- Since 2022, the U.S. Securities and Exchange Commission (SEC) has proposed several cybersecurity rules applicable to numerous regulated entities that, if adopted, would impose quick notification obligations and heightened disclosure requirements.
- Amid significant pushback during the public comment period, the SEC announced it would delay issuance of these rules, which are now expected to be finalized in October 2023 and April 2024.
- Because cybersecurity risks will continue to evolve more rapidly than the SEC’s public rulemaking process, public companies, investment advisers, broker-dealers, and other entities that may be impacted by these rules should not wait to address these risks, even in the face of regulatory uncertainty.
- After all, the SEC has already brought enforcement actions relating to cybersecurity incidents even though these proposed rules have not been finalized, and existing SEC and other regulatory frameworks already require the baseline disclosure, notification, and safeguarding measures that these proposed SEC rules seek to enhance.
The SEC’s Cybersecurity Proposals
The SEC has proposed four rules designed to address cybersecurity risk and management, including incident reporting by public companies.
Final Rules Anticipated in October 2023:
Final Rules Anticipated in April 2024:
On June 19, 2023, the SEC published notice of a Sunshine Act Meeting scheduled for July 26, 2023, wherein it will consider adoption of rules to enhance and standardize disclosures related to cybersecurity risk management, strategy, governance, and incidents by public companies subject to reporting requirements of the Securities Exchange Act of 1934.
A. Public Company Proposals
Of the rule proposals, the Proposed Public Co. Rule, released in March 2022, received the loudest response from industry participants, given the wide net the SEC seeks to cast and the level of detail it seeks in required disclosures. Namely, the Proposed Public Co. Rule includes new reporting and disclosure requirements, with new current reporting requirements for disclosing material cybersecurity incidents on Form 8-K and new periodic disclosure requirements for updating previously disclosed incidents and describing management and board oversight of cybersecurity risks. In announcing the proposed rule, SEC Chair Gary Gensler claimed that if adopted, the Proposed Public Co. Rule “would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.”
The Proposed Public Co. Rule contains provisions concerning three specific areas:
- Incident disclosure: The SEC proposed disclosure within four business days of identification of a material cybersecurity incident under Form 8-K, and disclosure of material changes or updates to prior disclosures under Forms 10-Q and 10-K pursuant to new Item 106(d) of Regulation S-K and Item 16J(d) of Form 20-F.
- Risk management: The SEC proposes disclosure of management’s role in implementing cybersecurity policies and procedures, including risk management and strategy, pursuant to new Item 106 of Regulation S-K and new Item 16J of Form 20-F. These rules would also require disclosure of board oversight, including how cybersecurity risks are factored into company strategy, financial planning, and capital allocation. Moreover, the SEC proposes required disclosure of whether the company has a chief information security officer (CISO) as well as policies and procedures targeted at identifying and managing cyber risk.
- Cybersecurity expertise: The SEC proposes disclosure of board members who possess cybersecurity expertise in assessing and managing cybersecurity risk pursuant to amended Item 407 of Regulation S-K and Form 20-F.
The most controversial aspects of these proposed requirements, as relayed during the comment period, relate to the rapid time frame for reporting material incidents, without any exception for ongoing investigations. Specifically, the proposed regulation would require the reporting of a cybersecurity incident within four business days of a materiality determination, which many critics of the proposal argued could significantly constrain investigations, whether conducted internally or in connection with other government agencies. In fact, it has been reported that the FBI has concerns about the four-business-day disclosure requirement because the short window could require public companies to disclose incidents even where law enforcement has an active case under way.
Comments received on the proposed rule also noted that the four-business-day time frame could interfere with a company’s ability to remediate the cybersecurity incident, as its resources would be split between understanding the nature and scope of the breach and meeting its reporting obligations to the SEC. Additionally, certain covered entities expressed concern that mandatory disclosure could further embolden a hostile actor to adopt different tactics to more effectively mask cyber intrusions and/or destroy indicators of compromise. In other words, if a threat actor learns that it has been identified, that actor may accelerate further bad acts or change tactics in targeting vulnerabilities in a company’s digital ecosystem.
B. Investment Adviser, Investment Company, and Broker-Dealer Proposals
The SEC has also proposed rules that will impact broker-dealers, registered investment advisers, and investment companies. First, proposed rules under the Investment Advisers Act and Investment Company Act would require investment advisers and investment companies to adopt written cybersecurity policies and disclose “significant” cybersecurity incidents to the SEC on behalf of a fund or a private fund client. Second, proposed amendments to Regulation S-P would require covered entities to adopt written response plans and notify customers of specific types of cybersecurity incidents.
