Last week, a sharply divided U.S. Securities and Exchange Commission (“SEC”) significantly increased reporting requirements on public companies by adopting a Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule (the “Rule”)[1] that requires, among many other things, reporting of material “cybersecurity incidents” on Form 8-K within only four business days of a “materiality” determination, which itself must be made without unreasonable delay after discovery of the incident (subject to limited exceptions where the U.S. Attorney General determines that disclosure would pose a substantial risk to national security or public safety). As justification for this extremely short reporting period, the SEC cited the 72-hour incident reporting and 24-hour ransom payment reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). But there is a critical distinction: CIRCIA reports are confidential, whereas disclosures under the Rule are public. Why does that matter? Among other reasons, a requirement for rapid public reporting may well lead to more cybersecurity incident class actions (whether meritorious or not).
Under the Rule, a “cybersecurity incident” is broadly defined as “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” (The Rule, pgs. 169-170.)
“Material” is defined as “‘a substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision, or if it would have ‘significantly altered the “total mix” of information available.’ ‘Doubts as to the critical nature’ of the relevant information should be ‘resolved in favor of those the statute is designed to protect,’ namely investors.” Id. at 14-15 (quoting TSC Indus. v. Northway, 426 U.S. 438, 448-49 (1976)).
If an incident is determined to be a material cybersecurity incident, the Rule requires disclosure of the nature, scope, and timing of the incident, as well as its impact or reasonably likely impact on the company, including its financial condition and results of operations. The company, however, is not required to disclose specific or technical information about its planned response to the incident, or about its systems and potential vulnerabilities, in such detail as would impede its response or remediation.
In addition to the short cybersecurity incident reporting requirement, the Rule emphasizes the duty to correct prior disclosures that public companies later determine were untrue and to update disclosures that omitted material facts needed to make them not misleading. The Rule also mandates additional periodic disclosures related to cybersecurity risk management, strategy, and governance, which will require public company boards and their cybersecurity professionals to ensure such disclosures are current and accurate. These disclosures require public companies to describe their processes for identifying, assessing, and managing material risks from cybersecurity threats, including the board of directors’ oversight of those risks and management’s role and expertise in assessing and managing them.
Commissioners Hester Peirce and Mark Uyeda opposed the Rule. In her dissent, Commissioner Peirce lamented that the Rule “veer[s] into managing companies’ cyber defenses” and imposes significant financial burdens on registrants, particularly small public companies. In his dissent, Commissioner Uyeda argued that the Rule lacked a “reasoned basis” and ignored the purposes of the federal securities laws.
The U.S. Chamber of Commerce immediately objected to the Rule, saying it conflicts with the policies underpinning confidential reporting as reflected in CIRCIA. According to a U.S. Chamber of Commerce press release after the Rule was announced: “The Cyber Incident Reporting of Critical Infrastructure Act of 2022 made it clear that cyber incident reporting to government should occur confidentially and in a protected manner. Yesterday, however, the Securities and Exchange Commission (SEC) finalized a rule that sharply diverges from the mandate and the President’s National Cybersecurity Strategy, jeopardizing a needed confidential reporting strategy and harming cyber incident victims before they can remediate incidents.”
Regardless of the views of the dissenting commissioners and the U.S. Chamber of Commerce, the Rule becomes effective 30 days after publication in the Federal Register, with compliance phased in shortly thereafter (annual disclosures beginning with fiscal years ending on or after December 15, 2023, and incident disclosures beginning December 18, 2023, with smaller reporting companies given an additional 180 days for incident disclosures), meaning public companies must now be prepared to comply.
[1] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Securities Act Release No. 33-11216, Exchange Act Release No. 34-97989 (July 26, 2023).