Podcast - SEC's Oversight on Cybersecurity Requirements

Morgan Ribeiro: Welcome to "Counsel That Cares." This is Morgan Ribeiro, the host of the podcast and a director in the firm's Healthcare Section. Today, we are continuing our digital health series with a discussion on the shifting oversight by the SEC on cybersecurity requirements. For this conversation, I am joined by Bess Hinson, a partner in the firm's Data Strategy, Security and Privacy Practice. Welcome to the show.

Bess Hinson: Thank you for having me, Morgan. I'm happy to be here.

Morgan Ribeiro: Awesome. So before we get into the meat of our discussion, which I think there's a lot for us to discuss and to describe to our listeners, can you just tell our listeners first more about your practice and your background?

Bess Hinson: Absolutely. So I'm a privacy and cybersecurity partner in Holland & Knight's Atlanta office, and the focus of my practice is cyber and data risk management, as well as governance of those risks related to data, breach readiness and response, crisis management, and I also handle global data privacy compliance for various industries, including the healthcare sector. In addition, I'll oversee and coordinate compliance assessment and implementation programs for clients as they relate to HIPAA, the California Consumer Privacy Act and other U.S. state privacy laws, the European Union's General Data Protection Regulation. And I also advise clients in various industries on information governance, online advertising, consumer policies, as well as website and mobile application policies and vendor management. One of my specialties is really coaching clients when they have a security incident or data breach, help them to navigate investigations into those breaches, the notification requirements and managing privacy class action risks.

Morgan Ribeiro: Excellent. That is super helpful, and this is obviously a digital health related conversation. And I know you mentioned in the description of your practice that you do a lot of work with healthcare organizations or healthcare-related matters. What are you seeing as it relates to cybersecurity with healthcare organizations, particularly providers and payers?

Cybersecurity in the Healthcare Space

Bess Hinson: Sure. So first of all, I see increased risk and frankly, significant vulnerabilities as it relates to cyber attacks. Cybersecurity isn't just an IT issue, it is a patient safety issue, it's an enterprise risk issue and a strategic priority. The changes in the healthcare sector, particularly as it relates to digital health, has integrated the universal, nearly universal adoption of electronic records, and as a result, that adoption makes healthcare a ripe target for cybercriminals. The targeted data of cyber criminals includes patients' protected health information, or PHI, financial information like credit card and bank account numbers, Social Security numbers and also intellectual property related to medical research and innovation. As our listeners may have heard in the news, many healthcare systems have been targeted in ransomware attacks or their third party service providers. And digital health vendors have been caught up in ransomware attacks that immediately go to the operations of the healthcare system or digital health provider because when a ransomware attack occurs, typically the cybercriminals encrypt all of the data on the systems that are being used and then hold that data hostage, as well as hold your access to all of your hardware and software hostage until you pay a very large sum. And by large sum, I mean in the tens of millions of dollars, so that is a huge risk, and because we are so dependent upon various providers, many of our clients have recently expanded their business into digital health, including telemedicine. They're partnering with new companies and organizations, including hospitals and medical clinics. Everyone is interconnected. And so cyber criminals access our IT networks and systems, and that connectivity can be caught up in an attack such that many different parties are impacted. The second concern that I see an impact on healthcare organizations relates to just further adoption of tech-enabled services, in part because the adoption of those services exposes the healthcare industry to privacy claims that extend beyond our traditional understanding of HIPAA. The plaintiffs attorneys bar have become more and more active and have developed quite novel claims in lawsuits. For instance, data privacy lawsuits have just recently exploded in the digital health and healthcare sectors due to the use of web trackers on healthcare-related or digital health websites and mobile apps. You know, most specifically, those lawsuits have focused on the use of the meta pixel on a website or in an app or other platform that's being used. There have been lawsuits filed against medical centers where they allege that the meta pixel is picking up PHI about patients on these sites and these platforms, and then sharing that with Facebook without patient permission, and that's a HIPAA violation. We're also seeing just a lot of activity by regulators. So we're going to focus on the SEC today, but I want to give you one other example. The Federal Trade Commission recently entered into a settlement with a fertility application known as Premom, and that settlement relates to sharing of personal information that occurred when SDKs were installed in the app. And those SDKs shared user data with Google, AppsFlyer, some other providers. And as a result, the FTC alleged that the parent company of Premom breached the health breach notification rule and the FTC Act, resulting in a quite burdensome consent decree as well as a $100,000 civil penalty.