1. Investment Advisers and Investment Companies
The Proposed IA Rule, which applies to investment advisers and investment companies, includes even shorter incident reporting timelines than the aforementioned Proposed Public Co. Rule. Specifically, this proposal would require the submission of a new Form ADV-C within 48 hours after there is a reasonable basis to conclude that a significant incident occurred. But unlike the reporting requirement under the Proposed Public Co. Rule, this disclosure would be confidential. While the SEC notes that these reports would allow it to “assess the potential systemic risks affecting financial markets more broadly,” industry participants have lamented the need to balance these new disclosure requirements with resolving cybersecurity incidents, including diverting money and resources from incident response to completing regulatory filings (perhaps with incomplete information).
Additionally, investment advisers and investment companies would be required to implement and review written policies and procedures; engage in periodic risk assessments, security monitoring, and vulnerability management; conduct incident response planning; and execute security training. Fund advisers would also be required to disclose cybersecurity risks and incidents on registration forms and Form ADV, which could perhaps cut against or conflict with the confidential disclosure requirements of a cyber incident.
The proposed amendments to Regulation S-P, which would impose requirements on broker-dealers, funds, and advisers (what the SEC refers to here as “covered institutions”), would institute written policies and procedures for an incident response program, including requiring covered institutions to provide timely notification to affected individuals whose sensitive customer information was accessed or used without authorization.
This proposal specifically focuses on the customer notification requirement, which must be made as soon as practicable but no later than 30 days after the covered institution becomes aware of the incident. To the extent, however, that the covered institution determines that the sensitive customer information was not actually or reasonably likely to be used in a manner that would result in harm or inconvenience, notice is not required.
Additionally, the proposal would require covered entities to adopt incident response programs as part of their written policies and procedures under the safeguards rule. These programs must be “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information . . . and contain and control such incidents.”
Analysis and Recommendations
Although finalization of these rules and the form in which they will take shape are uncertain, there are a number of preparatory steps covered entities can take now. This is particularly crucial given the SEC’s long line of enforcement actions against regulated entities for safeguarding information concerning identity theft violations and against public companies for disclosure and control violations relating to cyberattacks. Significantly, in June 2023, software developer SolarWinds disclosed that current and former executives, including its chief financial officer and CISO, were informed in October 2022 of the SEC’s intention to bring an enforcement action arising from a 2020 cyberattack on the company. With this, the SEC has made clear that even without these proposed rules, it still has sufficient enforcement mechanisms to police purported lapses in cybersecurity.
A. Incident Response
With respect to the proposed rules regarding reporting of cybersecurity incidents, there are certain clear implications for incident response planning. For example, organizations should assume that required reporting timelines will continue to shorten. Accordingly, it is essential to develop an internal process that gathers and communicates relevant information (including to trusted advisors) as quickly as possible. The incorporation of qualifying standards for different reporting obligations, such as “materiality” or “significance” – regardless of how such standards are ultimately defined (or left undefined) in a final rule or in corresponding regulatory guidance – means that processes should be mapped out so that the inputs to these determinations (e.g., the scope and quantification of impact) are assessed as a priority. Performing these kinds of assessments should be incorporated into incident response plan testing, both for overall readiness to respond and to illuminate potential areas for process refinement.
B. Proactive Risk Assessment and Management
The proposed rules regarding incorporation of risk assessment and management into the cybersecurity program essentially reflect existing “best practices” as articulated under industry standard frameworks, as well as regulatory cybersecurity requirements at the state and federal levels in a variety of sectors, going back many, many years. The SEC’s proposed rules that would require maintenance of cybersecurity risk assessment and risk management programs, including fundamental security controls in areas like third-party risk management, merely reflect essential elements of any sound security program. The addition of proposed requirements that would impose some transparency on these activities in the form of disclosures or reporting does require careful planning for proper execution; however, these aspects of compliance represent a minimal burden in relation to developing and implementing the more-fundamental programmatic elements (which include administrative, technical, and physical controls).
C. Governance and Oversight
Similarly, regardless of what form the final version of the proposed SEC rules takes regarding board and senior management oversight and cybersecurity expertise, the idea that boards and senior management need to play an active role in overseeing enterprise cybersecurity programs is neither novel nor controversial. Even without a related disclosure obligation, it would be hard to argue that boards and senior management should not consider and formalize processes for how they should perform such oversight (e.g., through committees) and how cybersecurity issues should be communicated to them and by whom. While some organizations may find that acquiring cybersecurity expertise at the board and senior management levels may be difficult to achieve in practice, it would be hard to argue that having such expertise would not enhance their ability to provide oversight of the security program.
The SEC noted that the definition of “material” would be consistent with existing case law; namely, if there is a substantial likelihood that a reasonable shareholder would consider the information important in making investment decisions, or if the information significantly alters the “total mix” of information made available to investors, the SEC would deem the information material.