Practical Steps to Reduce SEC Cyber Risk in 2024
January 9, 2024, Covington Alert
For public companies subject to the jurisdiction of the U.S. Securities and Exchange Commission (“SEC”), 2023 marked a significant shift in the landscape of cybersecurity legal risks. The SEC not only finalized its new Cybersecurity Rules (the “Rules”)[1], but also continued actively pursuing cybersecurity enforcement actions, including against SolarWinds and its Chief Information Security Officer (“CISO”).[2] This alert highlights eight practical steps that public companies (including foreign private issuers) should consider for 2024 planning in light of these developments.[3]
1. Include or update cybersecurity risk governance disclosures in annual reports to reflect accurately the company’s board and senior management risk oversight and management processes.
- Under the Rules, a registrant’s Form 10-K or 20-F filing must now include a description of the board’s and senior management’s oversight of cybersecurity risks, including identifying the individuals or groups responsible and the processes in place to keep them apprised of these risks.
- When preparing Forms 10-K or 20-F to incorporate these requirements, companies should keep in mind the SEC’s demonstrated appetite for scrutinizing companies’ pre-incident cybersecurity risk management practices and related disclosures. Consider pressure testing planned Form 10-K or 20-F disclosures to ensure they match a company’s practices (for example, that the processes to keep senior management apprised of cyber risks are followed in practice, and documentation can be provided to demonstrate this if needed).
2. Work with key company personnel to resolve documented cybersecurity “red flags” and provide training on best practices for internal documentation.
- The SEC’s SolarWinds complaint describes in stark detail the dangers of creating unfavorable internal documentation regarding cybersecurity risks, especially those that have not been addressed. Consider prioritizing the resolution of cybersecurity “red flags” that have previously been documented but not remediated. If such “red flags” cannot be remediated in a reasonable period, consider creating a written roadmap for remediation that includes timelines and milestones.
- Consider how best to provide senior management and the board of directors with information on cybersecurity risks without generating documentation that prompts second guessing by litigants and regulators. For example, consider providing training on best practices for internal documentation and working with key personnel to protect appropriate materials under privilege, if such material is being created for the purpose of seeking or providing legal advice.
3. Assess whether your company has an updated list of “crown jewel” information and technology assets and whether they are appropriately protected.
- The SEC’s SolarWinds complaint, along with commentary in the Rules’ adopting release, makes clear that companies are expected not only to identify their “crown jewels,” but to take appropriate action to protect them. Specifically, the SEC’s complaint faulted both SolarWinds and its CISO for not disclosing to the investing public known risks facing products and services that the company had identified as among its “crown jewels.” Similarly, the Rules’ commentary suggests that if a cybersecurity incident impacts a company’s “crown jewels,” that information might be sufficient to make a materiality determination even before the company has “complete information” about the incident.
- Consider identifying your organization’s “crown jewels” (or re-evaluating an existing list) to ensure the list is updated and not overly broad. Also consider prioritizing efforts to identify cybersecurity risks regarding crown jewels and the controls that protect them.
- The SEC’s SolarWinds complaint also treated a company’s “crown jewels” as key assets and the company’s safeguards to protect against unauthorized access to those assets as part of the company’s internal accounting controls (which were alleged to be inadequate).
4. Assess whether (and how) existing incident response plans and disclosure control procedures should be integrated to meet new current report disclosure requirements.
- The Rules require companies to disclose a cybersecurity incident on Form 8-K within four business days of determining that the incident is material and further state that the materiality determination cannot be unreasonably delayed. As a result, in the event of a cybersecurity incident, companies will need to assess materiality rapidly in accordance with their disclosure controls and procedures and, if assessed material, draft and file accurate disclosures, all while the underlying facts are likely changing and the company is simultaneously identifying and complying with other notification obligations.
- Consider how disclosure controls and procedures and incident response plans should work together to address the new current report disclosure requirement. Specifically, consider identifying who would be responsible for ensuring the two processes will be linked, who makes the ultimate decision on which facts to base the disclosure decision, and who must approve that disclosure before a current report is filed.
