Bloomberg Law
Aug. 10, 2023, 8:00 AM

How the SEC is Transforming Corporate Cybersecurity Oversight

Daniel Garrie
Daniel Garrie
JAMS
Bradford Newman
Bradford Newman
Baker McKenzie

Corporate cybersecurity is now a non-negotiable priority. How companies prepare for and defend themselves against cyber intrusions has profound implications for their operations, reputation, and bottom line.

Historically, companies have underestimated the magnitude of cybersecurity risks—and in the view of the Security and Exchange Commission, consistently underreported the material losses caused by cyber intrusions.

Now things have changed. On July 26, the SEC took affirmative steps by adopting rules to ensure public companies aren’t just aware of their cybersecurity risks, but are actively managing them and promptly reporting what in practice will turn out to be the vast majority of incidents.

8-K Item 1.05 mandates companies disclose “material cybersecurity incidents” and “material aspects of the incident’s nature, scope, timing and impact on operations, revenues or stock price. New Regulation S-K Item 106 requires companies to provide detailed disclosures about their cybersecurity risk management, strategy, and governance.

In particular, the SEC now requires companies to describe their processes for “assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant.”

Item 106 also requires companies to “describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.”

Effective compliance, therefore, extends well beyond simply creating a document to submit to the SEC. Rather, it requires companies to understand that just having policies and controls alone are insufficient to demonstrate their boards are exercising appropriate oversight of the cybersecurity program.

The board must also show they have conducted an independent assessment of the current landscape, including gaps, and that they are actively overseeing management’s cybersecurity programs and the associated risks.

The most effective regulatory filings will comply with the rules and avoid sharing extraneous technical information that could give cybercriminals insights into vulnerabilities or past mistakes.

A key aspect of these new rules is the requirement for companies to create a written record documenting their cybersecurity program. This allows shareholders, the Commission, and plaintiff’s lawyers to obtain evidence reflecting the company’s commitment to cybersecurity risk management, and provides a foundation for holding accountable companies that fail to manage these risks properly.

The new rules effectively require directors to create robust written documentation as tangible proof of compliance, demanding substantial resources and time from already overburdened internal security teams. During an active cyber breach, difficult decisions must be made within four business days as to if, when, and what to disclose—potentially while the company is still investigating the intrusion and trying to ensure the threat actor is fully removed from the company’s systems.

Done improperly, the required early disclosure can have unintended negative consequences, including confusion in the market and potentially providing the attacker a primer on what the company knows—and has yet to discover—about an ongoing event. This could enable the threat actor to alter tactics and hinder the company’s remedial efforts.

Defining a “material” incident presents a challenge, with scant cybersecurity guidance available in securities law. Rather, companies are left to rely on outdated non-cyber guidance. The uncertainty of the precise meaning of “materiality” suggests that the SEC may initiate enforcement actions under the rule claiming companies “failed” to properly and timely disclose.

Protecting sensitive information while demonstrating compliance requires a delicate balance.

This involves considering how and when attorney-client privilege—both the one that belongs to corporate communications and one that can be exclusive to the board—comes into play when conducting internal policy and reporting reviews, preparing reports that identify gaps and solutions, choosing and communicating with external vendors, and related aspects of cyber-readiness.

The complexity of these issues intensifies when responding to an actual intrusion, where the company’s internal and external legal function, CISO, and forensic vendors play a critical role—particularly in the immediate aftermath of discovery.

Companies and their boards must now address complex challenges by deploying customized cyber compliance tools and services to fulfill cybersecurity obligations, aiming to meet regulatory requirements and enhance overall security.

Tabletop exercises, for example, are tailored simulations that assess a company’s response to potential cybersecurity incidents, identifying possible regulatory and legal gaps.

Involving board members, HR, business, legal, IT, risk, compliance, and relevant teams, these exercises are conducted by independent third parties, providing concrete evidence of compliance with cybersecurity regulations.

The new SEC rules signal a shift in corporate cybersecurity management. Though challenging, they offer an opportunity for companies to exhibit their commitment to managing these risks.

With the right tools, services, and advice, businesses can comply with these new rules and bolster their overall cybersecurity posture, thereby protecting their operations, reputation, and bottom line.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.

Author Information

Daniel B. Garrieis a distinguished neutral with JAMS, an arbitrator, mediator, and special master with expertise in cybersecurity, data privacy, e-discovery, and intellectual property.

Bradford Newman is chair of Baker McKenzie’s North America trade secrets practice.

Jennifer Deutsch, director of privacy services at Law & Forensics, contributed to this article.

Write for Us: Author Guidelines

Learn more about Bloomberg Law or Log In to keep reading:

Learn About Bloomberg Law

AI-powered legal analytics, workflow tools and premium legal & business news.

Already a subscriber?

Log in to keep reading or access research tools.