After much deliberation and compromise, below are the key requirements of the SEC's new cybersecurity rules:
- New Form 8-K Item 1.05 requires the disclosure of any cybersecurity incident determined to be material within four business days of the materiality determination with a description of the pertinent aspects of the nature, scope and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the company, including its financial condition, operations and reputational harm.
- Consistent with traditional securities law, an incident is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision or if it would significantly alter the "total mix" of information available.
- The four-business-day disclosure requirement is triggered on the date on which the company determines that a cybersecurity incident is material, not the date the incident is discovered. An instruction to Form 8-K provides that a materiality determination must be made "without unreasonable delay" after discovery of a cybersecurity incident.
- The disclosure may be delayed if the attorney general notifies the SEC after determining that immediate disclosure would pose a substantial risk to national security or public safety.
- New Regulation S-K Item 106 requires companies to describe their processes for assessing, identifying and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company. Item 106 also requires companies to describe the board of directors' oversight of risks from cybersecurity threats and management's role and expertise in assessing and managing material risks from cybersecurity threats.
- Form 6-K and Form 20-F have also been amended to include similar requirements for foreign private issuers (nongovernmental companies incorporated outside of the U.S. doing business in the U.S.).
The incident disclosure requirements in Form 8-K Item 1.05 go into effect the later of 90 days after the date of publication in the Federal Register or Dec. 18, 2023. Smaller reporting companies (companies with a public float of less than $250 million or less than $100 million in annual revenues) enjoy an additional 180 days until the incident disclosure requirements go into effect. With respect to Regulation S-K Item 106, companies must provide disclosures beginning with annual reports for fiscal years ending on or after Dec. 15, 2023.
Now, on to the tricky part — how should public companies prepare for the rules' new requirements? These are 10 steps legal departments should be taking now:
- Analyze the company's current processes for assessing, identifying and managing risk from cybersecurity threats and the company's formal incident response plan. Is the process robust and comprehensive? Have recent cybersecurity assessments been conducted, and if so, have the identified gaps been remediated? If not, identify the continuing gaps in the process and work to rectify them prior to the end of the fiscal year. If the company does not have the relevant expertise in-house, consider hiring a forensics firm to build out the company's cybersecurity processes and documentation. Once satisfied with the state of the company's cybersecurity program and the written incident response plan, the legal department, in conjunction with the CISO, should begin drafting the language for S-K Item 106 and update the incident response plan to include the four-business-day requirement for filing an 8-K after identifying a material cybersecurity incident. Ensure that the processes described are integrated into the company's overall risk management system or processes, and specify whether the company engages assessors, consultants, auditors or other third parties in connection with these processes.
- Determine whether any risks from cybersecurity threats, including those resulting from a previous incident, have materially affected or are reasonably likely to materially affect the company. Consider how the company's business strategy, results of operations or financial condition has been impacted by prior incidents or ongoing cybersecurity threats. This information should be included in the company's year-end annual report, and it is also helpful information to analyze to ensure the company's cybersecurity program has been updated to better prevent and mitigate future cybersecurity incidents.
- Meet with a securities lawyer to discuss the materiality trigger and what it means with respect to your company. The SEC states that companies should consider "financial condition and results of operations" along with qualitative factors, such as harm to a company's reputation, customer or vendor relationships or the possibility of litigation or regulatory investigations or actions to determine materiality. Develop materiality guidelines now so that in the event of a cybersecurity incident, management will be able to more quickly and clearheadedly assess whether an incident is material. If the predetermined materiality guidelines are followed in the event of a cybersecurity incident, this should demonstrate to the SEC and investors that the company acted in good faith and did not attempt to improperly delay disclosure.