The changes in the healthcare sector, particularly as it relates to digital health, has integrated the universal, nearly universal adoption of electronic records, and as a result, that adoption makes healthcare a ripe target for cybercriminals. 

Morgan Ribeiro: I think to your point too, I mean just going back to your, I think kind of earlier on in your comments around these healthcare organizations, I mean, these are crippling events not only for a provider, particularly if you're a sole community provider or one of the few providers in your community. I mean, if something, an event like this happens, one, not being able to provide the care, I mean, if your systems are shut down or locked down, which can often happen in these ransomware attacks, but then also the financial impact, I mean, to be able to pay that amount of money, it's a big deal. And so I think, you know, obviously a lot of what I think the counseling that you do is sort of that front end of how do you even avoid these situations from happening in the first place. And it's a lot I mean, I think it's a, it's a constant evolution and learning curve, and it feels like just right when you feel like you've kind of trained up your team, there's another sort of element to these cybersecurity issues. So as you mentioned today, we're really looking at the SEC's oversight on cybersecurity, and Gary Gensler, who is the chair of the SEC, has given numerous speeches in recent years calling for greater oversight of publicly traded companies, in particular, and their cybersecurity efforts. And then in March of last year, in 2022, the SEC issued a proposed rule amendments that would mandate certain cybersecurity disclosures for public companies. So the finalized rule amendments, we're expecting that in April of this year, 2023, we're still waiting on that. That could happen any day now, but can you tell us more about the proposed rule?

A Look Inside the SEC's Proposed Rule

Bess Hinson: Absolutely. So the SEC has proposed just a broad suite of new cybersecurity rules for public companies, as well as other specialized covered entities under the SEC's, their purview and oversight powers. So if adopted, these new requirements would impose significant new costs and enforcement risks for public companies. SEC wants businesses to have a mature framework for cyber risk. They want businesses, including healthcare organizations, to plan for periodic updates of their cybersecurity programs, including performing regular cybersecurity risk assessments and disclosing cyber incidents to the SEC and other authorities within an incredibly short time frame, as soon as four days, right, which is really nothing when you're in the midst of trying to investigate and determine the impact of a cyber attack. So also, the rule would require organizations to include updated disclosures in Forms 10-K and 10-Q and disclosures related to their risk oversight policies and procedures. And the reason why that's so important is a lot of organizations have some written policies and procedures, but they may not be all that detailed or they may be in the process of being developed, right, but here you're going to be required to actually detail precisely what type of program, including written policies and procedures you have. And, you know, there's a question in my mind of, these are public disclosures, are cyber threat actors going to go through them and begin to understand the maturity of the programs and develop their target list accordingly? So there's a lot to consider.

So if adopted, these new requirements would impose significant new costs and enforcement risks for public companies.

Morgan Ribeiro: So I still find it surprising we don't have a federal breach notification law right now. So it's only state by state. Can you tell us what is the proposed rule's minimum standards for breach notifications?

Bess Hinson: Sure. So the SEC is proposing to amend Form 8-K to require all registrants to disclose information about a material — and I say material in quotes, because it is a defined term in these proposed rules — cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident. So there might be some wiggle room in that, companies need a little bit of time to determine if it's going to have a material impact on the business, but four days is very short, and when you compare that to current reporting requirements, such as in our state breach notification laws, you know, in that set of statutes, really notice to individuals is required within about 30 days, 45 days. The same is true for regulators, although some regulators require notice within 14 days. And then, you know, under HIPAA, your notice to OCR is no later than 60 calendar days. So we're going to, for healthcare organizations, we're going from sort of a 60 calendar day requirement down to four business days, so that is a significant change, and it requires organizations to think very carefully about their incident response plan and also the timeline for escalation of discovery of the incident to leadership and also to legal so that decisions can be made within that short four business day timeline about whether or not, you know, a Form 8-K needs to be filed.

