Securities and Exchange Commission Final Rule on Cybersecurity

Posted on October 18, 2023

The Securities and Exchange Commission (SEC) recently published a final rule, effective September 5, 2023, applicable to publicly traded companies on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.[1]  The new rule is designed “to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.”  The SEC prescribes disclosure regarding “material cybersecurity incidents” as well as periodic disclosures about public companies’ “processes to assess, identify and manage material cybersecurity risks, management’s role in assessing and managing material cybersecurity risks, and the board of directors’ oversight of cybersecurity risks.”

HIGHLIGHTS

  • The new rules are enforceable only against publicly traded companies.
  • The new rule frames cybersecurity as a business risk for the purpose of disclosure to investors.
  • The new rules are a reflection of a possible bow wave of public expectations regarding businesses publicly disclosing cyber incidents and maintaining cyber governance and oversight regimes in privately held companies.
  • Both public and privately held companies should consider the impacts of cybersecurity incidents, disclosures and governance on CSR/ESG strategies and programs to promote digital trust and meet supplier, investor and customer demands and expectations.
  • Compliance dates range from December 2023 for most companies to June 2024 for smaller companies.
  • For “material cybersecurity incidents”, companies must disclose their existence within four business days of being “deemed material.”  Otherwise, disclosure must occur annually.

Cybersecurity Incidents and Materiality.  The rule defines “cybersecurity incidents” as “an unauthorized occurrence, or a series of unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein.”  It makes no distinction between deliberately caused incidents (“hacks”) and accidents.  Materiality triggering rapid disclosure is subjective and incorporates factors such as the complexity of the registrant’s information, the importance of the information to the company’s operations, and the nature and extent of the information compromised.  The material incident disclosure requirement includes the “material aspects of the nature, scope and timing of the incident” and the “material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.”  For example, a malicious cyber actor who accesses and downloads 100,000 customer financial files at a publicly traded bank is likely “material.”  An inadvertent temporary posting on the same bank’s website of the city of residence of 100,000 customers, without any other identifying information, likely is not “material.”  Materiality determinations must be made “without unreasonable delay.”  The SEC rule cites TSC Industries, Inc. v. Northway, Inc., 426 U.S. 438 (1976) in providing that information is material if (1) there is “a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision” or (2) disclosure of the information would have been viewed by the reasonable investor as having “significantly altered the total mix of information made available.”  In practice, these two elements are nearly identical, in that the second factor only has meaning in light of the first.

Companies may also be required to disclose third-party incidents if they are material to the company’s data and operations.  Finally, there are certain national security exemptions for disclosure that authorize delay upon approval of the U.S. Department of Justice.  For example, public disclosure of a hack of an important defense aerospace contractor by an adversary state might be delayed where disclosure would otherwise harm the U.S. government’s ability to contain or attribute the cyber incident by placing the hacking state on notice that its intrusion had been detected and remediated.

Obviously, the risk that public disclosure of proprietary corporate information places the company at a competitive disadvantage is high.  The rule also notes that companies are not required to disclose specific or technical information that could affect incident response or reveal potential system vulnerabilities.

Risk Management

The rule also requires publicly traded companies to disclose their cybersecurity risk management processes, including whether cybersecurity risk has been integrated into corporate risk management processes, whether the company engages outside expert consultants, and whether the company has designed processes to identify material third-party risks.  Companies that have not yet begun integrating cybersecurity risk into their risk management processes should be mindful of the published compliance dates and redouble their efforts sooner rather than later.

Corporate Governance:  Boards and Management

Finally, the rule places a burden on the board of directors to ensure they are maintaining adequate oversight of cybersecurity risks, forming committees responsible for oversight, and designing processes by which the board or committee is informed of cybersecurity risk.  Managers are charged with similar responsibilities regarding assessing and managing cybersecurity risks and procedures for board reporting.

Future Rulemaking

The SEC has published a proposed rule, now moving through the rulemaking process, which imposes similar responsibilities on a range of financial advisers and funds, and is contemplating broader-ranging rules that cover broker-dealers, clearing agencies, national securities associations and exchanges, transfer agents, and other related actors.

In short, the new SEC rule places substantial responsibility on publicly traded companies to move quickly on their cybersecurity risk management, reporting and oversight responsibilities, while the SEC also moves forward on extending these new responsibilities to other categories of financial companies, brokers, and associated companies.  For closely held companies, the rule may provide a window into the appetites of investors, customers and suppliers regarding the due diligence expected in cybersecurity risk management.

Crenshaw, Ware & Martin PLC is ready to help your business conduct training, perform cybersecurity risk assessments, and formulate a compliance plan to manage cybersecurity threats for Virginia or Virginia-facing businesses, including publicly traded companies.  The firm can also assist with integrating cybersecurity risk management into corporate ESG/CSR programs in response to customer, investor, and supplier demands and expectations.  Contact Darius Davenport, Managing Partner, or Butch Bracknell, Attorney, at 757.623.3000, or by email at DDavenport@cwm-law.com or RBracknell@cwm-law.com.


[1] 17 CFR Parts 229, 232, 239, 240, and 249, available at https://www.sec.gov/files/rules/final/2023/33-11216.pdf.