
Markets Promptly See Effect of New SEC Cybersecurity Disclosure Rules


On December 18, 2023, prior to the trading session, VF Corp. (NYSE:VFC) issued a press release disclosing that the company was investigating unauthorized activity on its computer systems – and that the intrusion had encrypted some systems and compromised data. [1]

The SEC Cited a Number of Factors that Magnify Cybersecurity Risks for Investors:

  • Increased digitalization of operations;
  • Growth of remote work;
  • Ability of criminals to monetize cybersecurity incidents;
  • Use of digital payments; and
  • Increasing reliance on third party IT service providers.[2]

As the parent company of numerous iconic apparel brands, such as The North Face and Vans,[3] VF Corp. went on to warn that the cyberattack had disrupted its ability to fulfill e-commerce orders and that it could not yet say whether the company’s finances would be affected.[4] With the last shopping week before Christmas in full swing, investors fled at the opening bell, pushing VF Corp.’s stock price lower by $1.55 per share, for a loss of more than 7.78 percent that day.

Chart: Bloomberg L.P.

VF Corp.’s disclosure was the most recent example of the SEC’s new disclosure rules in action. Those rules were first proposed in March of 2022, based on the agency’s finding that “cybersecurity risks have increased” due to the increase in commerce occurring digitally as well as other factors.[5]

The push for specific cybersecurity and incident reporting rules arose from the SEC’s conclusion that – even after more than a decade of agency guidance – the SEC “continued to believe that investors need information on registrants’ cybersecurity risk management and strategy, and that uniform, comparable, easy to locate disclosure [would] not emerge absent new rules.”[6]

The final rules,[7] which became effective on September 5, 2023, update the reporting requirements under the Securities Exchange Act of 1934 to standardize how registrants inform investors about cybersecurity, requiring both:

  1. Real-time disclosures about material cybersecurity incidents; and
  2. Periodic disclosures about a registrant’s:
    1. processes to assess, identify, and manage material cybersecurity risks,
    2. management’s role in assessing and managing material cybersecurity risks, and
    3. the board of directors’ oversight of cybersecurity risks.[8]

Originally, the SEC relied on a Staff Guidance document issued in 2011 that discussed the risks, contingencies, and other factors that issuers should consider when applying traditional rules regarding materiality and disclosure, pointing out that:

Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents.[9]

That was updated in 2018, but the new rules aim to address the SEC’s view that “disclosure practices have remained inconsistent.”[10]

Erik Gerding, the SEC’s Director of the Division of Corporation Finance, offered his personal comments on the new rules, pointing out that “[i]nvestors have indicated … that they need consistent and comparable disclosures in order to evaluate how successfully public companies” are “address[ing] cybersecurity risks and threats based on their own particular facts and circumstances.”[11]

Gerding went on to note that the SEC “balanced the need for disclosure with the risk that disclosing specific technical information could provide a road map that threat actors could exploit for future attacks.”[12]

In keeping with prior practices, the SEC sought to leverage existing disclosure rules to ensure uniformity. As a result, public companies must disclose a cybersecurity incident within four business days after the company determines the incident to be material.[13] This allows issuers to apply the “time-tested and familiar” materiality standard and their mechanisms for Form 8-K reporting to cybersecurity developments.[14]

Importantly, if the Department of Justice determines that “a public filing would pose a substantial threat to public safety or national security,” the new rules provide for a delay in public disclosure of up to 60 days in the case of public safety or 120 days in the case of national security.[15] While it will remain to be seen how readily DOJ will make such determinations, victims of cyberattacks should engage with the Federal Bureau of Investigation directly, or through the U.S. Secret Service (USSS), Cybersecurity and Infrastructure Security Agency (CISA), or an issuer’s sector risk management agency (SRMA) as appropriate to determine whether any delay will be allowed.[16]


