Directors and officers should be aware of the new cybersecurity disclosure rules for public companies. The Securities and Exchange Commission (“SEC”) is taking an active interest in cybersecurity enforcement, with enforcement actions brought in 2023. We expect the new rules, whose annual-report requirements apply to fiscal years ending on or after December 15, 2023 (with incident reporting on Form 8-K required since December 18, 2023), to be enforced just as actively, making cybersecurity a top priority for shareholders, investors, boards of directors (or committees thereof) and executive officers alike.
The New SEC Cybersecurity Rule
Key disclosure requirements are now in effect. They are both proactive and reactive: an annual description of risk management and governance in the Annual Report on Form 10-K, and event-driven disclosure of material incidents in a Current Report on Form 8-K.
Annual Report on Form 10-K
The Form 10-K annual disclosure should describe the company’s processes for assessing, identifying, and managing material risks from cybersecurity threats, and whether those processes are integrated into the company’s overall risk management. It should include details on the risk management processes themselves, the engagement of assessors, consultants, and auditors, and the oversight of risks associated with third-party service providers.
The Form 10-K disclosure should also indicate how the company oversees risks from cyber threats at the highest level by describing the Board of Directors’ role in such oversight or identifying a responsible committee or subcommittee. Disclosures should also identify responsible management positions and committees, and relevant expertise of such persons or committee members. Relevant expertise may include prior work experience in cybersecurity, any relevant degrees or certifications, or any knowledge, skills, or other background in cybersecurity. Directors themselves are not directly required to have substantial cyber expertise.
The disclosure should describe the processes by which the responsible management positions or committees are informed about and monitor the prevention, detection, mitigation, and remediation of incidents, and whether those individuals or committees report to the Board of Directors (or a committee of the Board). Finally, the company must state whether any risks from cybersecurity threats, including as a result of prior incidents, have materially affected or are reasonably likely to materially affect the company, its business strategy, results of operations, or financial condition.
Current Report on Form 8-K
When a material cybersecurity incident has occurred, companies are generally required to file a Current Report on Form 8-K within four business days of determining that the incident is material, unless an exception applies. That materiality determination must itself be made without unreasonable delay after discovery of the incident; the four-day clock runs from the determination, not from discovery. Notably, filing may be delayed if the U.S. Attorney General determines that disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing.
In the Form 8-K report, describe the material aspects of the nature, scope, and timing of the incident and its material impact or reasonably likely material impact on the company, including on its financial condition and results of operations. If some of the required information is not yet determined or is unavailable at the time of filing, say so in the report and file an amendment within four business days after the information becomes available. The disclosure does not need to include specific or technical information about the company’s planned response or its systems where doing so would impede the response or remediation.
Building Governance
There are many items to take into consideration when overseeing and building cybersecurity governance for your company. Consider assigning oversight responsibility to the full Board of Directors or to a committee that reports regularly on cybersecurity initiatives. It is generally recommended to seek independent, objective advice on cybersecurity practices that is separate from internal IT operations. Key components to consider including in a governance plan:
- Develop a process for an annual cybersecurity risk assessment
- Hire a CISO (and supporting staff) with the ‘relevant expertise’ the rule asks the company to describe
- Document regular reporting to the Board of Directors, including security budget and headcount
- Involve the audit and risk functions by adopting an auditable information security control framework (for example, ISO/IEC 27001 or the NIST Cybersecurity Framework), so that the processes disclosed on Form 10-K can be tested rather than merely asserted
- Engage independent technical assessors and consultants
- Maintain a written information security program and a tested incident response plan that includes the materiality determination and disclosure steps the Form 8-K requirement demands
- Consider building disclosure procedures with internal sub-certifications, and identify the officers and managers who will sign them
Breach Response
Officers and directors should understand the following critical steps for responding to a serious cybersecurity breach:
- Notify the company’s counsel
- Notify the company’s insurer, within the notice period the policy requires
- Control communications and minimize factual speculation, both internal and external, until the facts are established
- Engage external cybersecurity investigators through counsel, so that the investigation is directed by counsel and attorney-client privilege and work-product protection can be preserved where available
- Engage outside forensic specialists for complex technical threats
- As a director, consider asking to see copies of the investigators’ final incident reports, and confirm that the materiality determination and any Form 8-K timeline have been documented
The above information is provided by Morris, Manning & Martin, LLP for general information purposes only and does not constitute legal advice or establish an attorney-client relationship. If you have questions, please contact the MMM Cybersecurity & Privacy team.