2023-09-05
Alisa Chestler is a shareholder with the local office of Baker Donelson, serving as chair of the firm’s data protection, privacy and cybersecurity team. She concentrates her practice in privacy, security and information management issues; health information and technology; health care and managed care regulatory issues; and corporate transactions matters.
Chestler recently spoke with the Post regarding Securities and Exchange Commission rules involving cybersecurity.
What are the new SEC rules regarding reporting "material cybersecurity incidents"?
The new SEC final rules require public companies, in most cases, to report “material cybersecurity incidents,” which includes everything from malicious hacker attacks to technical issues that cause concerns for company operations. The rules are in effect as of Tuesday, Sept. 5. The SEC, in issuing the final regulations, requires registrants to disclose, in the form of an 8-K, any material cybersecurity incident within four business days after the registrant determines that the incident is material. The report must include the material aspects of the event, including the nature, scope and timing. The report must also explain the material impact or reasonably likely material impact on the registrant.
There are many different specific considerations for reporting, and companies must make a concerted effort to understand how incidents impact their financial condition and operations. For example, a two-day outage of a system may be material in certain cases and not material in other cases depending on the system, controls and business continuity operations. Additionally, the loss of significant intellectual property, asset losses and other impacts to the value of the business would also factor into the materiality analysis.
There are many important nuances to the new rules. Companies are not expected to provide technical details regarding the issue, especially in light of a malicious attack, as there are clear concerns regarding the ability of a malicious actor to pivot before important evidence can be collected. With that said, there are numerous considerations that each company will want to plan for and think through in advance. Given the very short timeline, the importance of solid planning cannot be understated.
What types of companies are affected?
First and foremost, the federal regulations focus on public companies, those registered with the Securities and Exchange Commission. However, to some degree, this will have an impact on all companies, not just those that are public companies regulated by the SEC. Public companies will need to think through and consider what contractual obligations will need to be placed upon their subcontractors and vendors to ensure that the public company can fulfill its obligations under the new rules.
By way of example, if a critical vendor is unable to provide access to a platform with the information that is needed “real time” to continue operations, the public company will want to make sure the contract obligates the vendor to provide as much information as soon as reasonably possible to assist with the reporting requirements.
The effects of the rules will be very different for different organizations. For example, some companies that may be involved in national security may have to work within a specific set of rules that apply to companies for which a notification could present national security concerns.
What is a cybersecurity event notification and why is it important for businesses to take note?
Event notification is only one part of a larger thought process with regard to incident response and cybersecurity concerns as a whole. Although much of the attention for the new rules is focused on notification of cybersecurity events, the reality is that preparing for the eventuality of an event itself must be adequately understood and addressed. Good security governance and controls should go a long way in preventing the occurrence in the first place. Too many of our clients who suffer such an event would have told you that such an event “was not possible” days before the event actually occurred.
What information must be reported?
Given the short timeframe and the potential for changing facts, companies should consider that there may be several filings and updates as the facts become clearer. Companies will want to avoid speculation, and this may be difficult given the short timeframe. To the extent known at the time of the filing, the registrant will need to provide the following information to their shareholders and the public:
• When the incident was discovered and whether it is ongoing;
• A brief description of the nature and scope of the incident;
• Whether any data was stolen, altered, accessed or used for any other unauthorized purpose;
• The effect of the incident on the company's operations; and
• Whether the company has remediated or is currently remediating the incident.
Remember, for certain events the very information reported will likely be repeated back in any shareholder litigation or other breach lawsuit. Striking the balance regarding too much and too little information will be an arduous balancing act.
What should companies do now?
First, companies need to make sure they have reviewed the law and integrated these issues into their current incident response plan. If the company doesn’t have an incident response plan, it should work with its attorneys and external experts and resources to put one in place as soon as possible. The incident response plan should be practiced no less than four times per year to ensure that the management team, IT team, legal and risk team have had a chance to consider the numerous and very different scenarios that could occur.