No Phishing Allowed at the Lake: Are the SEC’s New Cybersecurity Requirements Helping or Hurting Corporations?
In 2023, the threat of cyberattacks continued to escalate. (Kim Nash, Wall Street Journal). Reports of cyberattacks, such as the cyberattack on Cisco IOS XE devices, dominated the news cycle. (Kyle Alspach, CRN). In response, the Securities and Exchange Commission (“SEC”) implemented new regulations that heightened disclosure requirements for corporate cybercrime risk management. (James Rundle, Wall Street Journal). As of December 15, 2023, the SEC requires companies to disclose their management of cyber risk in their annual reports, also known as 10-Ks. Id. Additionally, companies must report significant cyberattacks to the SEC in a Form 8-K within four calendar days of discovering a “material” cyberattack. (James Rundle, Wall Street Journal). Federal case law defines harm as “material” when there is a “substantial likelihood” that an investor would view it as having “significantly altered” the information made available. (Kate Azevedo, Bloomberg Law). Ultimately, the SEC’s new requirements for company disclosures on cybersecurity represent an outstanding strategy to enhance companies’ awareness of and readiness against cybercrime.
These new requirements have been met with both admiration and criticism from leaders in the corporate world. (James Rundle, Wall Street Journal). The first criticism comes from companies concerned that the requirement to disclose their cybersecurity infrastructure simultaneously reveals that valuable information to hackers. Id. Keith Billotti, a partner at Seward & Kissel, stated that companies now need to be very careful about what they disclose. Id. Billotti explains that the danger is that companies will over-disclose, thus opening themselves up to all sorts of liability. Id.
The second, and more scrutinized, area of criticism surrounds the four-day deadline to report the “material” effects of a cyberattack in an 8-K, which critics are calling unrealistic and constraining. Id. For instance, Clorox was among the first major companies to experience a cyberattack after the SEC instituted the new 8-K requirement. (Kim Nash, Wall Street Journal). Clorox reported that it was impractical to quickly determine the “material” effects of the attack, especially when impacts may remain unknown for weeks afterward. Id. Clorox added that for many companies, analyzing the “material” effects of cyberattacks is uncharted territory. Id. Joe Nocera, lead partner of cyber, risk and regulatory marketing at PwC US, opines that “the requirement that incidents be disclosed within four business days will be a heavy lift for companies.” (David Jones, Cybersecurity Dive).
Interestingly, the support for the SEC’s new requirements outweighs the criticism. Richard Suls, security and risk management consultant for WithSecure, says the new requirements “[have] several potential benefits for both investors and the overall security landscape.” (Eduard Kovacs, Security Week). He explains that mandatory disclosure within a specific timeline will enhance transparency and accountability, incentivizing corporations to invest in more cybersecurity measures. Id. Kate Azevedo of Bloomberg Law conducted a study and concluded that 79% of corporations already report a cyberattack within 13 days, with 46% reporting within four days. (Kate Azevedo, Bloomberg Law). Importantly, the four-day period to disclose in an 8-K starts when a corporation determines that the cyberattack is “material,” not when the cyberattack is discovered. Id. Azevedo says that this four-day period to report after determining that the cyberattack is material is more than enough time for a corporation to file. Id.
In fact, most corporations were already disclosing the “material” impacts of cybercrime even before the new requirements were enacted. Id. For example, Voya Financial (“Voya”) has seamlessly implemented the new SEC disclosure regulations alongside its existing practices. (James Rundle, Wall Street Journal). Stacy Hughes, the chief information security officer of Voya, states that Voya drafted 10-K disclosures for its cybersecurity risk management program months ago and has integrated the 8-K requirement into its preexisting incident-response plan. Id. Hughes adds that Voya’s cybersecurity steering committee meets every other month and provides information to the board and senior management, so the disclosure of cybersecurity programs in the 10-K is drafted months before the 10-K is due. Id. Corporations such as Voya already have materiality committees that assess the impact of cyberattacks. Id.
Many macro trends will continue to increase the risk of cyberattacks, and regulations will need to respond swiftly. Most pressing, the threat of cyberattacks on corporations will continue to increase as artificial intelligence (“AI”) becomes more prevalent in the workplace. (Kim Nash, Wall Street Journal). Hackers will use AI to create better phishing attacks, while software developers will use AI to more accurately and efficiently identify risk. (Nuvolum). Another macro trend to consider is the increase in remote workers. Id. Since COVID-19, many corporate employees insist on working remotely, leading them to use personal devices that are not in their companies’ network security policy. Id. These devices are left unscanned, providing an opportunity for hackers. Id.
Overall, the benefits of the heightened protections greatly outweigh the burdens of the new disclosure requirements on corporations. Attorneys and compliance professionals must be proactive in articulating corporations’ cybersecurity programs on 10-Ks, paying particular attention to what attacks are considered “material.” (James Rundle, Wall Street Journal). To report on the “material” effects of a cyberattack, attorneys and compliance professionals need to pay close attention to any part of the company that a reasonable investor might consider when making an investment, such as the financial metrics. (Kate Azevedo, Bloomberg Law). Finally, it is important to remember that many corporations have existing procedures in place, making compliance with the disclosure requirements relatively simple. (James Rundle, Wall Street Journal).