Cyber Security

Cracking the Code: Navigating New SEC Rules Governing Cybersecurity Disclosure

Noah Schottenbauer, MJLST Staffer

In response to the dramatic impact cybersecurity incidents have on investors, through declines in stock value and the sizeable costs companies incur in remediating breaches, the SEC adopted new rules governing cybersecurity-related disclosures for public companies. The rules cover both the disclosure of individual cybersecurity incidents and periodic disclosure of a company’s processes for assessing, identifying, and managing material cybersecurity risks, management’s role in assessing and managing those risks, and the board of directors’ oversight of them.[1]

Before evaluating the specifics of the new SEC cybersecurity disclosure requirements, it is important to understand why information about cybersecurity incidents is important to investors. In recent years, data breaches have led to an average decline in stock value of 7.5% amongst publicly traded companies, with impacts being felt long after the date of the breach, as demonstrated by companies experiencing a significant data breach underperforming the NASDAQ by an average of 8.6% after one year.[2] One of the forces driving this decline in stock value is the immense costs associated with rectifying a data breach for the affected company. In 2022, the average cost of a data breach for U.S. companies was $9.44 million, drawn from ransom payments, disruptions in business operations, legal and audit fees, and other associated expenses.[3]

Summary Of Required Disclosures

  • Material Cybersecurity Incidents (Form 8-K, Item 1.05)

Amendments to Form 8-K add a new Item 1.05 that requires reporting companies to disclose any cybersecurity incident the company determines to be material.[4] When making such disclosures, companies are required to “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.”[5]

So, what is a material cybersecurity incident? The SEC defines cybersecurity incident as “an unauthorized occurrence . . . on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”[6]

The definition of material, on the other hand, lacks the same degree of clarity. Based on context offered by the SEC through the rulemaking process, material is to be used in a way that is consistent with other securities laws.[7] Under this standard, information, or, in this case, a cybersecurity incident, would be considered material if “there is a substantial likelihood that a reasonable shareholder would consider it important.”[8] This determination is made based on a “delicate assessment of the inferences a ‘reasonable shareholder’ would draw from a given set of facts and the significance of those inferences to him.”[9] Even with this added context, what characteristics of a cybersecurity incident make it material remain unclear, but considering the fact that the rules are being implemented with the intent of protecting investor interests, the safest course of action would be to disclose a cybersecurity incident when in doubt of its materiality.[10]

It is important to note that this disclosure mandate is not limited to incidents that occur within the company’s own systems. If a material cybersecurity incident happens on third-party systems that a company utilizes, that too must be disclosed.[11] However, in these situations, companies are only expected to disclose information that is readily accessible, meaning they are not required to go beyond their “regular channels of communication” to gather pertinent information.[12]

Regarding the mechanics of the disclosure, the SEC stipulates that companies must file a Form 8-K under Item 1.05 within four business days of determining that a cybersecurity incident is material, not within four business days of the incident itself.[13] Disclosure may be delayed only in limited circumstances, where the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing.[14]

If there are any changes in the initially-disclosed information or if new material information is discovered that was not available at the time of the first disclosure, registrants are obligated to update their disclosure by filing an amended Form 8-K, ensuring that all relevant information related to the cybersecurity incident is available to the public and stakeholders.[15]

  • Risk Management & Strategy (Regulation S-K, Item 106(b))

Under new Item 106(b) of Regulation S-K, reporting companies are obligated to describe their “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.”[16] When detailing these processes, companies must specifically address three points. First, they must indicate whether, and how, the cybersecurity processes described in Item 106(b) have been integrated into the company’s overall risk management system or processes. Second, they must state whether they engage assessors, consultants, auditors, or other third parties in connection with those processes. Third, they must describe whether they have processes to oversee and identify material risks from cybersecurity threats associated with their use of any third-party service provider.[17]

In addition to the three enumerated elements under Item 106(b), companies are expected to furnish additional information to ensure a comprehensive understanding of their cybersecurity procedures for potential investors. This supplementary disclosure should encompass “whatever information is necessary, based on their facts and circumstances, for a reasonable investor to understand their cybersecurity processes.”[18] While companies are mandated to reveal if they collaborate with third-party service providers concerning their cybersecurity procedures, they are not required to disclose the specific names of these providers or offer a detailed description of the services these third-party entities provide, thus striking a balance between transparency and confidentiality and ensuring that investors have adequate information.[19]

  • Governance (Regulation S-K, Item 106(c))

