Balancing cybersecurity incident disclosures has been a challenge for those in the trenches for years. That has not changed, and recent regulatory activity does not make the challenges breach counsel confront any easier. In short, notification obligations and their triggers have always been hard to apply to the events on the ground: When did the company determine there was access or acquisition? Does it know with any level of certainty what happened? And what should be said to regulators, investors, and impacted individuals while the incident response investigation is still working out what needs to be done, what needs to be reported, and what needs to be said when reporting? Now the SEC has adopted a rule, with compliance required beginning December 18, 2023, that obligates listed companies to publicly disclose a cybersecurity incident within four business days of determining that it is material. Meanwhile, the FBI has already published guidance on how victims can ask the U.S. Attorney General to authorize a disclosure delay on national security or public safety grounds.
The risk landscape is evolving, as we know.
Cyber risk has to be managed from several angles at once: preventing risk from materializing, and then remediating and addressing every identified risk in a timely and efficient manner. In mid-November 2023, the ALPHV/BlackCat ransomware group reminded us of threat actors' creativity when it reportedly filed a complaint with the SEC against a regulated entity, alleging that the entity had failed to timely report a cybersecurity incident that BlackCat itself had perpetrated. In this brazen move, BlackCat illustrated a novel but real risk: threat actors will victimize an organization through whatever means are available to them, including the regulatory process itself.
State regulatory requirements remain dynamic.
The SEC's regulatory updates come as state and federal regulators continue to implement new cybersecurity reporting requirements. As of December 1, 2023, under the November 2023 amendments to 23 NYCRR Part 500, New York State Department of Financial Services (NYDFS)-regulated entities must notify the NYDFS within 24 hours of making an extortion payment; then, within 30 days of the payment, they must provide a written statement explaining their reasons for making it, the diligence performed to find alternatives, and why the payment complies with the Office of Foreign Assets Control's rules and regulations. These extortion payment requirements are in addition to the existing requirement that NYDFS-regulated entities notify the NYDFS "as promptly as possible but in no event later than 72 hours after determining that a cybersecurity incident has occurred at the [regulated] entity, its affiliates, or a third-party service provider."
As of December 18, 2023, SEC-regulated entities "must disclose any cybersecurity incident they experience that is determined to be material" within four business days of making that materiality determination. The disclosure must describe the nature, scope, and timing of the incident as well as its impact or "reasonably likely" impact. The new rule also requires registrants to publicly disclose, in their annual reports, their processes for assessing, identifying, and managing material risks from cybersecurity threats.
These new requirements emphasize the importance of timely identification, investigation, and reporting of cybersecurity incidents by regulated entities. While the NYDFS and SEC rules do not appear to conflict directly, in the sense that compliance with one regime would preclude compliance with the other, the two regimes inherently create a risk of inconsistency. For example, the timing of disclosure to the NYDFS, including around ransom payments, will be critical to building a defensible position on the materiality of the incident under the SEC's requirements. Disclosures to the NYDFS could create an inference of materiality that starts the clock on SEC reporting. Further, while the NYDFS has long required certain cyber risk management processes, those processes may now be subject to public disclosure for SEC-regulated entities. Organizations must ensure that the processes they describe publicly would also withstand NYDFS scrutiny, or they risk regulator inquiries. Relatedly, the FBI guidance is necessary because the SEC disclosure rule, unlike most public breach disclosure rules, permits the U.S. Attorney General, and only the U.S. Attorney General, to determine that a delay is warranted. Most breach disclosure rules allow other law enforcement agencies to request a delay in public reporting and disclosure.
All of these are risks that threat actors may be able to exploit. They are, after all, uniquely positioned: they have firsthand knowledge of the nature, scope, and timing of a cybersecurity incident.
Why this matters
Breach notification laws in the United States typically give organizations multiweek periods to publicly disclose data breaches, such as 60 days for breaches of HIPAA-regulated protected health information, or 30 to 60 days under the state laws that set a fixed deadline (many state laws simply require notice without unreasonable delay). This gives companies time to investigate and reach reasoned conclusions. By shortening the disclosure window to four business days after a materiality determination that itself must be made without "unreasonable delay," the SEC has ratcheted up the pressure to assess, respond and react to a cybersecurity incident that could be potentially crippling for an organization. And for companies that are service providers to organizations in highly regulated industries such as health care and financial services, the new SEC rule upsets the delicate balance between a regulated entity and its vendors.
