The Need for Speed: “Material” Confusion under the SEC’s Cyber Rules
This week, the SEC issued a statement addressing some of the rampant confusion and inconsistencies observed under the agency’s new cyber breach disclosure rule.
The statement itself addresses a technical securities law requirement, that public companies should only use Item 1.05 of Form 8-K to disclose “material” cyber breach information (instead of making voluntary or immaterial disclosures). For voluntary disclosures or disclosures where the “materiality” analysis hasn’t been completed, the SEC advises companies to use Item 8.01 for those updates in order to avoid the potential for investor confusion.
The message underlying the SEC’s statement is clear – companies don’t know what a “material” cyber incident is, and they’d prefer to be overly cautious and disclose whatever information they do have immediately rather than risk significant liabilities and penalties in a climate of heightened regulatory scrutiny on cybersecurity practices.
Disclose early and disclose often!
Under the SEC’s guidance, information is “material” if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making investment decisions, or if it would significantly alter the total mix of available information.
With the SEC’s cyber rules less than a year old – there simply aren’t enough benchmarks, data and reliable information for companies to make “apples to apples” comparisons on whether a cyber incident rises to the level of “material” information for their shareholders.
Factor in the time pressure for reporting breaches (4 business days) and the solution for many companies has been to play it safe, and quickly and voluntarily disclose any and all relevant information related to cyber incidents (well before a materiality analysis has been completed)
Delay…and you will pay
For the anxious CISOs and General Counsels of the corporate world who find themselves in the middle of a high-pressure cybersecurity incident – every minute counts and the regulatory risks and penalties of delaying or failing to respond at lightning speed have never been greater.
Earlier this week, the SEC fined Intercontinental Exchange (the corporate parent of NYSE) $10M over its handling of a 2021 cyber incident. Despite allegedly knowing of a hacker intrusion through its VPN, Intercontinental Exchange didn’t notify or report the incident to the SEC for several days.
The key issue in the SEC’s enforcement action concerns breach reporting timelines under Regulation SCI, the SEC rules governing financial institutions critical to the operation of the U.S. securities markets. Regulation SCI has been updated in recent years as cyber attacks have multiplied, and now requires companies to immediately notify the SEC when they are hacked and provide more details within 24 hours.
The quick and the dead
With cyber attacks proliferating, regulatory enforcement actions increasing, and reporting response times shrinking – the heat is on for legal and security professionals.
Now, more than ever, it is critical to be prepared with continuous monitoring of your attack surface and clearly defined response plans. In the world of cybersecurity, it is the lack of speed that kills.