
Here’s what you need to know as the SEC’s new data breach notification regulations go into effect.

Beginning Monday, December 18, publicly traded corporations in the United States must follow a new set of guidelines requiring them to report “material” cyber events within 96 hours. The policy is a substantial change for enterprises, with many claiming that the new requirements expose them to additional risk and that four days is insufficient time to confirm a breach, evaluate its consequences, and organize notifications.

Regardless, companies that fail to comply—whether a newly-listed firm or one that has been publicly traded for decades—may face severe penalties from the Securities and Exchange Commission (SEC).

What are companies required to report?
Firms must notify the SEC of cybersecurity events, such as data breaches, within four business days under a designated line item on a Form 8-K report, according to the new cybersecurity disclosure rules that the SEC first authorized in July. The guidelines, according to the SEC, are meant to boost visibility into cybersecurity governance and enable disclosure in a more “consistent, comparable, and decision-useful way” that would benefit both investors and firms.

“Whether a company loses a factory in a fire or millions of files in a cybersecurity incident, it may be material to investors,” said SEC Chair Gary Gensler at the time.

Breached businesses must detail the incident’s nature, breadth, date, and substantial effect, including financial and operational implications, in an 8-K form. Notably, the rule does not compel businesses to divulge any information “regarding the incident’s remediation status, whether it is ongoing, and whether data were compromised,” since doing so might jeopardize current recovery attempts.

“This means that companies must have the proper controls and procedures in place to ensure that a materiality determination can be made once a cybersecurity incident is detected,” says Jane Norberg, a partner in Arnold & Porter’s Securities Enforcement Defense practice in Washington, D.C. “Practically speaking, companies will also want to consider having the incident response team in the procedural chain when making materiality determinations.”

“The rule also includes breaches of the registrant’s information that may be residing on a third-party system,” Norberg stated. This implies that a corporation will have to collect and evaluate information as well as make materiality assessments based on breaches of third-party systems.

Smaller firms, defined by the SEC as having a public float of less than $250 million or annual sales of less than $100 million, will be granted a 180-day delay before filing their Form 8-K declaring an occurrence.

Larger corporations may also be allowed to delay beyond the four-day limit, a provision inserted after businesses warned that prematurely disclosing a cybersecurity vulnerability or event may impair ongoing law enforcement investigations. According to the SEC, the disclosure might be postponed if the US attorney general finds that informing shareholders about the event “would pose a substantial risk to national security or public safety.”

The FBI will be in charge of collecting delay request paperwork and forwarding valid ones to the Department of Justice.

In addition to the SEC’s new data breach disclosure rules, the regulator has added a new line item to Regulation S-K called Item 106, which will be included on a company’s annual Form 10-K filing. Businesses must disclose their method “for assessing, identifying, and managing material risks from cybersecurity threats.” Companies must also reveal their management’s capacity to evaluate and handle major cyber risks.

What are the ramifications of noncompliance by businesses?
According to the SEC, if a business subject to SEC jurisdiction fails to comply with the new cybersecurity disclosure regulations, it may face a variety of repercussions.

“The SEC has the authority to enforce compliance and may take action against organizations that fail to follow the rules.” Financial fines, legal obligations, brand harm, loss of investor trust, and regulatory scrutiny are some of the possible repercussions, according to Safi Raza, senior director of cybersecurity at Fusion Risk Management. “The SEC is unwavering in its commitment to protect investors, making it clear that enforcement measures will be implemented to ensure transparency and accountability.”

The SEC’s recent action against SolarWinds and its chief information security officer (CISO) suggests that the regulator’s response might be much more severe.

“In that case, the SEC is seeking civil monetary penalties, disgorgement, and to permanently bar the CISO from serving as an officer or director of a public company based on alleged material misstatements and failure to maintain proper disclosure and accounting controls in connection with the SolarWinds cyberattack,” Norberg said in a statement.

This contentious case is comparable to that of former Uber CSO Joe Sullivan, who was found guilty in 2022 on charges of impeding an official process and misprision of a crime—a failure-to-report-wrongdoing misdemeanor—connected to a 2014 hack of Uber’s systems.

Sullivan recently told Eltrys that he applauded the SEC’s data breach reporting standards, stating, “We can nitpick the details all we want, but this is the right way to do it.” “I seem to be the person who’s criticizing the SEC less than everyone else, because I think we should praise them for trying to make rules.”

Is there any pushback?
Yes, unsurprisingly.

Some corporations have raised concerns about the four-day deadline for determining whether an occurrence is material and reporting it to the SEC. Until now, many institutions took months to reveal a breach and only did so after conducting an investigation.

“The real challenge for companies is to stay informed and on top of all the changing laws and requirements related to cybersecurity hygiene and breaches, and to put in place the proper controls, processes, and procedures to reduce risk in this ever-evolving landscape,” Norberg added.

Some firms have also expressed concerns about the SEC’s definition of “material incidents,” citing the regulator’s failure to provide a materiality definition specific to cybersecurity events. Instead, the SEC instructs companies to use the long-standing definition of materiality in securities law, which states: “Information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision or if it would have significantly altered the total mix of information made available to investors.”

Businesses are also concerned that the timeliness and amount of information that must be given “may provide information to hackers regarding the company’s steps.”

In fact, even though the SEC’s new data breach rules are only now taking effect, hackers have already tried to take advantage of them. The infamous Alphv/BlackCat ransomware organization filed an SEC complaint earlier this year against one of its victims, MeridianLink, for failing to disclose the event to the agency.

“It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules,” a message posted to the gang’s private web page said.

According to Matthew Gracey-McMinn, director of threat research at cybersecurity firm Netacea, this strategy—which attackers are using to extort more money from victims—might become a major issue in the future.

“We anticipate that this will become a common practice of most cyberattacks in 2024 and may act as an additional charge alongside, or even replace, the encryption of data by ransomware,” she added.

Author: Eltrys Team
