SEC cybersecurity rules put boards of directors on the spot
Item 106 also requires companies to “describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.” Effective compliance, therefore, extends well beyond simply creating a document to submit to the SEC. It requires companies to understand that just having policies and controls in place is not sufficient to show that their boards are exercising appropriate oversight of the cybersecurity program. While such policies, controls, and governance are critical, the board must also be able to demonstrate that they have conducted an independent assessment of the current landscape, including gaps that need to be addressed, and that they are receiving information and adequately demonstrating effective oversight and governance of management’s cybersecurity programs and the associated risks.
Disclosing incidents without tipping off attackers
Equally important, the most effective regulatory filings will strike the right balance between complying with the rules and limiting any extraneous technical information that could tip off cybercriminals about existing gaps or provide them any unnecessary advantages from past lessons learned.
The new rules effectively require directors to put in place robust written documentation as tangible proof of compliance. They also require devoting substantial additional resources to the task, drawing on the time of internal security teams who are already inundated with other legal notification requirements and stretched thin by their day-to-day duties.
During a cyber breach, extremely difficult decisions will need to be made within four business days as to whether, when, and what to disclose – potentially while the company is still investigating the scope of the intrusion and trying to ensure the threat actor has been totally evicted from the company’s systems. Done improperly, the required early disclosure can have unintended negative consequences, including confusion in the market and potentially providing the attacker a primer on what the company knows – and has yet to discover – about an ongoing event. In turn, the threat actor can react in harmful ways, such as modifying their tactics, techniques, and procedures (TTPs) and taking new measures to prevent the company from executing effective remedial measures.
How to define a material incident
Still another vexing question in the context of these new reporting requirements is what constitutes a “material” incident. As a matter of securities law in the context of cybersecurity, there is scant guidance. Companies are left to rely on prior guidance about the definition of “materiality” in non-cyber contexts from decades ago. For example, the guidance states that an error or omission is “material” if there is a “substantial likelihood that the … fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.” (For example, see TSC Industries v. Northway, Inc., 426 U.S. 438, 449 [1976].)
The uncertainty of the precise meaning of “materiality” in the context of cyber events suggests that the SEC will be looking to initiate enforcement actions under the rule claiming companies “failed” to properly and timely disclose and that the plaintiffs’ bar will similarly be looking for targets for civil litigation in the wake of cyber incidents.