New Item 106(c) of Regulation S-K requires that companies: (1) describe the board’s oversight of risks from cybersecurity threats, and (2) describe management’s role in assessing and managing material risks from such threats.[20]

When describing management’s role with respect to these cybersecurity threats, several points should be addressed. First, companies should identify which management positions or committees are responsible for assessing and managing these risks, and describe the relevant expertise of those persons in such detail as is necessary to fully describe the nature of that expertise. Second, they should describe the processes by which those persons or committees are informed about, and monitor, the prevention, detection, mitigation, and remediation of cybersecurity incidents. Third, companies should indicate whether, and how, those persons or committees report information about such risks to the board of directors or to a committee or subcommittee of the board.[21]

The disclosures required under Item 106(c) are aimed at balancing investor accessibility to information with the company’s ability to maintain autonomy in determining cybersecurity practices in the context of organizational structure; therefore, disclosures do not need to be overly detailed.[22]

  • Foreign Private Issuers (Form 6-K & Form 20-F)

The rules addressed above apply only to domestic registrants, but the SEC imposed parallel cybersecurity disclosure requirements for foreign private issuers under Form 6-K (incident reporting) and Form 20-F (periodic reporting).[23]

Key Dates

The SEC’s final rules are effective as of September 5, 2023, but the Form 8-K and Regulation S-K reporting requirements have yet to take effect. The key compliance dates for each are as follows:

  • Form 8-K Item 1.05(a) Incident Reporting – December 18, 2023
  • Regulation S-K Periodic Reporting – Fiscal years ending on or after December 15, 2023

Smaller reporting companies are given an additional 180 days to comply with Form 8-K Item 1.05, so they are expected to begin incident reporting on June 15, 2024. No such extension was granted to smaller reporting companies for the Regulation S-K periodic reporting requirements.[24]

Potential Impact On Cybersecurity Policy

The actual impact of the SEC’s new disclosure requirements will likely remain unclear for some time, yet the regulations compel companies to adopt a greater sense of discipline and transparency in their cybersecurity practices. Although the primary intent of these rules is investor protection, they may also influence how companies formulate their cybersecurity strategies, given the requirement to discuss such policies in their annual disclosures. This heightened level of accountability, regarding defensive measures and risk management strategies in response to cybersecurity threats, may encourage companies to implement more robust cybersecurity practices or, at the very least, ensure that cybersecurity becomes a regular topic of discussion amongst senior leadership. Consequently, the SEC’s initiative may serve as a catalyst for strengthening cybersecurity policies within corporate entities, while also providing investors with essential information for making informed decisions in the marketplace.

Further Information

The overview of the new SEC rules governing cybersecurity disclosures provided above is precisely that: an overview. For more information regarding the requirements and applicability of these rules please refer to the official rules and the SEC website.

Notes

[1] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Securities Act Release No. 33-11216, Exchange Act Release No. 34-97989 (July 26, 2023) [hereinafter Final Rule Release], https://www.sec.gov/files/rules/final/2023/33-11216.pdf.

[2] Keman Huang et al., The Devastating Business Impacts of a Cyber Breach, Harv. Bus. Rev., May 4, 2023, https://hbr.org/2023/05/the-devastating-business-impacts-of-a-cyber-breach.

[3] Id.

[4] Final Rule Release, supra note 1, at 12.

[5] Id. at 49.

[6] Id. at 76.

[7] Id. at 14.

[8] TSC Indus. v. Northway, 426 U.S. 438, 449 (1976).

[9] Id. at 450.

[10] Id. at 448.

[11] Final Rule Release, supra note 1, at 30.

[12] Id. at 31.

[13] Id. at 32.

[14] Id. at 28.

[15] Id. at 50–51.

[16] Id. at 61.

[17] Id. at 63.

[18] Id.

[19] Id. at 60.

[20] Id. at 12.

[21] Id. at 70.

[22] Id.

[23] Id. at 12.

[24] Id. at 107.


Cyber Security Investigation and Online Tracking

by Ude Lu, UMN Law Student, MJLST Staff.

On April 18, 2013, the Cyber Intelligence Sharing and Protection Act (CISPA) passed the House of Representatives amid widespread controversy. CISPA aims to help national security agencies investigate cyber threats by allowing private companies, such as Google and Facebook, to search users’ personal data to identify possible threats. Commentators argue that CISPA compromises the Fourth Amendment because, under CISPA, agencies can obtain the private data of suspects identified by those private companies without a judicial order. CISPA thus bridges the gap between criminal investigations and the private data stored and analyzed by social media companies.