Morgan Ribeiro: OK, and then some of the requirements reflect what some industries already consider best practices, but it certainly has more bite to it because it's enforceable now. Can you tell us more about what you know about the enforceability of this and how does that actually play out when we talk about enforcement?

Bess Hinson: Sure. So to start, understand these new requirements would greatly increase the SEC's management of regulated entities approach to cybersecurity and system integrity. The SEC's oversight of that has really just been developing in recent years, and current SEC regulation is really targeted at certain risks, such as protecting customer information under Regulation S-P, or preventing identity theft under Regulation S-ID, and it's focused on select market participants of significant market importance, such as entities covered by regulation SCI. So these proposed rules really bring under the umbrella, right, of the SEC's focus. Everyone, just a much larger portion of public companies in that the SEC is now dictating the precise elements required for a comprehensive cybersecurity program. And for the first time SEC mandated incident response reporting requirements. So just to give you some context here, it was only in 2022 that the SEC really took steps to begin to protect investors from significant cyber incidents at public companies. To start, in May of 2022, the SEC nearly doubled the size of its Enforcement Division's Cyber and Crypto Assets Unit. You know, we've not really seen the full impact of that newly sort of strengthened unit, but we're starting to see signs of their activity. For instance, over the past year, the unit has brought enforcement actions against several SEC regulated entities for failing to maintain adequate cybersecurity controls and failing to disclose cyber-related risks as well as cyber incidents. And part of the violations that the SEC has alleged against these companies include failure to adopt written policies and procedures that protect customer records and information. So SEC is very focused on this concept of written policies and procedures that are thoughtfully created and tailored to the business holding that information. A few other examples of enforcement actions. We've seen many more charges, fines and settlements from the SEC in recent years related to cyber. For instance, in July of 2022, the SEC charged JPMorgan Securities and UBS Financial Services and TradeStation Securities for deficiencies in their cybersecurity programs, and ultimately the penalties ranged from $425,000 to $1.2 million. Then in September 2022, the SEC ordered Morgan Stanley to pay $35 million for failing to appropriately protect the records and information of customers, including their personal information. And another trend that has arisen that I think is frankly somewhat alarming, and yeah, I think we want to be concerned about this as we are engaging and hiring information security professionals in the C-suite and understand the risk they are taking on professionally. For instance, SolarWinds, who had a massive data breach several years ago, but they recently disclosed that the SEC notified top executives of legal action related to that data breach. And one of the executives to receive that notice was the chief information security officer. And this might have been, I believe, is the first time a CISO has ever received one of these, just not customary that a CISO would be held accountable for decisions that were made, right, at a public company. So that's an indication that the SEC is really focused on who you have in leadership over your information security program. Who's going to the bucks, who does the buck stops with. When we think about information security and this SolarWinds sort of notice follows behind a criminal sentencing of Uber's former chief security officer related to his involvement in a cover up of a 2016 cyber attack at the company, and that conviction was unprecedented and also caused alarm in the cybersecurity world. So I think those actions really underscore just how seriously the SEC is taking this.

So SEC is very focused on this concept of written policies and procedures that are thoughtfully created and tailored to the business holding that information.

Morgan Ribeiro: Kind of piggybacking on that, company boards are also bracing for new SEC cybersecurity regulations. The rule would also require an annual report on corporate boards, cybersecurity expertise. So who's sitting on the board that has this area of expertise? Can you talk more about the role of boards and cybersecurity, and how they should go about identifying those with this area of expertise?

