SEC's Newly Approved Cybersecurity Rule Necessitates Rapid Incident Disclosure from Public Companies

Public companies face a race against the clock to implement policies and practices to comply with the Securities and Exchange Commission's (SEC) recently approved cybersecurity incident disclosure rule. The 186-page final rule, passed last week, seeks to provide investors with faster access to crucial information about material cybersecurity incidents.

The new rule builds upon previous guidance issued by the SEC in 2011 and 2018, aiming to address the inconsistent disclosure practices observed across companies. A fact sheet released by the agency stated that while risk reporting and management have improved over time, there remains a lack of uniformity in disclosure practices, which the new rule intends to rectify.

Under the updated regulation, companies impacted by a cybersecurity incident must swiftly assess its materiality. If deemed material, the company is obliged to publicly disclose the incident's nature, scope, timing, and impact.

Furthermore, public companies must submit an annual report to the SEC detailing their policies and practices for identifying and addressing cyber risks. This report should outline the roles of management and the board in the cybersecurity process and provide an assessment of the potential material impact of cybersecurity risks on the company, as well as any material risks that have resulted from past cyber incidents.

The rule will become effective 30 days after its publication in the Federal Register. While incident disclosure requirements for large companies and foreign issuers may take effect as early as December, smaller reporting companies will be given an additional 180 days to comply. The obligation for annual reporting disclosures will commence with reports for fiscal years ending on or after December 15, 2023.

Shardul Desai, an attorney specializing in cybersecurity, data privacy, and white-collar defense and government investigations at law firm Holland & Knight, foresees challenges for companies grappling with cyber threats. He points out that during the incident containment and mitigation process, companies must also determine the materiality of the incident, making it a daunting task.

The SEC has explicitly stated that companies should make this materiality determination "without unreasonable delay following discovery." However, Desai notes that the agency expects companies to reach a decision about materiality within a week, indicating some flexibility.

Desai further explains that if a cybersecurity incident is deemed material, a countdown of four days begins for the company to draft an 8-K filing and ensure accurate information dissemination.

"The difficulty is, when did you get to that point? The rule invites a lot of second-guessing from the SEC," Desai says, alluding to potential scrutiny of whether companies disclosed the incident quickly enough or perhaps too hastily before obtaining sufficient and accurate information to make an informed materiality decision.

Desai advises companies to proactively develop internal policies and procedures for materiality determination, including defining responsible personnel and reporting protocols. He also emphasizes conducting due diligence with third-party vendors concerning cyber risks to facilitate efficient information access in the event of an incident.

In contrast, Dominique Shelton Leipzig, a partner at law firm Mayer Brown, views the new rule as an opportunity for companies and boards to demonstrate their cyber prevention programs to investors. Starting in December, companies will submit information about their cybersecurity programs to the SEC, allowing investors to compare different cyber policies and practices to assess a company's preparedness.

Leipzig suggests that boards should prioritize their understanding of cybersecurity policies, privacy rights, and artificial intelligence, given the increasing demand for board accountability. She advises boards to question how they receive information about their company's cybersecurity policies and practices and their fiduciary aspects.

"This can be critical information for boards to have to avoid problems," Leipzig says, highlighting the importance of informed decision-making at the board level.

With ample time for preparation, both companies and boards have the opportunity to elevate their cybersecurity policies and procedures. Companies must act diligently to comply with the new requirements and ensure transparent and efficient incident disclosures for the benefit of investors and stakeholders alike.

By fLEXI tEAM