SEC's Responsibilities in Cybersecurity Oversight


Summary

The U.S. Securities and Exchange Commission (SEC) has introduced updated rules to enhance cybersecurity oversight, requiring public companies to disclose material cyber incidents and outline their risk management processes. These regulations aim to increase transparency and accountability in addressing cybersecurity threats.

  • Understand disclosure timelines: Public companies must report material cybersecurity incidents within four business days of determining their materiality, emphasizing the importance of prompt assessments.
  • Clarify risk management: Ensure your organization has documented processes for identifying, assessing, and handling cybersecurity risks, as these must be included in annual reports.
  • Highlight oversight roles: Provide detailed information about how your board and management are involved in monitoring and addressing cybersecurity risks across the organization.
Summarized by AI based on LinkedIn member posts
  • Brian Levine

    Cybersecurity & Data Privacy Leader • Founder & Executive Director of Former Gov • Speaker • Former DOJ Cybercrime Prosecutor • NYAG Regulator • Civil Litigator • Posts reflect my own views.

    BIG NEWS! At today's open meeting of the SEC, the SEC Commissioners voted to adopt the SEC's proposed cybersecurity rules on a split three to two vote. While we have yet to see the written rules, here are my initial takeaways from today's meeting:

    1. DISCLOSURE TIMING: The SEC emphasized that the disclosure requirement would be four business days from the time that a breach is determined to be "material"--not four days from learning of the breach. The SEC recognized that the determination that an incident is "material" may take some time, in part, because the Company may lack sufficient information to make the materiality determination at the outset.

    2. DISCLOSURE CONTENT: The new rule apparently "streamlines" specifically what registrants must disclose about an incident. Now registrants would be required to disclose the material aspects of the nature, scope, and timing of the incident, as well as the incident's material impact or reasonably likely material impact.

    3. DELAYED DISCLOSURE: The SEC has implemented a new process for registrants to delay disclosure of material incidents. If the U.S. Attorney General (the AG) determines that disclosure poses a substantial risk to national security or public safety and notifies the SEC of such a determination, the AG would be able to trigger a disclosure delay for an initial period of up to 30 days, followed by a 30-day extension, and a final extension of up to 60 days. The SEC would also consider additional disclosure delays, as requested by the AG. The SEC has apparently worked with the AG to set up an interagency communication channel to support rapid extensions. While the SEC didn't mention it, this provision would give registrants an additional incentive to contact the FBI or DOJ soon after learning of an incident.

    4. MATERIALITY: The SEC seems to have softened its requirement that registrants disclose immaterial incidents that are nonetheless material in the aggregate. Now the otherwise immaterial incidents must be "related" to each other to require reporting, such as attacks by the same cyber actor, or by exploiting the same vulnerability.

    5. BOARD EXPERTISE: While the original proposal would have required registrants to identify any member of the board of directors who has cybersecurity experience and describe such expertise, the updated rules do not contain any such board expertise and disclosure requirements. Instead, the rules require disclosure of the relevant expertise of any members of management or committees that are responsible for assessing and managing registrants' material cyber risks.

    6. EFFECTIVE DATE: It sounded like most registrants would be required to file annual reports in compliance with the new rule beginning Dec 15, 2023, with certain smaller organizations filing reports beginning June 15, 2024. The new incident disclosure requirements would go into effect for material incidents occurring after December 18, 2023.

  • Ian Yip

    Founder & CEO at Avertro

    Well, it's now official. The U.S. Securities and Exchange Commission (SEC) just put out this press release. SEC registrants (any company that files documents with the SEC) must:

    1) Disclose any #cybersecurity incident they determine to be material and describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. This is due four business days after it is determined that a cybersecurity incident is material.

    2) Describe their processes, if any, for assessing, identifying, and managing material #risks from cybersecurity threats, as well as reasonably likely material effects of risks from cybersecurity #threats and previous cybersecurity incidents.

    3) Describe the #board of directors' oversight of risks from cybersecurity threats and management's role and expertise in assessing and managing material risks from cybersecurity threats.

    The 2nd and 3rd disclosures will be required in a registrant's annual report, due beginning with fiscal years ending on or after December 15, 2023.

  • Michael McLaughlin

    Co-Leader, Cybersecurity and Data Privacy | Cyber Policy Advisor | Co-Author, Battlefield Cyber: How China and Russia are Undermining our Democracy and National Security

    New U.S. Securities and Exchange Commission rule adds a significant layer to the security governance landscape for publicly traded companies.

    Key Elements:

    - Material Cybersecurity Incidents Disclosure: Companies are obligated to report any material cybersecurity incidents under new Item 1.05 of Form 8-K within four business days following the company's determination of the incident's materiality. This mandates organizations to quickly assess the severity of any cybersecurity breach and report it in a timely manner.

    - Annual Disclosure of Cybersecurity Risk Management and Strategy: The new rules, reflected in Item 106 of Regulation S-K, impact annual disclosures and will require companies to provide more detailed insight into their cybersecurity risk management and strategy, including their processes for managing cybersecurity threats, and whether these threats have had, or are likely to have, material effects on the company.

    - Cybersecurity Governance: Companies are required to provide further details in their annual reports about oversight of cybersecurity risks by the board and management and how they are managing these risks at different levels of their organizational structure.

    Key Dates:

    - December 15, 2023: Companies must make the disclosures required under Regulation S-K Item 106 (and comparable requirements in Form 20-F) about cybersecurity beginning with annual reports for fiscal years ending on or after this date.

    - December 18, 2023: SEC begins enforcement of Form 8-K disclosure for cybersecurity incidents, other than smaller reporting companies (SRCs).

    - June 15, 2024: SEC begins enforcement of disclosure for cybersecurity incidents for SRCs.

    These strict enforcement timelines may put pressure on companies to review their current cybersecurity programs to protect against any vulnerabilities public disclosure may expose, and to ensure compliance with disclosure procedures. Need assistance? Reach out to the Cybersecurity and Data Privacy team at Buchanan Ingersoll & Rooney PC: https://lnkd.in/gyNJQ-PP #cybersecurity #cyberlaw