The Role of Corporate Boards and Cybersecurity

Bess Hinson: So the proposed rule is dictating that public company boards have a board member with cybersecurity expertise. And the reason this is so interesting to me is for over a decade now, we have had a shortage of cybersecurity professionals in the United States and throughout the world. Now, that's due in part to the fact that this is a relatively new field, and schools and universities only in recent years have begun to develop programs and certificates and degrees in cybersecurity and information security and related fields. But I think that public boards are really going to struggle to identify those experienced professionals, and it's going to be incumbent upon them to find those individuals and then develop sort of the appropriate committees to exercise oversight. Now, that's not to discredit the work boards have been doing to really learn and become educated about cyber risks and their work and liaising with existing security officers within their organizations, but I think boards historically have really struggled to understand the threat landscape. It's a fast-moving and evolving area and involves a lot of very new and recent technology that is a lot to keep up with, and I think boards sometimes will look for scapegoats right after a major incident as opposed to saying, OK, this was really a part of our oversight responsibility at the organization. But, you know, we do see some signs that boards are starting to incorporate at least one cyber expert, so that's good. And many of the very largest publicly traded companies do now have a former CISO or chief technology officer or government official on their board to help fill in those gaps. And I do think CISOs themselves have gotten better at communicating the threat landscape to their boards just through regular reporting opportunities so that boards and the C-suite can just be prepared for incidents and increased scrutiny that may come from the SEC and other regulators.

But I think that public boards are really going to struggle to identify those experienced professionals, and it's going to be incumbent upon them to find those individuals and then develop sort of the appropriate committees to exercise oversight.

Morgan Ribeiro: And so I know there may not be any hard data on this, but just your sense of sort of the current landscape, are most companies prepared for these changes?

Bess Hinson: Yeah, that, that's a great question. You know, in some ways, the maturity of a cybersecurity program, one, it's never mature enough. We are always having to reassess new threats, new vulnerabilities that exist and software that is used almost universally by organizations as we await for certain tech companies and software developers to issue a patch. Threat actors are working to exploit those vulnerabilities and issues before they can be fixed. And so I think that cybersecurity programs are certainly top of mind for general counsel and legal departments, and are also becoming more top of mind for other members of the C-suite, particularly when they have the luxury of resources to support such a program. I still worry that there are some organizations that are in growth mode. And there might be corners that are being cut, which frankly can create significant risk and diminished value for the business. You know, as the company grows and looks to continue to invest or raise funds for their growth. But I do want to comment on the healthcare industry. I do think that the healthcare sector may be at an advantage because for so long they have been required to address HIPAA security standards and have built out programs that speak to and comply with HIPAA compliance security program. But it's important for healthcare organizations to understand that the HIPAA security program alone is not enough, given what the SEC is dictating. The SEC is wanting you to develop and have in place a mature security program that applies not only to HIPAA-covered information, but all of the other personal information that the business is collecting, as well as your entire IT network, software platforms and just digital systems that are supporting your business operations.

We are always having to reassess new threats, new vulnerabilities that exist and software that is used almost universally by organizations as we await for certain tech companies and software developers to issue a patch.

Morgan Ribeiro: So I guess just more generally, you've talked about the healthcare entities and kind of their position, and this is all under the assumption that this rule goes into effect. It seems like things are heading in that direction or at least we will have an answer to that soon, but what steps can companies take now to prepare, assuming that this all does go into effect?

What Steps Can Companies Take to Prepare?