Companies will have to decide faster, and with less information, whether a material incident occurred. Under the SEC's new rule, publicly listed companies must disclose a material cybersecurity incident within four business days after the company determines that the incident is material. A "cybersecurity incident" is "an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein." The SEC's inclusion of "a series of related unauthorized occurrences" makes clear that materiality for this purpose is to be assessed holistically across related events, not event by event. That materiality determination is to be made, according to the instructions to the rule, "without unreasonable delay." This, the SEC explains, avoids pressuring companies into drawing conclusions from insufficient information; yet given the stakes, companies will still have to act quickly and under newly imposed pressures. Consider a scenario that is likely to be typical. An entity makes an extortion payment that it initially views as nonmaterial. It reports the payment to the NYDFS within 24 hours but does not yet report the matter to the SEC or the investing public, because it is still working out whether the matter is subject to the SEC's new disclosure requirements. Once that assessment is done, the entity must then explain to the NYDFS, within 30 days, its reasoning for making the payment, and must determine again whether the facts and circumstances around the payment, or that reasoning, are material and require disclosure under the SEC rule. The timing of when those determinations were made, or should have been made, may come under immense scrutiny from regulators and litigants alike.
But materiality, for purposes of federal securities law, can be a complicated concept to apply to cyber risk or cyber incidents. It is assessed from the perspective of a reasonable shareholder and has both qualitative and quantitative dimensions. In a world where shareholders may lack the perspective needed to judge how bad a given cybersecurity incident really is (the investing public, and indeed the public at large, may be unaware of the daily extent of cyberattacks on U.S. companies), publicly listed companies may consider erring on the side of assuming materiality to avoid distracting litigation over the timing and content of their disclosures. Litigious shareholders may assume and assert that the company should have known, immediately upon discovering that an incident occurred, that the incident was material and required disclosure. That is not true; it judges the company's real-time decision with the benefit of hindsight. It takes time for a company to assess the scope and impact of an incident on its operations and systems. But a shareholder facing a loss on their investment and rushing into court may not know or care.
The SEC disclosures will be an easily searchable "wall of shame" for public companies. The new rule requires these cybersecurity incident disclosures to be reported under Item 1.05 of Form 8-K, which makes them trivial to filter for. Like the HHS Office for Civil Rights "wall of shame" listing breaches by HIPAA-regulated entities that affect 500 or more individuals, these disclosures will be an easy source for the plaintiffs' bar to identify potential lawsuits. The SEC's EDGAR system already offers RSS feeds of new filings, which will make the task easier still for plaintiffs' lawyers.
Companies will have to disclose more details about their cybersecurity programs, and those details can then be second-guessed if an incident occurs. In addition to the cybersecurity incident notification obligation, the rule requires disclosure in annual reports of additional information about the company's approach to assessing, identifying, and managing cybersecurity risks (even if this is something many companies have already broadly described). Those details will become a source of risk when the company's processes are second-guessed under the pressure that follows a cyberattack.
Public companies serving highly regulated entities will face new tensions about the security incident reporting obligations that each party directly bears. The SEC's new rule upsets the delicate balance between organizations in highly regulated industries like health care and financial services and their vendors, many of which are publicly traded entities themselves. Under current federal law, the vendor typically reports to the regulated entity, and the regulated entity then makes public notice. The same is generally true of state breach notification laws, which typically require an entity that maintains personally identifiable information it does not own or license to notify the entity that owns the data, and that entity then controls decisions around making notifications.
The new SEC rule challenges that approach. Now vendors, if publicly listed, may have their own public breach notification obligation. If a publicly listed vendor decides that a cybersecurity incident is material to its business and thus disclosure under the new SEC rule is required, it may effectively force a regulated entity/customer into disclosing a security incident that the customer otherwise may not have reported under state or federal law (like the NYDFS regulation or HIPAA). This will need careful lawyering and assessment.
Consider this, in the HIPAA context: A publicly traded business associate discovers evidence that a threat actor accessed certain files on a cloud server storing client data. The business associate conducts a quick investigation, reflexively decides that the access constitutes a material impact (e.g., because the threat actor might have been able to reach other files on the same server) and discloses it under the SEC rule. If a HIPAA-regulated covered entity has protected health information stored on that server, does the business associate's decision about what the evidence and artifacts show effectively foreclose the covered entity from reaching its own conclusion? And if the covered entity can reach a different conclusion, does that create new legal risks? The converse may be true too: Under the amended NYDFS regulations, an NYDFS-regulated entity must, in certain circumstances, notify the NYDFS within 72 hours of determining that a cybersecurity incident has occurred at a third-party service provider. If the NYDFS-regulated entity decides that a cybersecurity incident occurred at its publicly listed service provider and reports it to the NYDFS, can the service provider still determine that the event was not material to it?
The solution will require regulated entities and the publicly listed companies that are their vendors to work together proactively and agree on how security events at the vendor level will be handled. That way, they can (hopefully) agree in advance on an allocation of authority that satisfies both parties' reporting obligations without upsetting the delicate balance.