Google and Facebook regularly track their users’ online behavior, such as the websites they visit or the products they purchase, to infer personal preferences and deliver targeted advertisements. These behavioral analyses raise serious privacy concerns. Omer Tene and Jules Polonetsky discuss these concerns in their article, To Track or “Do Not Track”: Advancing Transparency and Individual Control in Online Behavioral Advertising, published in Volume 13, Issue 1 of the Minnesota Journal of Law, Science & Technology.

Tene and Polonetsky explain that while targeted advertising provides many advantages, one particular criticism is that users are deprived of meaningful control over their data. This has led to various regulatory proposals in the US and the EU. In the US, the FTC proposed “Do Not Track,” a signal sent by a user’s browser asking websites and advertisers not to track that user. In the EU, the e-Privacy Directive requires opt-in consent for tracking cookies. The authors argue that whether tracking should be “opt-in” or “opt-out” depends on how society values tracking. If society generally views tracking as a positive measure that enables valuable services, then opt-out should apply. If, on the contrary, society views tracking as an invasion of privacy, then opt-in should apply.


Cybersecurity: Serious threat or “technopanic”?

by Bryan Dooley, UMN Law Student, MJLST Staff

While most would likely agree that threats to cybersecurity pose sufficient risk to warrant some level of new regulation, opinions vary widely on the scope and nature of an appropriate response. The Cyber Intelligence Sharing and Protection Act, one of several proposed legislative measures intended to address the problem, has drawn widespread criticism. Concerns voiced by opponents have centered on privacy and the potential for misuse of shared information. Some fear the legislation creates the potential for additional harm by allowing or encouraging private parties to launch counterattacks against perceived security threats, with no guarantee they will always hit their intended targets.

In Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle, published in Issue 14.1 of the Minnesota Journal of Law, Science & Technology, Adam Thierer discusses the danger of misguided regulation in response to new and potentially misunderstood technological developments. The discussion centers on what Thierer terms “technopanics”: hasty and often irrational pushes to address a problem in the face of uncertainty and misinformation, sometimes intentionally disseminated by parties who hope to benefit financially or advance a social agenda.

In the context of cybersecurity, Thierer argues that advocates of an aggressive regulatory response have exaggerated the potential for harm by using language such as “digital Pearl Harbor” and “cyber 9/11.” He argues that technopanics have influenced public discourse on a number of other issues, including online pornography, privacy concerns associated with targeted advertising, and the effects of violent video games on young people. While these panics often pass with little or no lasting effect, Thierer expresses concern that an underlying suspicion toward new technological developments could mature into a precautionary principle for information technology. This would entail a rush to regulate in response to any new development with a perceived potential for harm, which Thierer argues would slow social development and prevent or delay the introduction of beneficial technologies.

It’s an interesting discussion. Whether or not cyber attacks pose the potential for widespread death and destruction, there is significant potential for economic damage and disruption, as well as theft or misuse of private or sensitive information. As in any case of regulation in the face of uncertainty, there is also clear potential that an overly hasty or inadequately informed response will go too far or carry unintended consequences.


Time for a New Approach to Cyber Security?

by Kenzie Johnson, UMN Law Student, MJLST Managing Editor

The recent announcements by several large news outlets, including the New York Times, Washington Post, Bloomberg News, and the Wall Street Journal, that they have been the victims of cyber-attacks have once again brought cybersecurity into the news. These attacks reportedly all originated in China and were aimed at monitoring news coverage of Chinese issues. In particular, the New York Times announced that Chinese hackers persistently attacked its servers over a period of four months and obtained the passwords of reporters and other Times employees. The Times reported that the attack began at the same time it published a story on the vast wealth accumulated by the family of Chinese Prime Minister Wen Jiabao.

Western news outlets are not the only targets of recent cyber-attacks. In recent weeks, the United States Department of Energy and the Federal Reserve both announced that hackers had penetrated their servers and acquired sensitive information.

This string of high-profile cyber-attacks raises the need for an improved legal and response structure to deal with the growing threat of cyber-attacks. In the forthcoming Winter 2013 issue of Minnesota Journal of Law, Science, and Technology, Susan W. Brenner discusses these issues in an article entitled “Cyber-Threats and the Limits of Bureaucratic Control.” Brenner discusses the nature, causes, and consequences of cyber-threats if left unchecked. Brenner also analyzes alternative approaches to the United States’ current cyber-threat control regime, criticizes current proposals for improvements to the current regime, and proposes alternative approaches. As illustrated by these recent cyber-attacks, analysis of these issues is becoming more important to protect sensitive government data as well as private entities from cyber-threats.