SEC Cybersecurity Rules: Considerations for Incident Response Planning
- New Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules (Final Rules) adopted by the U.S. Securities and Exchange Commission (SEC) become effective Sept. 5, 2023.
- In light of the new rules, public companies should immediately review disclosure controls, procedures and processes to ensure that cybersecurity incidents are promptly reported to appropriate personnel who are responsible for public disclosures under applicable securities laws.
- This Holland & Knight alert offers public companies high-level considerations regarding compliance with the Final Rules and other cybersecurity incident and data breach notification obligations.
The new Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules (Final Rules) adopted by the U.S. Securities and Exchange Commission (SEC) were published in the Federal Register on Aug. 4, 2023, and become effective Sept. 5, 2023. (See Holland & Knight's previous alert, "SEC Finalizes Cybersecurity Incident and Governance Disclosure Obligations for Public Companies," July 31, 2023.) Consequently, all public companies (including foreign private issuers (FPIs)) other than smaller reporting companies (SRCs) must begin complying with the cybersecurity incident disclosure requirements in newly added Item 1.05 of Form 8-K and in Form 6-K on Dec. 18, 2023, and SRCs must begin complying with Item 1.05 of Form 8-K on June 15, 2024.
Although the new cybersecurity incident disclosure requirements are not yet effective, material cybersecurity incidents must still be disclosed in the interim: prior SEC guidance continues to require public companies to disclose material cybersecurity incidents. Moreover, the Final Rules may be viewed as providing a framework of the SEC's expectations regarding the substance and timing of cybersecurity incident disclosures.
Public companies should promptly review and, if appropriate, amend their disclosure controls, procedures and processes to ensure that cybersecurity incidents are timely reported to personnel who are responsible for determining whether to make public disclosures under applicable securities laws. In addition, incident response plans should be reviewed to ensure that cybersecurity incidents are appropriately documented and investigated, escalated to the incident response teams and timely assessed for materiality and regulatory disclosure obligations.
This Holland & Knight alert provides high-level considerations for public companies regarding compliance with the Final Rules in addition to numerous other cybersecurity incident and data breach notification obligations.
Internal Disclosure of Potential Cybersecurity Incidents
Companies may learn of potential cybersecurity incidents through a variety of means. For instance, cybersecurity detection and monitoring software programs may send a notification alert related to anomalous activity,[1] an information technology (IT) or information security (IS) employee may observe abnormal activity in the network, an employee may report clicking on a suspicious link in a potential phishing email, or a third-party vendor may inform the company's contracting officer that the vendor experienced a data breach.
Companies should identify the appropriate personnel to handle the initial investigation of a potential cybersecurity incident. In addition, companies should review their internal reporting and notification processes to ensure potential cybersecurity incidents are reported to the appropriate department and/or individuals so that a prompt investigation is conducted.
Incident Investigation and Analysis
Given the tight reporting deadlines under the Final Rules, companies may want to establish protocols within their cybersecurity incident response plans for prioritizing and investigating potential cybersecurity incidents. The personnel responsible for the initial investigation should be required to document the potential incident and preserve records, logs and relevant artifacts related to the potential incident. Far too often, initial responders immediately engage in eradication and remediation activities that destroy valuable evidence needed for a more thorough forensics investigation. This can negatively affect a company's notification obligations and materiality assessment. Instead, preserving the necessary evidence can assist companies in conducting a thorough forensics investigation that will inform the incident response team's analysis regarding the company's notification obligations.
Upon verification that an actual incident exists, the incident response plan should establish criteria to escalate the incident to senior IT/IS managers and to the incident response team. The plan should require the initial investigators to assess the potential impact of the incident, streamline reporting of known and relevant information about the incident, and identify additional investigative steps and potential containment strategies. In addition, the procedure to notify the incident response team should identify essential information that needs to be communicated to the team.
Incident Response Team
The incident response plan should identify all appropriate members of the incident response team. The incident response team should consist of relevant personnel from IT/IS, senior legal and business units. Some additional stakeholders may be necessary based on the type of incident involved and the nature of the company's operations. For instance, insider threat incidents may require personnel from human resources, and consumer-facing companies may need input from their public relations staff.
