Communicating with the SEC When Your Organization Suffers a Cybersecurity Incident

Haimavathi Marlier and Michael Birnbaum are Partners at Morrison & Foerster LLP. This post is based on their Morrison & Foerster memorandum.

If there was ever doubt before, the Securities and Exchange Commission (SEC) has made clear—through two proposed rules related to cybersecurity, enforcement actions, public statements, and a beefed up “Crypto Assets and Cyber Unit” within the Division of Enforcement—that it expects public companies and registered entities to promptly assess the materiality of cybersecurity incidents and make swift disclosures of material incidents. In particular, if adopted, the SEC’s proposed cybersecurity disclosure rule for public companies states that issuers will have to disclose, via Form 8-K, material cybersecurity incidents, including any impact on business operations, within four business days of their determination that the incident is material.[1] And, if adopted, the SEC’s proposed cybersecurity risk management rules for registered investment advisers (RIAs), registered funds, and closed-end companies state that these registrants must report “significant cybersecurity incidents” to the SEC within 48 hours of discovery.[2] Final action on these rules is expected in April 2023.[3]

As it determines the materiality of a cybersecurity incident, an organization must also decide whether to report the incident to the SEC in advance of any public disclosure and whether to cooperate with any ensuing SEC inquiry or investigation. On the one hand, proactive reporting of likely material cybersecurity incidents can build goodwill with the SEC and make clear from the outset that the organization is thoroughly investigating the incident. On the other hand, informing of the SEC of immaterial incidents could expose the organization to expense, business disruption, and unwanted SEC scrutiny, particularly into the organization’s cybersecurity-related internal controls.

Here are four considerations in-house counsel should keep in mind in determining whether to proactively inform the SEC about a cybersecurity incident before making a formal public disclosure.

1. Open a dialogue with the SEC if early incident investigation indicates that the incident is probably material or significant.

Many public companies and registrants are near-daily victims of immaterial cybersecurity incidents. It would be a mistake to report every phishing scam your organization suffers to the SEC. That said, cooperation benefits can inure to your organization if you engage with the SEC early on regarding incidents that are likely material or significant.

There is a misconception that issuers and registrants should only notify the SEC about a data breach after they have completed their investigations into the breach. For incidents that are likely to be deemed material or significant, the SEC values being notified promptly about a data breach, even when a reporting company is still sorting out what happened and whether the breach is material. Indeed, a reporting company is less likely to get SEC cooperation credit for working with the agency in the post-breach investigation process if the SEC first finds out from another source that the organization suffered a breach.

One important consideration is that the SEC’s proposed cybersecurity rule for public companies lacks a law enforcement exception; that is, an exemption from disclosure due to an ongoing law enforcement investigation by another government agency. If it is adopted as written, this means that public companies would have to disclose to investors material incidents within four business days of a materiality determination even if there is an ongoing confidential law enforcement investigation. Communicating with the SEC about a cybersecurity incident during the pendency of any materiality analysis, however, should not generally compromise the confidentiality of any other law enforcement investigations.

2. Open the dialogue involving the right people.

Experience counts when notifying the SEC about a cybersecurity incident, for both the organization and the SEC staff. To place your organization in the best possible position when engaging with the SEC, it is essential to retain counsel who know who to contact within the SEC and what information the SEC staff will seek, and who have a rapport with the staff. It is also essential that counsel have a plan regarding how to keep the SEC apprised without waiving privilege over an internal incident investigation. Similarly, it is extremely important to open the dialogue with SEC staff with cybersecurity expertise.

3. The SEC will want an update on your incident investigation and remediation plan.

Opening a dialogue with the SEC means being prepared to inform the agency of your organization’s current understanding of what has happened, what information has been compromised, and how the incident has affected (or is affecting) your business operations. The SEC will also want to know if the incident is ongoing or has been contained, and whether it has been remediated. At this early stage, before a materiality determination has been made, it is critical to share only facts that your organization knows, as opposed to what you hope will happen. Remember, your incident investigation will nearly always be privileged: share facts, not analysis.

The SEC will also want to know whether your organization is complying with its cybersecurity incident policies and procedures, whether you anticipate making a disclosure to investors (and, if not, why), and what steps you have taken to prevent insider trading on the basis of potentially material non-public information about the incident. It is critical that your organization have bespoke policies and procedures that ensure that information about an incident is appropriately escalated to senior management and others responsible for conducting materiality and disclosure analyses. The SEC’s 2018 cybersecurity guidance also makes clear that organizations must tailor disclosure controls and procedures to the known cybersecurity risks.[4]

4. Do not jump the gun when discussing materiality with the SEC.

The SEC’s proposed rules, enforcement actions, and public statements make clear that organizations must promptly assess the materiality of cybersecurity incidents. If adopted, the proposed rules will require public companies to disclose material cybersecurity incidents within four business days of a materiality determination and will require RIAs and other registrants to report to the SEC “significant cybersecurity incidents” within 48 hours of discovery. That said, a materiality analysis is fact-intensive, requires an incident investigation, and is nearly always privileged. Promptly mobilize your organization to analyze whether the incident is material or significant, as applicable, but understand that this could take time depending on the facts and circumstances.

Moreover, due to information-sharing among law enforcement agencies, the SEC often has information about trending cybersecurity threats that victim organizations do not. This potential information imbalance presents another reason to maintain a dialogue with the SEC as you get your arms around the facts and circumstances of your incident—as the SEC may be able to take steps to protect investors that will inure to your benefit later—but also underscores the need to avoid offering conclusions based on a less‑complete understanding of relevant facts than the SEC may already have.

5. Prepare to act quickly if your incident is material.

Finally, your incident investigation plan should include steps for how quickly you will both inform the SEC and disclose your incident to the public, if your organization deems the incident to be material or significant, as applicable.

Endnotes

1Release No. 33-11038, “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” (Mar. 9, 2022), available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf; Morrison Foerster Client Alert, “SEC Proposes Cybersecurity Disclosure Rules for Public Companies” (Mar. 11, 2022), available at https://www.mofo.com/resources/insights/220311-sec-proposes-cybersecurity-disclosure-rules. (go back)

2Release No. 33-11028, “Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies” (Feb. 9, 2022), available at https://www.sec.gov/rules/proposed/2022/33-11028.pdf; Morrison Foerster Client Alert, “SEC Proposed Rule Delineates Cybersecurity Policy Requirements for Investment Advisers and Private Funds” (Feb. 15, 2022), available at https://www.mofo.com/resources/insights/220215-new-sec-proposed-cybersecurity-rules. (go back)

3Office of Mgmt. & Budget, SEC, “Cybersecurity Risk Governance – Spring 2022” (last accessed Oct. 31, 2022), available at https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202204&RIN=3235-AM89; Office of Mgmt. & Budget, SEC, “Cybersecurity Risk Governance – Spring 2022” (last accessed Oct. 31, 2022), available at https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202204&RIN=3235-AN08. (go back)

4Release Nos. 33-10459, Commission Statement and Guidance on Public Company Cybersecurity Disclosures (Feb. 21, 2018), available at https://www.sec.gov/rules/interp/2018/33-10459.pdf. (go back)

 

Trackbacks are closed, but you can post a comment.

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>