The Securities and Exchange Commission (SEC) recently adopted rules requiring public companies to quickly disclose “material cybersecurity incidents” and to annually disclose material information regarding a company’s cybersecurity risk management, strategy, and governance.
Immediate Disclosure of Material Cybersecurity Incidents
The new rules require public companies to file a new Form 8-K Item 1.05 disclosing any cybersecurity incident the company determines to be “material” and describe the
“material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the company, including its financial condition and results of operations.”
Significantly, the rules require companies to promptly make a determination on the materiality of the cybersecurity incident and to publicly disclose the incident within four business days of making a determination. The underlying rationale for this rule is to increase transparency to the investing public.
However, there are serious concerns about the timing of the required cybersecurity incident disclosure. Typically, the scope, nature and effect of a cybersecurity incident are not immediately known, and it can take weeks or months before a company fully understands what has happened. Because disclosure is required within four business days, companies may have to provide incomplete and inaccurate information to shareholders. Thus, the practical effect of this rule may be that shareholders make investment decisions based on inaccurate information.
Implications for Law Enforcement
Another concern is that local and national law enforcement may be hindered by companies making an early disclosure. For instance, cybercrime law enforcement may prefer that a company keep quiet about an incident so as not to tip off the cyber criminals that they have been detected. If a company must disclose the incident right away, the cyber criminals may have a better chance of evasion. While the SEC’s rules permit disclosure to be delayed if the United States Attorney General “determines that immediate disclosure would pose a substantial risk to national security or public safety,” there is no such exception for local law enforcement or for other national law enforcement agencies such as the FBI.
Conflict with State Laws
Additionally, the new SEC rules conflict with many state laws that require disclosure to affected individuals and law enforcement agencies after 30 or 60 days. Because there is no comprehensive national cybersecurity incident disclosure law, companies have to comply with a patchwork of state laws and rules. The SEC’s rules merely add to the growing list of rules that must be followed instead of providing one clear set of rules.
Annual Reporting Requirement
The other significant aspect of the new rule is that companies must annually file a description of their:
“Processes for assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company.”
This component of the rules imposes an additional expense on companies.
Monitoring the Impact
KJK will continue to monitor the SEC’s new rules and their effects on public companies. If you have additional questions or clarifications regarding the SEC’s new cybersecurity disclosure rules, please contact KJK partner Michael Hoenig (MDH@kjk.com; 216.736.7247) or another member of our Cyber Security & Data Breach practice group.