
The New SEC Cyber Rules

Come tomorrow and Monday, there are changes in store for publicly traded companies when it comes to cybersecurity.

This will help everyone else too, since virtually all companies have publicly traded companies as vendors or business partners, and this extra information will help you understand your partners’ cybersecurity efforts.

Industry groups and Republicans aren’t excited about these changes. I understand why industry is not happy – it means disclosing more about their cybersecurity efforts – or possibly their lack of efforts. As to Republicans, I am not sure. Maybe these companies are donors and they feel like they need to do a quid-pro-quo in exchange for the money. Not sure.

Anyway, here is what happens.

Effective tomorrow, December 15th, companies whose fiscal year ends on or after tomorrow will have to describe in their annual reports to the SEC what kind of processes they have in place to manage cyber threats. This would, of course, be a problem for those companies that really don’t have much of a program. Disclosing that you aren’t doing much would be a problem. For others, it is just a matter of wordsmithing exactly what and how much they want to reveal. I suspect that they would prefer to reveal nothing because whatever they reveal will be, as the saying goes, used against them in a court of law (in case of a breach).

As of Monday, larger publicly traded companies will need to disclose to the SEC any breach that the company deems severe enough to be important to potential investors. They have four days to do that. Smaller companies get an extra 6 months or so to do that.

Apparently, most of the grumbling is about what the definition of the word “is” is, to quote a former President. What IS material, anyway? It will be different for each company.

There is a little bit of fairness to this, but mostly it is about figuring out whether they can avoid disclosing a breach. After all, disclosure is bad for the brand, possibly for the stock price, likely for executive bonuses and people might actually decide not to buy new shares or even sell existing shares.

There is an exception when national security or public safety is concerned, but that requires an exemption by a small number of very top level law enforcement folks, likely including the Attorney General and the Director of the FBI in some cases. The DoJ does NOT expect many exceptions to be granted. An example of where an exemption might be appropriate is if the breach was due to a major software bug that has not been patched and which likely can and will be exploited if exposed.

The DoJ has released guidelines regarding the exception process.

I could be wrong, but it seems like companies are concerned that they might not disclose a breach that is later determined to be material. The rule says you have to disclose within four days of determining it is material, so that doesn’t seem to create much liability.

Also, they are concerned that they might disclose an incident which later turns out not to be so material.

For the first case, it seems like if they decide sometime after the incident happens that it is material, the clock starts ticking.

In the second case, there is no foul. You don’t get penalized by the SEC if you disclose an event that later turns out not to be so material. It does, of course, hurt the CEO’s ego that they told the world that they were compromised. And maybe the stock price for a little while.

But assuming there are a significant number of these disclosures, then people will be able to figure out for themselves, with the help of a variety of talking heads, whether something should affect their actions.

Another problem is that most lawyers don’t want to be forced into making a decision before ALL of the facts are known. It is what makes them good lawyers. But, in this case, they will have to do exactly that. That is hard for them to take in.

Of course, it might, possibly, encourage companies to improve their cybersecurity practices so that they can make better decisions more quickly. If it does so, that represents a good outcome.

Credit: Cybersecurity 202 Newsletter, December 14, 2023
