2023 Data Security Incident Response Report

Securities & Exchange Commission


Increased Regulatory Scrutiny of Cybersecurity Incidents

Historically, the enforcement actions related to security incidents brought by the SEC have been against investment advisers and broker-dealers. Since 2021, however, three cases have been resolved with companies agreeing to pay fines related to the adequacy of their disclosures about material cybersecurity incidents, and another enforcement action may be on the way. According to SolarWinds’ October 28, 2022 Form 8-K, the SEC issued a Wells Notice to SolarWinds stating that the SEC had made a preliminary determination to recommend the filing of an enforcement action against SolarWinds alleging violations of certain provisions of the U.S. federal securities laws with respect to its cybersecurity disclosures and public statements, as well as its internal controls and disclosure controls and procedures.

The SEC’s increased focus on cybersecurity is clear – starting with a January 2022 speech by SEC Chairman Gensler and the announcement that it is adding 20 positions to the Crypto Assets and Cyber Unit. Overall, SEC investigations and enforcement actions increased in 2022. The SEC filed 462 new enforcement actions, a 6.5% increase from the previous year.

Proposed Rules on Cybersecurity Disclosures

In that same January 2022 speech, SEC Chairman Gensler identified the following areas where he anticipated the SEC increasing regulation in connection with cybersecurity:

  • Updates to Regulations SCI and S-P, impacting SEC registrants;
  • A significant increase in disclosure requirements impacting public companies; and
  • Potential new measures to address cybersecurity risks from service providers to include potentially regulating third-party providers.

Following these comments, the SEC released proposed rules intended to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cyber incident reporting by companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. In its press release, the SEC stated the proposed rules are intended to:

  • Provide timely notification of material cybersecurity incidents;
  • Better inform investors about such companies’ risk management, strategy, and governance; and
  • Enable investors to assess the possible long- and short-term financial or operational effects of a material cyber incident.

3 out of 118 incidents involving companies registered with U.S. or other international stock exchanges resulted in a disclosure of a material event.

The proposed rules would add new Item 1.05 to Form 8-K and require disclosure of material cybersecurity incidents within four business days of determining the event is material. In addition, proposed amendments to Regulation S-K, Form 10-K, and 10-Q would require:

  • Updated disclosure regarding previously reported material incidents and disclosure of unreported incidents that have become material in the aggregate, and
  • Periodic reporting about the following:
    • An issuer’s policies and procedures to identify and manage cybersecurity risks;
    • The issuer’s board of directors’ oversight of cybersecurity risk;
    • Management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures; and
    • The board of directors’ cybersecurity expertise, if any.

The SEC’s 2018 guidance on cybersecurity disclosures makes it clear that companies must evaluate cybersecurity incidents using both a quantitative and a qualitative analysis, as the materiality of a cybersecurity risk depends on its “nature, extent, and potential magnitude, particularly as [it] relate[s] to any compromised information or the business and scope of company operations…and the range of harm that such incidents could cause.” While the four-day obligation to file an 8-K disclosing a material cybersecurity event received the most attention from commenters in response to the SEC’s proposed rules, it may be the easiest of the new rules to comply with. The new cybersecurity risk management strategy disclosure obligation may be the most challenging of the new requirements, because it may be difficult for companies to meaningfully and accurately describe their security strategy without providing too much detail.

Take Action: Develop Effective Disclosure Protocols.

Define a protocol in the incident response plan to ensure that incidents that may be material get escalated to the disclosure committee (e.g., for all incidents classified as “high” or “critical,” the legal team representative will consider at appropriate intervals whether to review with the disclosure committee).

Ensure that the internal team responsible for SEC filings checks with key incident response team members before filing the next Form 10-K or 10-Q to determine whether there are any investigations underway or anything else that would make forward-looking cybersecurity risk or cybersecurity risk management strategy disclosures inaccurate.