reporting reviews, preparing draft reports that identify gaps and suggestions for closing them, determining what external vendors to use and communications with them, and related aspects of cyber readiness. These issues are heightened in the context of responding to an actual intrusion where the company’s internal and external legal function, CISO, and forensic vendors play a critical role, especially in the first several hours and days following discovery.

Review of cyber compliance tools and services

Recognizing the complex challenges presented, companies and their boards should consider and deploy enhanced tools and services to demonstrate that they are meeting their cybersecurity obligations. Cyber compliance tools and services must be designed with customization in mind. The goal is not simply meeting new regulatory requirements but enhancing overall security posture.

For example, tabletop exercises are simulated scenarios designed to evaluate a company’s response to potential cybersecurity incidents and identify potential regulatory and legal gaps in its security posture. These exercises are customized for each company involving relevant stakeholders, including board members, HR, business, legal, IT, risk, compliance, and operations teams. Crucially, these exercises are conducted by independent third parties and offer tangible evidence of compliance with cybersecurity regulatory obligations.

The new SEC rules signal a shift in corporate cybersecurity management. These rules, although challenging, offer an opportunity for companies to exhibit their commitment to managing these risks. With the right tools, services, and advice, businesses can not only comply with these new rules but also bolster their overall cybersecurity posture, thereby protecting their operations, reputation, and bottom line.

With contributions from Jennifer Deutsch, Director of Privacy Services at Law & Forensics, LLC, is a renowned privacy professional and licensed attorney focused on ensuring data security and privacy standards.

This content is intended for general informational purposes only and should not be construed as legal advice. If you require legal or professional advice, please contact an attorney.