July 31, 2024 - Cybersecurity is at the top of everyone's mind and budget, but the legal and regulatory compliance landscape is often unclear. As a result, the following questions are usually, "What does it mean practically to be compliant, and what laws require that compliance?" "What are companies required to do?" "What best practices should a company follow even if not required?"
The SEC's Cybersecurity Guidelines ("Guidelines"), which took effect in September 2023, are a beneficial resource, even though they are not always directly applicable to private companies.
The Guidelines apply only to U.S. publicly traded companies and FPIs. An FPI is any foreign issuer other than a foreign government, except for an issuer that (1) has more than 50 percent of its outstanding voting securities held of record by U.S. residents and (2) any of the following: (i) a majority of its executive officers or directors are citizens or residents of the United States; (ii) more than 50 percent of its assets are located in the United States; or (iii) its business is principally administered in the United States. 17 CFR 230.405. See also 17 CFR 240.3b-4(c).
Under the Guidelines, companies must disclose all material cybersecurity incidents. Domestic entities must make their disclosure by filing a Form 8-K within four business days of determining the incident is material. FPIs must promptly provide the necessary disclosure on a Form 6-K after the incident is disclosed or required to be disclosed in an overseas jurisdiction.
The materiality standard is similar to that used for other Form 8-K disclosures under U.S. securities laws for all entities. That being said, would a "reasonable investor" believe that the incident would materially affect a decision to invest, considering the immediate and long-term effects on operations, finances, brand reputation, and customer relationships?
Required disclosures must include the nature, scope, and timing of the incident, along with a description of the actual or reasonably likely impact, including the effects on the company's financial condition and operations. Specifically, when was the incident discovered and is it ongoing; a brief description of the nature and scope of the incident; whether any data was stolen, altered, accessed, or used for any other unauthorized purpose; the effect on the company's operations; and whether the company has remediated or is currently remediating the incident.
Objections to cybersecurity reporting requirements
One of the first objections to these requirements is the concern that disclosure will expose a company's internal technical trade secrets or expose the network to additional attacks. However, specific technical information about the company's cybersecurity systems, networks, devices, planned response, or potential additional vulnerabilities do not need to be reported.
Second, breach notifications must be provided after a Company determines the breach is "material." However, Chief Information Security Officers (CISOs) often cite uncertainty around the meaning of "material" in the context of a data breach.
The Supreme Court offered some guidance on this standard in Basic, Inc. v. Levinson, holding the materiality requirement is satisfied when there is "a substantial likelihood that the disclosure of the omitted fact would have been viewed by the reasonable investor as having significantly altered the "total mix" of information made available.'" 485 U.S. 224, 232 (1988) (quoting TSC Industries, Inc. v. Northway, Inc., 426 U. S. 438, 449 (1976)).
More recently, the Court further clarified that no bright line rule exists. However, that materiality does not necessarily require reporting every adverse event. Instead, parties must weigh the "total mix" of events to determine what a reasonable investor would find material. Matrixx Initiatives, Inc. v. Siracusano, 563 U.S. 27, 27 (2011). Generally, doubts around materiality should be resolved in favor of protecting investors.
In the context of data breaches, it is sometimes blatantly obvious that a breach is material — unauthorized disclosure of a Company's entire dataset or a large volume of sensitive information is almost certainly material. But what if the breach relates to the information of a small number of users? Or if the breach was remediated immediately so that the risk of adverse effects to individuals is low? In any breach, making this materiality determination on a case-by-case basis and, in a way, defensible under any future review will be necessary.
Third, in almost all circumstances, more time than four days after determining a breach is material is needed to confirm the details and scope of a breach, understand its impact, and coordinate the required notifications. The timing of notice may be delayed under limited circumstances but is generally considered a firm deadline. For example, a company may delay filing notice of the incident if the United States Attorney General determines immediate disclosure would pose a substantial risk to national security or public safety.
Finally, companies are expected to provide details on board proficiency in cybersecurity. This challenges many boards as even if they have individuals with high-level expertise in the field, those directors are often not intimately involved in the organization's day-to-day activities.
Why consider the guidelines as a private company?
While the SEC Guidelines only directly apply to public companies, they may be indirectly applicable or a necessary future requirement. Because most public companies rely on many smaller third-party software and supply chain companies, and a cyberattack at any point along that chain could have a material impact on the public company, the companies down the chain — whether public or not — should also familiarize themselves with the new regulations.
Similarly, if a company intends to go public, one of the necessary hurdles will be ensuring compliance with the Guidelines.
Even if the company does not service public companies and never intends to go public, the Guidelines provide a valuable benchmark for one view of best practices for reporting. Adapting these rules to the private company's circumstances can make it more difficult for plaintiffs to successfully allege that the company acted negligently after a breach.
Private companies can also be caught under the SEC's authority while working with public companies. For example, in a recent lawsuit involving the private law firm Covington & Burling, the SEC demanded the names of clients caught up in a 2020 cyberattack on the firm. Ultimately, Covington agreed to turn over six of seven names to the regulator. The seventh continued to resist disclosure on its own.Securities and Exchange Commission v. Covington & Burling LLP, No. 1:23-mc-00002 (D.D.C. filed Jan. 10, 2023).
In another recent example, the SEC displayed its willingness to charge private companies when it brought an action against Monolith Resources, a clean energy company.
Monolith was charged with violating whistleblower protection rules as it had allegedly limited employees from "recover[ing] money damages or other individual legal or equitable relief awarded by any such governmental agency." However, employees could report wrongdoing to agencies. "SEC Charges Privately Held Monolith Resources for Using Separation Agreements that Violated Whistleblower Protection Rules," SEC Press Release, Sept. 8, 2023.
Practical next steps for cybersecurity whether or not you apply the guidelines
Faced with the SEC's watchful eye and the ever-increasing importance of cybersecurity for all companies, specific practical considerations are worth evaluation:
- Companies must proactively address cybersecurity. This begins with a knowledgeable and invested board of directors who understand cyber-risk management. The Board ideally would include a cybersecurity expert but would, at a minimum, have experts with whom it consults.
- The Board must appoint a C-suite member willing to delve into the company's cybersecurity strategy and risk management. This will include naming a Chief Information Security Officer (CISO) with experience appropriate to the industry, data used by the company, and the company's size.
- The individual responsible for cybersecurity, most often the CISO, should be covered under the Directors and Officers liability insurance.
- The Company must offer training on and must test application of all components of its cybersecurity framework.
- Cyber-resilience and cyber-threat response preparedness often require significant investment, which companies should not shy away from without reason.
- A company's security, resilience, and preparedness must be honestly assessed, often by a neutral third party, and that assessment must be routinely re-evaluated as the company, its personnel, and the threat landscape are all constantly evolving.
- Business planning, supply chain preparedness, and continuity planning are indispensable because threats must be considered expected and inevitable, not as uncertain.
- Recognizing that a company is only as protected as its weakest link, cyber policies, procedures, and practices should be extended to all related third-parties, including vendors, suppliers, parents, and working affiliates. This will often happen through contract provisions, direct obligations, indemnification provisions, or all of the above.
- Because legal requirements and best practices are continually evolving, companies must also continually test the adequacy and effectiveness of cybersecurity policies and procedures and update them to ensure compliance with all applicable regulations, laws, and best practices.
Originally published by Reuters.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.