The plan also should establish the roles and responsibilities of the incident response team, when outside counsel should be engaged and when outside counsel should engage a third-party forensics team to conduct a privileged investigation, as well as provide guidance on the various notification obligations. Crucially, the plan should establish criteria to promptly notify senior executives of the cybersecurity incident and to escalate incidents for a materiality assessment and determination. The plan should also contain criteria for senior executives to notify the board of directors where warranted by the magnitude of the incident.
Because companies are required to file an Item 1.05 Form 8-K within four days after determining that a cybersecurity incident is material, the Form 8-K filing will often be the first public notification of the cybersecurity incident and may precede individual data breach notifications. Thus, companies may want to consider revising their plans to establish criteria for communications with internal and external stakeholders. The strategic handling of external and internal communications will be critical to managing the concerns and expectations of investors, management, employees and consumers.
Regulatory Notification Chart
Companies may want to consider developing a regulatory notification chart as part of their incident response plans. Over the past several years, regulators across nearly all industries have mandated cybersecurity incident notifications. As a result, companies are now subject to several notification regulations with varying notification periods. For example, a publicly traded financial services company may be subject to the following regulatory notification laws and reporting time periods, among others:
- OCC/FDIC/FRB's joint Computer-Security Incident Notification rule (36 hours)
- Cyber Incident Reporting for Critical Infrastructure Act (72 hours for a cyber incident and 12 hours for a ransomware payment)[2]
- New York Department of Financial Services (NYDFS) Cybersecurity Regulations (72 hours, with a proposed regulation to require 24 hours for a ransomware payment)
- SEC Cybersecurity Rules (four days)
- Gramm-Leach-Bliley Act (GLBA) Safeguards Rule (as soon as possible)
- various state data breach laws (30/45/60 days, or as expeditiously as possible and without undue delay)[3]
These laws also do not account for contractual notification obligations to clients and customers.
Developing a chart as part of the incident response plan that identifies the company's notification requirements can ensure that notification obligations are appropriately assessed and met. For companies that already maintain such a chart, it should be revised to include incident reporting under the Final Rules.
Materiality Assessment Team
The Final Rules require companies to determine the materiality of a cybersecurity incident "without unreasonable delay." Accordingly, companies may want to consider developing a separate team to assess the materiality of cybersecurity incidents. The materiality assessment team may very well overlap with and contain other members of the incident response team. Because materiality is to be determined under long-standing securities law principles, securities attorneys and senior executives who are experienced in making materiality assessments should be included, along with members of the incident response team who can provide critical technical and substantive information regarding the incident, as well as its nature and potential magnitude.
In addition, companies should establish criteria and procedures for assessing materiality. These processes should ensure that cybersecurity incidents are appropriately escalated from the incident response team, assessments are handled consistently with other enterprise risks, materiality assessment team activities are appropriately documented and materiality determinations are shared with senior executives and, as warranted, board members.
These considerations are intended to highlight some of the features of a robust incident response program in light of the Final Rules. They are not, however, intended to be an exhaustive list, and each public company will be required to engage in thoughtful consideration of the various processes and procedures that may be necessary and appropriate within the context of its operations, business and regulatory environment.
Holland & Knight's Data Strategy, Security & Privacy Team can readily assist with designing incident response programs that address the challenges created by the incident reporting requirements under the Final Rules.
[1] The Final Rules define a cybersecurity incident as "an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein."
[2] This law is still awaiting the promulgation of rules by the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) to become effective; however, the financial services sector is one of 16 critical infrastructure sectors and is anticipated to be affected by this law.
[3] This is not an exhaustive list of applicable notification laws for financial services companies. For example, money services businesses have other reporting requirements. In addition, the list does not include overseas jurisdictions such as the General Data Protection Regulation (GDPR) or United Kingdom GDPR. Some overseas jurisdictions require rapid notification. India, for example, requires notices within six hours of learning of a cyber incident.
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.