It’s official. Last week, the SEC issued rules requiring public companies to report what the agency calls “material” cybersecurity incidents within four business days. Baker Donelson’s Alisa Chestler breaks down what’s in the new rules and explores what companies should do from here.
On July 26, the SEC passed rules regarding reporting “material cybersecurity incidents” within four business days of the determination, which will surely vex companies for years to come. Public companies and their third-party vendors, including private companies, will feel the effects of these rules in their contracts and negotiations.
Let’s get into what happened and what companies should do now.
Overview of the rules
Once the regulations are published in the Federal Register, which we expect shortly, public companies will have 30 days to comply. Under the regulations, the SEC will require public companies to report material incidents on a Form 8-K within four business days of making such a determination. Further, companies will need to provide material information regarding their cybersecurity risk management, strategy and governance on an annual basis.
Below are some initial considerations for understanding the issues raised by the cybersecurity incident notification requirement.
“Material” definition: If you are wondering what qualifies as “material,” you are not alone. Management and legal teams need to consider what might be “material” in all sorts of scenarios to help identify the issues in advance. For example, a breach that affects the supply chain might become material after one day, or it might become material only after three days. Or perhaps theft of intellectual property has occurred: it is material, but does it affect national security and therefore merit a delay in reporting?
What needs to be reported? In a change from the proposed rules, companies must report, to the extent known at the time of filing, material aspects related to the nature, scope and timing of the incident as well as reasonably likely impact or known impact. Multiple aspects of reporting requirements were softened from the agency’s original proposal after pushback from the private sector, the Wall Street Journal reported.
Four-day deadline: Given the short timeframe of four business days for reporting and the potential for uncovering new information while investigating an incident, companies should anticipate the potential need to amend and update filings as the facts become clearer. Companies will want to avoid speculation.
Don’t forget human error: Cybersecurity events are not limited to ransomware; sometimes they are simply mistakes in information system configurations. Human error can be a factor, and such events should be accounted for as part of the planning process.
What should companies do now?
All companies should already be conducting incident response exercises. Such exercises should include the important considerations of notifications, including those to federal and state regulators and now to the public through the Form 8-K, if applicable.
As time is of the essence, the notification analysis should begin nearly immediately, and a well-practiced response program will be critical. Counsel should always have been included in the incident response exercise; now, however, their inclusion in the planning and execution of the exercises is absolutely crucial.
Companies should also consider the “me too” effect. Imagine your company has recently faced an issue similar to what many faced with the MOVEit breach. That breach may be material for one public company but not for another public company. That analysis would likely feel more comfortable without a looming, four-day deadline. Companies must understand their protocols in these cases.