Public companies should be ready for vigorous enforcement of the Securities and Exchange Commission’s new cybersecurity rules, despite tricky compliance questions that still remain, agency watchers said.
“The rules are still fairly new, and so I think there are going to be some growing pains — some learning curves if you will,” Cara Peterman, a partner in Alston & Bird’s Securities Litigation Group, said in an interview. “But I would not assume that the SEC is going to go easy on folks based on the fact that these are new rules.”
In recent years, the SEC has given “every indication” that cybersecurity is a top enforcement priority for the agency, Peterman said. “I think we’ve already seen the SEC kind of turning up the heat on this issue, and the stakes are even higher with a formal rule now in place,” she added.
The SEC in March reached a $3 million settlement with Charleston, South Carolina-based software firm Blackbaud resolving charges that it made misleading disclosures about the scope of a 2020 ransomware attack.
In October, the SEC sued Austin, Texas-based software provider SolarWinds and its chief information security officer, Timothy Brown, for allegedly defrauding investors by mischaracterizing cybersecurity practices that were in place at the company leading up to the attack. The company has denied the charges.
The SolarWinds case, particularly when coupled with the SEC’s new rules, has serious implications for senior executives in general, including CFOs, according to cybersecurity advisors.
“Everyone’s neck is on the line,” said Trisha Sircar, a partner in the Privacy, Data and Cybersecurity practice of Katten Muchin Rosenman.
Under the SEC’s rules, which build on prior guidance, public companies must disclose material breaches, as well as “the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations.”
“Regrettably, the rules offer little clarity on what” constitutes a material incident, said John deCraen, associate managing director in the Cyber Risk practice of Kroll, a financial and risk advisory firm.
“Ultimately the decision will come down to the company in question and their discussions with counsel,” he said, adding that a company should be prepared to defend any conclusion that an incident isn’t material in the event of a regulatory action or lawsuit.
Companies must determine the materiality of an incident “without unreasonable delay following discovery and, if the incident is determined material, file an Item 1.05 Form 8-K generally within four business days of such determination.”
The disclosure may be delayed if the U.S. attorney general determines that immediate disclosure would “pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.”
In addition to reporting material breaches, companies must annually describe on Form 10-K their board of directors’ oversight of cybersecurity risks. All companies must comply with these requirements beginning with annual reports for fiscal years ending on or after Dec. 15.