Bess Hinson: Sure. So I think it's very important for companies to take a step back and really think critically about what regulations apply to them and the varying reporting standards and responsibilities they have. So now I was just talking about the HIPAA Security and Privacy Compliance program versus your overall security compliance program, and the HIPAA standard, for instance, reporting out on a data breach. You're going to be concerned about that 60-day deadline, but the SEC standard is going to be four days. So you need your policies to speak to both requirements and the revamping or the modification of existing policies so that everyone knows what to do when there is an incident to report. That’s going to take a lot of work. And we’re already into 2023. These rules are likely to go into effect soon. I’m not sure all businesses have budgeted for these changes. So now is the time to really think carefully about what budget is needed going into the next year so that to the extent you are not in compliance, you are ready to really kick off that process in January, if you can’t do so sooner. I think it’s important to review if you haven’t done so already, just your current information security preparedness and any cybersecurity assessments that have been conducted recently, whether those assessments are against the ISO standard or NIST standard, and see what gaps exist, what medium risk gaps exist, or high-level risk gaps exist, where can you put those risks and gaps on your roadmap so that you can remediate those issues sooner rather than later. Businesses have information technology policies, disaster recovery plans, business continuity plans. How confident are you in the level of detail in those plans, and how confident are you that your teams can execute on those plans? I mean, if you are not operational tomorrow because all of your devices and systems are locked up due to a ransomware attack, how long is it going to take you for your teams to restore all of those systems, recover your data backups and be back to business? Because every day that your systems are locked up, you're not doing business, you're losing money. You know, I think it's really important to ensure that internal teams that have responsibility for these public disclosures, for incident response, know how to communicate effectively, right? You've designated a point person within different stakeholders in the company who will communicate among teams because the SEC is likely to take action if a company fails to report a breach in a timely manner. It's just a very bright line in these proposed rules. Testing of policies and procedures is key. If your C-suite has not gone through tabletop exercise, which is when we pretend there's been a cyber attack and your executives are forced to make decisions very quickly, you know, think about holding one of those with your outside counsel or another consultant being involved. And, you know, I think that businesses can also just begin to strategize, perhaps with their internal communications teams or PR teams around and go, "OK, if we had to file a disclosure about a material cybersecurity incident, what type of other language would we use externally, how would we respond to media inquiries and requests related to that disclosure," so that you're prepared. Again, with that four-day time window, no one is going to have a lot of time to sit around sort of drafting PR comms responses. So it's important to just go ahead and have some template language ready.

So I think it's very important for companies to take a step back and really think critically about what regulations apply to them and the varying reporting standards and responsibilities they have.

Morgan Ribeiro: All of those are very good tips. And I know, just kind of wrapping things up in terms of the proposed rule, the comment period has ended and we expect it to be finalized this summer. And so at this point, we're just kind of in a wait and see mode. But companies should prepare and, you know, take a lot of the advice that you just provided. Anything else in terms of timing and next steps that you can provide?

Next Steps and Closing Comments

Bess Hinson: Yes. So the proposed rule would require companies to provide updates on previously reported cybersecurity incidents. So if you're not sure what cybersecurity instance you've had in the past or you don't have a method to record those incidents and the details, you go ahead and institute that process because that is going to be a piece of these new reporting requirements. I also think, you know, figure out who you're going to consult with in terms of legal counsel, either internally or externally, when preparing those disclosures so you know that they are ready to help you on a short timetable. I think that’s significant. I also think that organizations should consider the fact that the SEC’s recent moves really reflect an understanding at the SEC that massive data breaches can affect a company’s stock price or value. So you may want to think back to the Colonial Pipeline attack, right, when we were all lining up for gas and it wasn't available. I mean, those are systemic attacks that just don't impact those companies. You know, the same is true in a healthcare organization. You think about a hospital. If a hospital serves a particular community and has the only ER within 60 miles, 120 miles, and they then are subject to a ransomware attack and cannot operate or access medical records, they're having to turn patients away. And so these events have impacts that stretch beyond this idea of just reporting a breach or issuing a notice to affected persons because data was impacted. You know, these events impact the ability for basic services to be provided, which can really have a devastating effect on a business's value and frankly, just on human life.

 I also think, you know, figure out who you're going to consult with in terms of legal counsel, either internally or externally, when preparing those disclosures so you know that they are ready to help you on a short timetable. I think that’s significant.

Morgan Ribeiro: Absolutely. Well, thank you for that. And any wrap up comments before we close out?

Bess Hinson: No, it's been a pleasure to speak with you, Morgan, and I hope that our listeners have gained some insights and I hope they know that we, at Holland & Knight, are here for them. If they ever have any questions, we'd be happy to assist.

Morgan Ribeiro: Yeah. I mean, it truly, really is, as we talked about earlier, an evolving landscape. I know it's a lot to keep up with, and I think, you know, having resources like you to be able to just kind of break it down and really define it in a step-by-step way of how to prepare, and then if an incident does happen, you know how to respond to those, you know, and keep up with both the federal level policy and oversight, as well as the state by state applicable law. Appreciate your time today and look forward to further conversations.

Bess Hinson: Sounds good. Thank you, Morgan.