- Review the company's relationship with third-party service providers, including cloud computing, legal process outsourcing, document review and file transfer software providers, among others. Institute processes to oversee and identify material risks from cybersecurity threats associated with its use of third-party service providers. Note that a recent study by two cybersecurity firms found that 98% of organizations use at least one third-party vendor that has experienced a breach in the last two years. Thus, while it is necessary and efficient to utilize third-party vendors, there is a high level of cybersecurity risk involved that must be adequately managed. The SEC considered many comments regarding third-party cyber incidents, but ultimately determined there should be no exemptions or safe harbor for incidents on third-party systems that resulted in a breach of a company's data, as whether an incident is material is not contingent on where the electronic systems reside or who owns them. Thus, take steps now to ensure the company is contracting with secure third-party service providers that have cybersecurity risk management processes comparable to its own. Review the service provider contracts to understand their practices and to verify that the company will be informed within 24 hours in the case of a suspected or confirmed breach of the company's data, so that the company can comply with the SEC's cybersecurity incident disclosure rules and the notification requirements of other global laws and regulations.
- Understand the board of directors' oversight of risks from cybersecurity threats, including any board committee responsible for such oversight. If a board cybersecurity committee does not exist, consider creating one to ensure compliance with the SEC's new rules. Develop processes for informing the board or board committee about potential or ongoing cybersecurity risks. Once satisfied with the board's oversight and the processes for keeping members apprised of potential or ongoing cybersecurity risks, draft the new Regulation S-K Item 106(c) language describing the board's oversight and the processes by which it will be informed.
- Assess the company management's role in overseeing material risks from cybersecurity threats. Does your company have the relevant cyber expertise in management roles? The SEC requires disclosures regarding which management positions are responsible for overseeing such risks, as well as the relevant expertise of each of the managers. If your company does not have management with cybersecurity expertise, consider the budget required to hire new talent with the required qualifications. Discuss with human resources and begin searching for the right person or people now, as there is an undersupply of cybersecurity and privacy talent on the market today. If the company already has the required cyber expertise, establish internal teams that have responsibility for making public disclosures and informing the C-suite and board of the potential or ongoing cybersecurity threats.
- Test the company's incident response plan in a tabletop exercise with the C-suite, relevant board members or committee and key internal and external teams. While it is helpful to draft plans after thoroughly assessing the company's cybersecurity processes, a tabletop exercise will simulate a live event, and these are extremely beneficial to identify gaps, bottlenecks and other issues with the company's processes or plans that are difficult to identify without this role-playing exercise.
- Strategize with internal communications teams or external public relations teams regarding the type of language to use in the event you have to file a disclosure about a material cybersecurity incident. Think about what language the company would use externally in response to media inquiries and requests related to the disclosure. Additionally, consider internal communications with employees and hybrid communications with customers whose data may have been impacted and who may face missed deadlines during the incident and in its aftermath. With only the four-business-day window that follows the materiality determination, it will be difficult to draft a comprehensive, cohesive public relations communication strategy on the spot in the midst of a crisis. Thus, it is critical to have a strategy and template language ready that can be tailored to include the material elements of the cybersecurity incident.
- Select the company's breach counsel — a lawyer who specializes in responding to cybersecurity incidents — and meet to discuss the company's cybersecurity program and the required SEC disclosures and to get assistance with tabletop exercises. Identifying breach counsel in advance will help ensure you are prepared in the event of an incident, expedite the post-incident response timelines and allow the company to confirm the chosen breach counsel is covered by its cyber policy. Consider also preselecting a digital forensics and incident response firm and a review vendor to streamline the incident response process, having contracts in place so the company can seamlessly move from one step to the next without the bottleneck of contract review and negotiation.
- Continue to periodically review and assess the company's processes for assessing, identifying and managing risk from cybersecurity threats. Technology and the types of cybersecurity threats facing companies are constantly changing at a breakneck pace. Something that was the gold standard for cybersecurity a year ago may now be obsolete. Institute mandatory, intermittent training programs for the company's staff at all levels to continuously educate them about cybersecurity, new threats and tactics and how they can avoid being a victim of cyberthreat actors.
In the wake of the MOVEit Transfer cybersecurity incident with well over 100 corporate and 15 million individual victims, the SEC decided the time is right to adopt cybersecurity rules that encourage awareness, transparency and preparation by public companies. By readying your company's cybersecurity program now to comply with the SEC's cyber rules, you will also arm your company with a better defense against cyberthreat actors, reduce the reputational harm that comes along with a cybersecurity incident and increase investor confidence in the company's cybersecurity program.