5. Exercise pre-incident response procedures to specifically test various disclosure (and other mandatory notification) scenarios.
- Consider pre-incident testing of response procedures – now an accepted cybersecurity best practice. This is particularly important because the reporting requirements in the Rules and other recent and forthcoming notification requirements across industries could overlap and require rapid and orchestrated action among a wide range of stakeholders.
- Consider scheduling and structuring an exercise for senior management and directors that specifically addresses disclosure, notifications, and communications more broadly, so key stakeholders can either gain comfort in existing procedures or identify improvements to cover the likely issues to be faced during a cybersecurity incident. Part of that exercise can be to develop and practice procedures for notifying the Federal Bureau of Investigation (“FBI”) in the event that law enforcement outreach is determined to be appropriate.[4] It can also help expedite reliance on the provision in the Rules permitting a company to delay its reporting of a cybersecurity incident.
6. Provide support for senior leaders managing cybersecurity risk.
- As the SEC’s enforcement action against the SolarWinds CISO demonstrates, the SEC (among other regulators) is increasingly focused on the actions taken by individuals in roles with key cybersecurity risk management responsibilities. The SEC’s new disclosure requirements obligate companies to share more details about individuals in these roles.
- Consider what additional support should be provided to individuals in these roles to protect against legal and regulatory risk, such as advising them on how to document and address sensitive discussions of cybersecurity issues to reduce downstream legal risk.
- Consider reviewing Director & Officer insurance and similar coverage to assess whether sufficient coverage is in place for individuals who occupy these key roles.
7. Anticipate that incident response procedures and cybersecurity program policies and procedures might be considered part of a company’s internal accounting controls and disclosure controls and procedures.
- The SEC’s SolarWinds complaint included allegations that the company lacked adequate internal accounting controls and disclosure controls, and that the CISO aided and abetted those violations. Cybersecurity controls may, as a result, be encompassed by CEO/CFO certifications in periodic reports, as well as auditor attestations. At a minimum, companies should have processes for making reasoned disclosure decisions that include all appropriate stakeholders.
8. Expand the internal audience for vetting external statements related to the cybersecurity of products and systems.
- Recent SEC enforcement actions have focused on the accuracy of companies’ statements regarding cybersecurity risk and incidents, especially as the underlying facts change. In its SolarWinds enforcement action, the SEC alleged that the company and its CISO made false and misleading statements and omissions that were material to a reasonable investor. The SEC focused not only on SEC disclosures, but also customer and consumer-facing representations. This comes in the wake of a prior enforcement action against Blackbaud alleging that the company failed to account for the changing facts of an incident in its SEC filings, and in the midst of the promulgation of many other short-deadline notification rules that will require companies to rapidly draft and disseminate to stakeholders information about incidents.
- Anticipating that the SEC (and other regulators) will scrutinize external statements about cybersecurity, companies should consider broadly vetting representations about cybersecurity capabilities, vulnerabilities, and risks with internal stakeholders. Specifically, companies that market products, services, or systems as being secure or meeting a certain standard should ensure such statements are accurate and consistent across all external sources, including SEC filings.
For further information on these developments, please contact the members of our Data Privacy and Cybersecurity and Securities and Capital Markets practices.
[1] Covington Alert: SEC Adopts Cybersecurity Disclosure Rules, COVINGTON & BURLING LLP (July 27, 2023), https://www.cov.com/en/news-and-insights/insights/2023/07/sec-adopts-cybersecurity-disclosure-rules.
[3] The Rules require foreign private issuers to provide, in Form 20-F, the same disclosures regarding cybersecurity risk management, strategy, and governance that domestic issuers must provide in Form 10-K. In addition, a foreign private issuer must furnish on Form 6-K any material cybersecurity incident information that it publicly released under its own country’s requirements. SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, SEC (July 26, 2023), https://www.sec.gov/news/press-release/2023-139.