Published by Christopher Pogue on 16 October 2023
The new Security and Exchange Commission (SEC) rulings on cybersecurity incident reporting go into effect on December 18, 2023. The two sections of Code of Federal Regulations Title 17, which are garnering considerable attention, involve the reporting of an incident to the SEC and illustrating a reasonable risk management strategy.
The ruling requires organizations to report the cybersecurity incident to the SEC via form 8k within four business days of determining whether or not the incident represents what a reasonable shareholder would determine to be material, unless otherwise determined by the US Attorney General to have the potential of adversely impacting national security or public safety.
This language is undoubtedly intentional, providing organizations with some leeway to determine what is material and what is reasonable. Regardless, breached organizations are now compelled to report the incident in a timely manner, with as much information about the event is available at the time of reporting.
The second area drawing the attention of executives and boards is the requirement to describe the organization’s cybersecurity risk management and strategy. This is defined in 229.106 as (emphasis mine):
(1) Describe the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. In providing such disclosure, a registrant should address, as applicable, the following non-exclusive list of disclosure items:
(i) Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
(ii) The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
(iii) Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.
There are many factors influencing these decisions, such as a fundamental linguistic difference between the CISOs and the rest of the executive team and board, poor or adversarial communications between cybersecurity professionals and non-technical executives, a failure by cybersecurity executives to adequately align the risk to the organization’s risk appetite, and a laisse-faire approach to cybersecurity (the ‘let’s wait and see’ approach), hoping against hope that a breach won’t occur.
With a breach now occurring, on average, every 39 seconds, failing to adequately prepare for a cyber incident is unreasonable at best and irresponsible at worst. To succinctly articulate the risk profile introduced to the business, the onus is on cybersecurity professionals to do a better job learning the risk language being spoken by CEOs and boards as well as translating how cybersecurity posture aligns with the existing risk register and appetite.
The SEC ruling has moved the needle from making these things best practice to government mandated requirements. The imperative to do better has never been more prominent.
Looking at a recent example
In a recent example, on October 5, 2023, MGM entertainment group filed form 8k with the SEC to address their September 12th cybersecurity incident. The 8K was filed 23 days after the incident was identified. This filing failed to meet the 4-day deadline imposed by the new ruling. This raises some questions:
- Does this mean that reporting without reasonable delay will be interpreted as 30 days or less?
- Was the delay due to the fact that the ruling has not officially been implemented, or did it take MGM 19 days to determine materiality, and then they reported four days later?
We will have to wait and see what happens after December 18 to understand how diligently the SEC is going to hold the line.
According to their 8K report MGM states
“The Company does not expect that it will have a material effect on its financial condition and results of operations for the year. Specifically, the Company estimates a negative impact from the cybersecurity issue in September of approximately $100 million.”
“The Company has also incurred less than $10 million in one-time expenses in the third quarter related to the cybersecurity issue, which consisted of technology consulting services, legal fees and expenses of other third party advisors. Although the Company currently believes that its cybersecurity insurance will be sufficient to cover the financial impact to its business as a result of the operational disruptions, the one-time expenses described above and future expenses, the full scope of the costs and related impacts of this issue has not been determined.”
This brings up an interesting point, if MGM doesn’t determine $110M to be material, what measurement will be used by organizations that have suffered a breach? Will it be a specific dollar amount? Will it be a percentage of annual turnover? Will it be whatever the breached organization’s CEO, CFO and board think it is? While these are questions that won’t be answered until more breaches are made public after December 18, they are likely to be a hot topic of conversation in upcoming board and shareholder meetings.
In their article in the National Law Review, Sheila Milar and Tracy Marchall state, “The SEC did not define or provide examples of what constitutes a “material” cybersecurity incident but stated that “materiality” will be consistent with applicable case law. (The standard for materiality was established by the U.S. Supreme Court in TSC Industries, Inc. v. Northway Inc., 426 U.S. 438 (1976): “there must be a substantial likelihood that the disclosure of the omitted fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.”)
What does this mean for private companies?
While the discussion here is well and good for publicly held companies, many critiques have been focused on the fact that these rules don’t apply to privately held companies. While that may sound reasonable (there’s that word again), it’s not entirely accurate.
In Part 2 of this blog post, I will cover what the SEC ruling could mean for privately held companies and introduce the precedent that they set in September of this year, issuing a $225,000 fine to a privately held company that violated the Dood-Frank Whistleblowing ruling.