Global Risk Implications of the SEC’s Cybersecurity Regulation
Now that the long-anticipated cybersecurity risk management, governance and reporting regulations issued by the U.S. Securities and Exchange Commission (SEC) are finalized, companies across the world have moved from analyzing the initial cybersecurity proposal to acting on the rule’s complicated compliance obligations.
The SEC seeks to provide a significant amount of information to shareholders, investors and customers on the individual capabilities of technology-dependent businesses to endure a disruptive cyber incident. While regulations with equivalent objectives exist elsewhere across the world, their dissimilarities have woven a complex quilt of regulations for global businesses.
A case in point is the difference between the SEC’s final ruling and the European Union’s (EU) General Data Protection Regulation (GDPR) regarding the timetable for disclosing a personal data breach. GDPR requires disclosure within 72 hours to member country regulators, whereas the SEC requires disclosure of a material cybersecurity incident within four business days to the SEC and shareholders. Although the SEC provides extra time to disclose, unlike in the EU, the disclosure is made public. Other countries outside the EU, like Australia, have cyber regulations with similarly short reporting timetables, requiring disclosure of a cyber incident likely to have a relevant impact on IT assets to the Australian Cyber Security Centre within 72 hours.
Interviews with cyber risk and insurance experts suggest the four-day compliance timetable creates intricate board and management challenges and potential liabilities. To contain these risks, the experts advise global businesses to structure a set of internal processes to meet potentially multiple deadlines and content requirements, in conjunction with their cyber insurers.
“With any cyber incident, you don’t exactly know what has happened immediately, especially if it’s the first significant breach,” said Danielle Librizzi, head of professional liability at QBE North America. “To provide accurate information [to regulators], and not too much or too little, it’s important that global companies partner with their cyber insurer to include the differences in the reporting timeframes in their incident response plan.”
Major cyber insurance markets generally have close working relationships with specialized law firms engaged in daily correspondence with relevant regulatory bodies. Regulators in other nations are expected to incorporate aspects of the SEC’s final ruling. Assuming a brief timetable is introduced to disclose sensitive information on a material breach, partnering with an insurer is a means to know how much information to publicly disclose on a region-by-region basis. As Serene Davis, global head of cyber at QBE, put it, “Although the ruling is U.S.-based, in a lot of cases what the U.S. does, other countries follow.”
Many non-U.S.-based companies will have to substantively comply with the final ruling on cybersecurity risk management, strategy and governance issued by the SEC on July 26, 2023, since the final rule requires foreign private issuers to make information disclosures comparable to those of U.S.-based publicly traded companies.
The overarching goal of the regulation is to ensure consistent, comparable and decision-useful cybersecurity information for investors, companies and connecting markets. Despite otherwise laudable intentions, regulatory compliance is challenged by the subjective nature of what constitutes a material cyber incident. Other concerns include the public nature of disclosing the incident and the proper extent of breach-related information to provide regulators and shareholders.
Some experts think that the public disclosures mandated under the final rule could paradoxically create more risk for the disclosing companies. SEC Commissioner Hester M. Peirce, a longtime critic of the cybersecurity proposal, stated that complying with the disclosure rules has the potential to “aid cyber criminals … handing them a roadmap on which companies to target and how to target them [and signaling] other would-be attackers an opportune time to attack.”
To limit such disturbing outcomes, organizations must be careful not to reveal too much about their cyber risk management and preparedness, yet still abide by the regulation’s information disclosure timetable. Difficult decisions are required, as the clock ticks toward the deadline. Librizzi cited the example of a ransomware attack disabling access to systems.
“The company is likely to be deeply engaged during this period of time in determining the cause of the attack, the extent of the business disruption, and the most efficacious means to restore services. Adding a determination of whether the incident is material in a four-day timeframe complicates these crucial activities,” she said.
Publicly traded companies and foreign issuers in the U.S. are stuck between two unpleasant courses of action. If too much context is provided on the incident and the organization’s multifaceted response, additional threat actors are potentially armed to launch follow-up attacks; if not enough context is provided, the organization risks noncompliance with the SEC’s reporting mandate. “Companies are in a tough spot either way,” Librizzi said.
Commissioner Peirce offered a similar opinion. “The careful drafting necessary to avert some of these problems will be difficult in the four-day timeframe,” she stated.
When the legal duties of making accurate public disclosures are murky, plaintiff attorneys take notice. Aware of the haste needed to fully disclose the nature and scope of a material cyber incident within four business days, plaintiff attorneys may argue in hindsight that a company made material misstatements and omissions, with the intent of misleading investors. “Plaintiff attorneys are very fast in trying to figure out if there is any opportunity to file a class action lawsuit,” said Davis.
For example, plaintiff attorneys may challenge the accuracy of disclosed information regarding cybersecurity risk management and governance, arguing in a securities class action lawsuit that management made material misrepresentations about the nature and magnitude of a data breach. A related possibility is a breach of fiduciary duty lawsuit filed against board members legally obligated to act in the interests of shareholders and failing to do so. “These potential liability exposures require close scrutiny by risk managers of the organization’s cyber insurance policies and D&O (directors and officers) liability insurance coverages to ensure proper limits and coverages,” Davis said.
Other actions also are in scope. For example, the SEC has asserted that the processes for managing cybersecurity risk are not “prescriptive,” instead leaving these processes up to individual interpretations. Hence, the cyber insurance experts emphasize the value of carefully determining and then systematizing the processes by which the organization will disclose material information in the four-day reporting timetable. “Document and incorporate these processes into the cyber incident response plan, and then regularly test them in the operating regions where such timetables exist,” Davis said.
Erica Kofie, head of cyber proposition in the European office of QBE, agreed. “Companies are often too closely involved in building their incident response plan to see the forest for the trees,” she said. “We can assist the development of a plan that considers the critical processes needed to address the different disclosure deadlines and other compliance mandates, based on our experiences and those of our law firm partners.”
Individual companies, she explained, “just don’t have the experience of thousands of breaches to know how much information to disclose. Many cyber incidents also don’t get into the public domain, the situation in the EU where breaches are disclosed to regulators but not the public at large. We deal with these incidents and their exposures every day on a global basis.” Kofie added that how an organization engages with regulators within the first 72 hours of a cyber incident “will inevitably have an impact on the rest of the investigation, underlining the value our breach response partners deliver.”
Davis cited some of the services that cyber insurers and their partnering data protection law firms provide, including the assignment of an attorney to provide counsel on each specific cyber incident, assistance in determining whether a breach is material, and the actual crafting of the public disclosure filing. Other consultative services include partnering with chief information security officers and InfoSec teams and the provision of a D&O coach for board members and senior executives to better understand and prepare for potential liability emanating from a failure to disclose material shareholder information.
Given the likelihood that regulators in other countries will incorporate aspects of the SEC’s final rule like a specific timetable to report a material breach, the benefits of a comprehensive, clearly articulated, regularly refreshed and tested cyber incident response plan far outweigh the time and resources involved in maintaining its relevance.